Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

William Denniss <wdenniss@google.com> Sat, 20 February 2016 08:49 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADF3E1A1ADB for <oauth@ietfa.amsl.com>; Sat, 20 Feb 2016 00:49:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.384
X-Spam-Level:
X-Spam-Status: No, score=-1.384 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AEmabRux083e for <oauth@ietfa.amsl.com>; Sat, 20 Feb 2016 00:49:28 -0800 (PST)
Received: from mail-ob0-x236.google.com (mail-ob0-x236.google.com [IPv6:2607:f8b0:4003:c01::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 941721A1AE3 for <oauth@ietf.org>; Sat, 20 Feb 2016 00:49:28 -0800 (PST)
Received: by mail-ob0-x236.google.com with SMTP id gc3so127163314obb.3 for <oauth@ietf.org>; Sat, 20 Feb 2016 00:49:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=6KDpHbFlgI3EObrV1JAZzpDdaHxmJqADECxBYiAkM4E=; b=Ek2LHFrrLJ9Ud9CCL8E4Rgr493w7+tYdLqxGQFGNpVw2xz/idXxQ+ctZqNCX7LlSl7 gFxrowZjqdk4Xfa8tS0Sp+5ZsypvesxdiZ/Qz4o6/BZKS4xUSdFa+UpOD8YekChad4/j CDG3kIDWrlzwgXekMzOaP/hUnc8S1OlCgmK+8CA+u72eCNU3wgZiL73qiHFDJWwHLL5Q USYjsvUk6kX03imSgbOoMbJYIEC4WWbLRxGatGfqYM4MTIbzQNziIGYfOGG+lnsv0zIx ZNH7rqIjFPm7wb14pCRJpX8L3Nouevw4CFUfDrl+DBazIuy+l7uSvyaKJiVIdEp8dfB3 TUJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=6KDpHbFlgI3EObrV1JAZzpDdaHxmJqADECxBYiAkM4E=; b=Ci+Q0rZM7AGkUQerQg43k8G3wTIz5Av3sVdTERl8r7SfIUkAqmHVYCM/bmPe0WDVVB aW0j5SK45bFT6nk5HdzE35zE9FCc7xMGCVOf08UQO2ETlNpQOBmltT4O7wNnlaltace4 ZS4+r8bin1fl24Wx5G7+rU+Zdwmqi4W+nD7p7F2Ae3upa8Y11ZmEn/0GkIuIlVaba1eg VpZ+PvGTMrQmkrO7+AE7HRzM3REVhZmz51ToqiP/CGab8Go1ByGzNye7XdlBAIh6uGGZ ZQaPjgK8xWf0dn5AFOP0aV/9iBfK2G1U/K8oV3/OZJWQngTdYLGyxarFPMFvhtCE6f/N q55Q==
X-Gm-Message-State: AG10YOS0GoxVxivr931r7GSsibOmddhDq3AQ5SyxRk7iWTQ6vS4+LnO/vmu3ku2mjmGwhTFMOrlsHMjhDg4ZEPXk
X-Received: by 10.60.226.163 with SMTP id rt3mr14905510oec.11.1455958167845; Sat, 20 Feb 2016 00:49:27 -0800 (PST)
MIME-Version: 1.0
Received: by 10.182.227.39 with HTTP; Sat, 20 Feb 2016 00:49:08 -0800 (PST)
In-Reply-To: <88DE9988-2CDB-4206-86CE-E7EFF93FB27A@oracle.com>
References: <56C7702B.2000401@gmx.net> <BY2PR03MB442E9BF84AFA890378C5116F5A00@BY2PR03MB442.namprd03.prod.outlook.com> <56C77D92.5050203@pingidentity.com> <88DE9988-2CDB-4206-86CE-E7EFF93FB27A@oracle.com>
From: William Denniss <wdenniss@google.com>
Date: Sat, 20 Feb 2016 00:49:08 -0800
Message-ID: <CAAP42hD96u0Nepdo8YcHeXEo2v1Mo=a_Zo4OcS9ppu7rU-=8Ag@mail.gmail.com>
To: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary=001a11369a06674b54052c2fad42
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/O45noc63gBDF_vhN0VijwLsjEFA>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Feb 2016 08:49:31 -0000

Maybe it's because I wasn't at the Darmstadt meeting so I don't have the
full context, but I don't find draft A
<https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01> to be
all that clear. Here's my review feedback:

Regarding the text "a client may be confused simply because it is receiving
authorization responses from more than one authorization server at the same
redirection endpoint". Even if the client re-uses the same redirection
endpoint, shouldn't state solve this? All incoming responses should have an
outgoing request with a matching state that would identify the
authorization request and therefore authorization server.


For the issue of dynamic discovery and the potential to insert a malicious
discovery document: can the recommendation be to use the hybrid flow of
Connect if you do discovery (and validate the issuer before exchanging the
code)?  Do we need to invent something new for this use-case?

Regarding sections 5 & 6 ("Mitigation Data Sent to the Token Endpoint"),
this describes something that seems similar to what is achieved by PKCE
(RFC7636). Binding information to the authorization code that must be
presented to redeem the code is precisely what PKCE does, and PKCE has
additional security properties. With the PKCE S256 challenge method, the
authorization request and response can leak in their entirety, and yet
still the attacker couldn't exchange the authorization code. Let's just
recommend RFC7636 for this mitigation.

The security researcher documents are only informative references, and yet
the spec seems to rely on them normatively. E.g.:
*  "Mitigating the attacks also relies on the client sending additional
data about the interaction to the token endpoint" (how does this mitigate
the attacks? and what attack exactly?).
*  "a client may be confused simply because it is receiving authorization
responses from more than one authorization server"  (why is the client
confused?)
I would like to see the attacks normatively described in the spec.

For my own knowledge: what are some of the use-cases that are subject to
these attacks? I'm not convinced every RP that talks to more than 1 AS is
at risk today. What are some risky situations that exist which are
mitigated by this draft?



On Fri, Feb 19, 2016 at 9:12 PM, Phil Hunt (IDM) <phil.hunt@oracle.com>
wrote:

> Option A
>
> Phil
>
> > On Feb 19, 2016, at 13:39, Hans Zandbelt <hzandbelt@pingidentity.com>
> wrote:
> >
> > Option A: I agree with Mike that the complexity and implementation cost
> of Option B will make adoption harder, which was also a concern with the
> first iteration of Option A.
> >
> > To be honest, I'm not sure most people would even understand why the
> complexity would be required and just forget about it. At least with the
> simplicity of the most recent option A they don't have to care, just add
> some simple parameters/checks.
> >
> > And for the record: I've also implemented option A in the
> mod_auth_openidc [1] and lua-resty-openidc [2] clients for Apache and NGINX
> respectively.
> >
> > Hans.
> >
> > [1] https://github.com/pingidentity/mod_auth_openidc
> > [2] https://github.com/pingidentity/lua-resty-openidc
> >
> >> On 2/19/16 9:18 PM, Mike Jones wrote:
> >> Option A.  I have higher confidence that this specification solves the
> >> problems because it was designed during a 4-day security meeting
> >> dedicated to this task by a group of over 20 OAuth security experts,
> >> *including both sets of researchers in Germany who originally identified
> >> the problem*.  This solution has also been implemented and interop
> >> tested by Roland Hedberg, Brian Campbell, and I believe others.  Note
> >> that the reason I am advocating this specification is **not** because
> >> I'm an editor of it; my role was to record in spec language what the
> >> OAuth security experts designed together over the 4-day period in
> Darmstadt.
> >>
> >> I’ll also note that even if Option B also solves the problem, it comes
> >> at significant adoption costs and complexity not found in A.  In
> >> particular, it requires that developers understand support a new “Link
> >> Relation” syntax not used elsewhere in OAuth.  As Nat writes about his
> >> own draft in
> >> http://www.ietf.org/mail-archive/web/oauth/current/msg15789.html -
> there
> >> is not a standard JSON syntax for link relations.  He writes “we could
> >> easily create a parallel to it”.  I’d rather we solve the problem using
> >> standard mechanisms already employed in OAuth, rather than risk
> >> bifurcating OAuth in the developer community by unnecessarily
> >> inventing/creating new syntax that is unfamiliar to developers and that
> >> many of them may reject using.
> >>
> >>                                                           -- Mike
> >>
> >> P.S.  Information about the OAuth security meeting can be found at
> >>
> https://docs.google.com/document/d/136Cz2iwUFMdoKWZPCqZRhkmfmHAlJ6kM5OyeXzGptU4/edit
> >> and
> >>
> https://docs.google.com/document/d/1cRa11EgimnTeJZR1-PUpNRpi_u_EoSpO5NtakVbA_sk/edit
> >> .
> >>
> >> -----Original Message-----
> >> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes
> Tschofenig
> >> Sent: Friday, February 19, 2016 11:43 AM
> >> To: oauth@ietf.org
> >> Subject: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for
> >> Adoption
> >>
> >> Early February I posted a mail to the list to make progress on the
> >> solution to the OAuth Authorization Server Mix-Up problem discovered
> >> late last year.
> >>
> >> Here is my mail about the Authorization Server Mix-Up:
> >>
> >> http://www.ietf.org/mail-archive/web/oauth/current/msg15336.html
> >>
> >> Here is my mail to the list that tries to summarize the discussion
> >> status and asked a few questions:
> >>
> >> http://www.ietf.org/mail-archive/web/oauth/current/msg15697.html
> >>
> >> Unfortunately, my mail didn't lead to the intended success. While there
> >> was some feedback I wasn't getting the desired response.
> >>
> >> In order to move forward I believe we need a working group document that
> >> serves as a starting point for further work in the group*. We have two
> >> documents that provide similar functionality in an attempt to solve the
> >> Authorization Server Mix-Up problem.
> >>
> >> So, here is the question for the group. Which document do you want as a
> >> starting point for work on this topic:
> >>
> >> -- Option A: 'OAuth 2.0 Mix-Up Mitigation' by Mike Jones and John
> Bradley
> >>
> >> Link:
> >>
> >> https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01
> >>
> >> -- Option B: 'OAuth Response Metadata' by Nat Sakimura, Nov Matake and
> >> Sascha Preibisch
> >>
> >> Link:
> >>
> >> https://tools.ietf.org/html/draft-sakimura-oauth-meta-07
> >>
> >> Deadline for feedback is March, 4th.
> >>
> >> Ciao
> >>
> >> Hannes & Derek
> >>
> >> PS: (*) Regardless of the selected solution we will provide proper
> >> acknowledgement for those who contributed to the work.
> >>
> >>
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >
> > --
> > Hans Zandbelt              | Sr. Technical Architect
> > hzandbelt@pingidentity.com | Ping Identity
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>