Re: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation

Mike Jones <> Thu, 21 January 2016 08:04 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 56B361A036C for <>; Thu, 21 Jan 2016 00:04:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dQ73JpD_Gc9E for <>; Thu, 21 Jan 2016 00:04:19 -0800 (PST)
Received: from ( [IPv6:2a01:111:f400:fc10::792]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A4AAB1A036F for <>; Thu, 21 Jan 2016 00:04:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=g5M8bbQrIBMmBrpm6PC9Cqzk71EbJ8tzxHdcJHgtpVg=; b=O39KkY0V8EKJXOCy3w6sIFDtLovX4WZGoMC71etzAcZjxpA1fCcUv3EePOJ/Z1H57ih3UPVsOJdzhTeiTy9N6X3lMlPf0wWRR0BELn3fvrMLQG+ezrrx1D1BMqO2ltqRcV6LHRNOtYko1q08N2NtGL5uoA4QYa7y7E78c4Ud0Xg=
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.1.365.19; Thu, 21 Jan 2016 08:04:00 +0000
Received: from ([]) by ([]) with mapi id 15.01.0365.024; Thu, 21 Jan 2016 08:04:00 +0000
From: Mike Jones <>
To: nov matake <>
Thread-Topic: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation
Date: Thu, 21 Jan 2016 08:03:59 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-office365-filtering-correlation-id: 9634aa49-7d42-4abf-3da1-08d322396b92
x-microsoft-exchange-diagnostics: 1; BY2PR03MB441; 5:foK5KKYOWGEFBzyr+FGHHR2UOGrVBUgMFMblLZ3aHBx/anm12EMgyQncpajJgCffhXY5nkEkl7xChZqPA+r3tt0CZNGXo8AVT0rx8iAUqLLi+kaRSS5oLbz+IowhcDGG0Px3/ch6mAf5Hp6jeuOVCQ==; 24:YszxoEUk8y56xZ36F3KU20brCcm5kMd5mkBkdRdg7MbJKevhBYP4+knr3LbAIv/LSVP5NFxX2FjrYE6EL/2lt4iNBDOtNA0pa5Hv5ThM0+o=
x-exchange-antispam-report-test: UriScan:; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441; UriScan:(149059832740258);
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(520078)(5005006)(8121501046)(3002001)(10201501046)(61426038)(61427038); SRVR:BY2PR03MB441; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441;
x-forefront-prvs: 08286A0BE2
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(209900001)(13464003)(189002)(479174004)(377454003)(199003)(164054003)(24454002)(102836003)(790700001)(2900100001)(40100003)(5003600100002)(8990500004)(19580405001)(1600100001)(86362001)(77096005)(19617315012)(33656002)(93886004)(19625215002)(5001960100002)(50986999)(19580395003)(76176999)(19300405004)(16236675004)(1411001)(99286002)(74316001)(5002640100001)(15975445007)(81156007)(97736004)(15395725005)(122556002)(86612001)(54356999)(5002510100001)(11100500001)(66066001)(101416001)(92566002)(586003)(19609705001)(3846002)(2950100001)(5008740100001)(105586002)(10290500002)(189998001)(1096002)(110136002)(10090500001)(6116002)(76576001)(4326007)(10400500002)(5005710100001)(5004730100002)(1220700001)(106356001)(2906002)(87936001)(15940465004)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB441;; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4420A5F143FBCCEA01265D8F5C30BY2PR03MB442namprd_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Jan 2016 08:04:00.0254 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441
Archived-At: <>
Cc: "" <>
Subject: Re: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Jan 2016 08:04:24 -0000

Sorry to be slow responding, Nov.  I wanted to wait to respond until a draft with the “state” token request parameter was published, which just happened.

I think the oauth-meta spec solves some of them but not others.  There were a bunch of different attacks discussed by the security researchers in Darmstadt (see the notes at, some with interdependencies between them.  There are reasons, for instance, for sending the “state” value to the token endpoint so that the authorization server can check it.  The mitigations involve validations by both the client and the server – not all of which the oauth-meta draft includes.

Also, see the current discussion in the thread “[OAUTH-WG] Call for Adoption”.  In short, I think there should be one solution approach that we work on for this, not two.

                                                Best wishes,
                                                -- Mike

From: nov matake []
Sent: Monday, January 11, 2016 10:45 PM
To: Mike Jones <>
Cc: Hans Zandbelt <>; George Fletcher <>;
Subject: Re: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation

Hi Mike,

Isn’t Nat’s "OAuth Response Metadata” spec enough to solve those issues?

On Jan 12, 2016, at 05:40, Mike Jones <<>> wrote:

The specification describes this validation method (comparison of the issuer received to the issuer recorded at registration time) in step 2 of Section 4 (Validating the Response).  In fact, I added this in response to your feedback on an earlier draft, Hans.

-----Original Message-----
From: Hans Zandbelt []
Sent: Monday, January 11, 2016 12:34 PM
To: Mike Jones <<>>; George Fletcher <<>>;<>
Subject: Re: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation

I disagree that validating endpoints "at this step" (which refers to right before making the token request) should be the default way of handling this. The vast majority of OAuth client deployments connecting to more than one AS will have a static configuration of the ASes issuer/endpoint information anyhow and they just need to confirm that the issuer value received in the authorization response is the same issuer as that the request was sent to.


On 1/11/16 1:14 PM, Mike Jones wrote:


*From:*George Fletcher []
*Sent:* Monday, January 11, 2016 12:13 PM
*To:* Mike Jones <<>>;<>
*Subject:* Re: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation

So just to make sure I understand...

This specification requires the response from the Authorization Server
to an successful /authorize call to pass back code=, state= and jwt= (?)
or individually iss= and aud= as URL parameters on the 302 to the
redirect_url. This way, before the client issues a call to the /token
endpoint (with the code), it can verify that the token endpoint is correct.

If the client doesn't validate the endpoints at this step, then it could
disclose it's secret to a malicious endpoint. Correct?


On 1/11/16 2:59 PM, Mike Jones wrote:

   The alternatives for the code flow are to return them either in a
   new JWT added to the reply containing them in the "iss" and "aud"
   claims or to return them in new individual "client_id" and "iss"
   authorization response parameters.  Both alternatives are described
   in the draft.  I'm sure that we'll now be having a good engineering
   discussion on the tradeoffs between the alternatives.,

   In a separate draft, John Bradley will shortly also be describing
   the possibility of securing the "state" value using a "state_hash"
   value that works in a way that's similar to how "at_hash" and
   "c_hash" secure the "access_token" and "code" values in Connect.
   This would be an alternative means of binding the authorization
   request and response to the session - accomplishing the same thing
   that the Connect "nonce" does.

   While I fully get that some OAuth implementations want to avoid
   having to have crypto, it seems like at least support for
   cryptographic hashing (SHA-256, etc.) may be necessary to mitigate
   some of these attacks (at least for clients that use more than one
   authorization server).

   The other important engineering discussion I know we're going to
   have is whether, when an OAuth profile already returns the
   information needed for the mitigation, whether we want to specify
   that the client obtain it from the existing location, or whether to
   also return it in a duplicate location.  I'll note that OpenID
   Connect already returns the client ID and issuer for the flows that
   return an ID Token in the authorization response, so this isn't a
   hypothetical question.

   Finally, I know that we'll need to discuss the impact of
   cut-and-paste attacks when the issuer and client ID are returned as
   individual authorization response parameters that are not
   cryptographically bound to the rest of the response.  The
   cut-and-paste attack that returning the issuer and client_id values
   as separate parameters enables, even when state_hash or nonce is
   used, is for the attacker to capture the legitimate response
   containing "iss" and "client_id" results and substitute different
   values for these fields, then post that altered response to the
   legitimate client.  The state and/or nonce values are protected
   against substitution but "iss" and "client_id" are not.

   And yes, I absolutely agree that good examples are essential.
   That's high on my list for the -01 version.

                                                              Thanks a

                                                              -- Mike

   *From:*George Fletcher []
   *Sent:* Monday, January 11, 2016 10:21 AM
   *To:* Mike Jones <<>>
   *Subject:* Re: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation

   Thanks Mike. One question after reading about the different attack
   vectors and this spec...

   How are the 'iss' and 'aud' values returned with the 'code' and
   'state' parameters. It seems the client needs to verify the
   endpoints before making the request to exchange the code for a
   token. If the client is using the default OAuth2 client_id and
   client_secret these values will be sent to the malicious endpoint if
   the client can't verify the endpoints before hand.

   Also, it would be nice to add some non-normative examples to the spec.


   On 1/11/16 4:27 AM, Mike Jones wrote:

       Yesterday Hannes Tschofenig announced an OAuth Security Advisory
       on Authorization Server Mix-Up
       This note announces the publication of the strawman OAuth 2.0
       Mix-Up Mitigation draft he mentioned that mitigates the attacks
       covered in the advisory.  The abstract of the specification is:

       This specification defines an extension to The OAuth 2.0
       Authorization Framework that enables an authorization server to
       provide a client using it with a consistent set of metadata
       about itself. This information is returned in the authorization
       response. It can be used by the client to prevent classes of
       attacks in which the client might otherwise be tricked into
       using inconsistent sets of metadata from multiple authorization
       servers, including potentially using a token endpoint that does
       not belong to the same authorization server as the authorization
       endpoint used. Recent research publications refer to these as
       "IdP Mix-Up" and "Malicious Endpoint" attacks.

       The gist of the mitigation is having the authorization server
       return the client ID and its issuer identifier (a value defined
       in the OAuth Discovery specification
       <>) so that the client can verify
       that it is using a consistent set of authorization server
       configuration information, that the client ID is for that
       authorization server, and in particular, that the client is not
       being confused into sending information intended for one
       authorization server to a different one.  Note that these
       attacks can only be made against clients that are configured to
       use more than one authorization server.

       Please give the draft a quick read and provide feedback to the
       OAuth working group.  This draft is very much a starting point
       intended to describe both the mitigations and the decisions and
       analysis remaining before we can be confident in standardizing a
       solution.  Please definitely read the Security Considerations
       and Open Issues sections, as they contain important information
       about the choices made and the decisions remaining.

       Special thanks go to Daniel Fett (University of Trier),
       Christian Mainka (Ruhr-University Bochum), Vladislav Mladenov
       (Ruhr-University Bochum), and Guido Schmitz (University of
       Trier) for notifying us of the attacks and working with us both
       on understanding the attacks and on developing mitigations.
       Thanks too to Hannes Tschofenig for organizing a meeting on this
       topic last month and to Torsten Lodderstedt and Deutsche Telekom
       for hosting the meeting.

       The specification is available at:


       An HTML-formatted version is also available at:


                                                                  -- Mike

       P.S.  This note was also posted at and as @selfissued


       OAuth mailing list<> <>


   Chief Architect

   Identity Services Engineering<> <>

   AOL Inc.                          AIM:  gffletch

   Mobile: +1-703-462-3494           Twitter:

   Office: +1-703-265-2544           Photos:<>


Chief Architect

Identity Services Engineering<> <>

AOL Inc.                          AIM:  gffletch

Mobile: +1-703-462-3494           Twitter:

Office: +1-703-265-2544           Photos:<>

OAuth mailing list<>

Hans Zandbelt              | Sr. Technical Architect<> | Ping Identity

OAuth mailing list<>