Re: [OAUTH-WG] Public client cloning
Nat Sakimura <sakimura@gmail.com> Wed, 11 September 2019 00:51 UTC
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9039612000F for <oauth@ietfa.amsl.com>; Tue, 10 Sep 2019 17:51:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cEgPqrXVGtqF for <oauth@ietfa.amsl.com>; Tue, 10 Sep 2019 17:51:42 -0700 (PDT)
Received: from mail-pf1-x429.google.com (mail-pf1-x429.google.com [IPv6:2607:f8b0:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79C4912007A for <oauth@ietf.org>; Tue, 10 Sep 2019 17:51:42 -0700 (PDT)
Received: by mail-pf1-x429.google.com with SMTP id y5so9809194pfo.4 for <oauth@ietf.org>; Tue, 10 Sep 2019 17:51:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:message-id:in-reply-to:references:subject :mime-version; bh=/8o5YkoRtwtGSeQdibqqODdPidptNTHfT0dZ1/XaUlc=; b=BQE4vyuZvfVwaTNl/zR/8mSOv8V/6GZNWMW7UnGktAxXbV9ekrozhPUhn8rFr0XzCo BODk5RJiVT5Xee6WJd1emwkgcblroMAeATrYB1ze2PrfafnWGVqChhkfRARtBGJ5wNHe kEYWi8ZJ5eQOEnRwLParVjmScg5zTa5KWZyhwMXhsKaPUs7ZHsGrfvxZU0BIbGvy88Vt dZ79neGUKdCLy4zKP32REGAy2SekcfUMcl98/eA3tYcQ08lTp9h/pMSGYqxad95Xi0N9 ASDnT3rntFQGK4+cW6sIBLgwmofIMUenrUnubELefkNKANq4fqOIgJtX1Wtv/pTPuBsW eHpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:message-id:in-reply-to :references:subject:mime-version; bh=/8o5YkoRtwtGSeQdibqqODdPidptNTHfT0dZ1/XaUlc=; b=aeKABzyaEsgwl65Rzs1UJkz36WW0zWicqfUwQQR85UxDJxyC9jK1J6bjZJcD4xNc59 ER8NzBOABNUARuZCc6GydxzeuUX6BDWQS47TN8pJOMYeGOyy1qutMrzfYRuuuRO4wV59 AuQDUDOE7lJaU0iWpCLyVmYuglVeH1AYcVvysRi+NouUHZ3QH2kIBKijALhAsQRv9B90 GdJ85FMuQ/tcTK5nJsFcSrK7mg5s97lFSGLHuLOp/EH23xpMh7Q/i/sePiLPTI1HXpez yzvttpI+XJQdl0tfBIjO5aVR9d/CwP/oQAoJsFLRqRq43p+LxItZraJcOVWnpl/QgbhB eVow==
X-Gm-Message-State: APjAAAVy3D61wurb3Rhi/0DJlyz1o5dDB1VqsumZb8h//cKD0FHGv7M2 6aouYQGkdyKEH5f40A3f5Hs=
X-Google-Smtp-Source: APXvYqxmZwexPb2BX4rBcZ7LD29frdtjXFq+NUmYWoWGz2AmScc3CN1tO6KSGISPwFDViE1paXphIw==
X-Received: by 2002:a65:65c5:: with SMTP id y5mr30146170pgv.342.1568163101167; Tue, 10 Sep 2019 17:51:41 -0700 (PDT)
Received: from localhost ([2001:240:2405:add8:4808:75d4:5911:fd84]) by smtp.gmail.com with ESMTPSA id m19sm760365pjv.9.2019.09.10.17.51.38 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 10 Sep 2019 17:51:40 -0700 (PDT)
Date: Wed, 11 Sep 2019 09:51:24 +0900
From: Nat Sakimura <sakimura@gmail.com>
To: Marius Scurtescu <marius.scurtescu@coinbase.com>, Masakazu OHTSUKA <o.masakazu@gmail.com>
Cc: oauth mailing list <oauth@ietf.org>, Filip Skokan <panva.ip@gmail.com>
Message-ID: <9e3c2bee-6d15-4073-9d50-ef5454405cd9@Spark>
In-Reply-To: <CAP=REHEN4JVB5xSAj6YZZNeoygPEWueyOXrbU=xuosVU5Z359Q@mail.gmail.com>
References: <CAP=REHFHeJT=w4ZCmHYJaL4QFQvntWqPTRaXVCH-fz4FciHh5A@mail.gmail.com> <CABpvcNufpaTRk3BnjJs26b5d9k_8+hd5ZEdFjsmtViTokJiXVg@mail.gmail.com> <CAP=REHEN4JVB5xSAj6YZZNeoygPEWueyOXrbU=xuosVU5Z359Q@mail.gmail.com>
X-Readdle-Message-ID: 9e3c2bee-6d15-4073-9d50-ef5454405cd9@Spark
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="5d784515_5c03170e_4c31"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NqDZOTLV1ENm9T0y1Tlo78PUYzA>
Subject: Re: [OAUTH-WG] Public client cloning
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Sep 2019 00:51:45 -0000
As Filip mentioned, I feel that claimed HTTPS URI would help. Further, if that is used within the dynamic client registration, it could be more secure. The security assumptions are 1. Phone is not rooted; 2. App Store's vetting of claimed URI is not compromised; etc. Nat Sakimura Chairman, OpenID Foundation https://nat.sakimura.org 2019年9月11日 4:27 +0900、Masakazu OHTSUKA <o.masakazu@gmail.com>のメール: > I see. > > Then is this understandable to think from the Authorization Server's point of view ... > > If phone being compromised is a threat that the Client cares, > AS might be interested in NOT supporting public Clients, > and forcing the Client to have a server side, do client authentication, and have some way to hold a session between the native app and it's server side. > > Because if phone is compromised, when AS supports public Clients and access_token leaks, it's kind of AS's fault (well depending on the terms...), > but if whatever the means that the phone app and it's server side keeps a session leaks, it's NOT the AS's fault. > > > > On Tue, Sep 10, 2019 at 8:23 PM Marius Scurtescu <marius.scurtescu@coinbase.com> wrote: > > > If the phone is compromised, original app replaced by malicious app, then RFC8252 will not help. The assumption is that the phone is not compromised. > > > > > > > On Tue, Sep 10, 2019 at 9:58 AM Masakazu OHTSUKA <o..masakazu@gmail.com> wrote: > > > > > Hi, > > > > > > > > > > I've read rfc8252 and have questions about native apps, that I couldn't find answers on Internet. > > > > > > > > > > Imagine an attacker doing: > > > > > 1. original app and authorization server conforms to rfc8252 4.1. Authorization Flow for Native Apps Using the Browser > > > > > 2. clone the original app, name it malicious app and install on the target phone > > > > > 3. remove the original app from the target phone > > > > > 4. use the malicious app and authorize, OS will invoke malicious app using custom URL scheme > > > > > 5. now malicious app has access to the access token > > > > > > > > > > How should we think about this? > > > > > What am I missing? > > > > > > > > > > _______________________________________________ > > > > > OAuth mailing list > > > > > OAuth@ietf.org > > > > > https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Public client cloning Masakazu OHTSUKA
- Re: [OAUTH-WG] Public client cloning Marius Scurtescu
- Re: [OAUTH-WG] Public client cloning Filip Skokan
- Re: [OAUTH-WG] Public client cloning Masakazu OHTSUKA
- Re: [OAUTH-WG] Public client cloning Nat Sakimura
- Re: [OAUTH-WG] Public client cloning Masakazu OHTSUKA
- Re: [OAUTH-WG] Public client cloning Justin Richer