IETF Logo Mail Archive

Re: [OAUTH-WG] Use cases for Audience Restricted tokens + AS and RS "discovery"

Phil Hunt <phil.hunt@oracle.com> Fri, 18 March 2016 23:28 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A49012D829 for <oauth@ietfa.amsl.com>; Fri, 18 Mar 2016 16:28:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o5viNX7RkuBL for <oauth@ietfa.amsl.com>; Fri, 18 Mar 2016 16:28:40 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF60E12D55D for <oauth@ietf.org>; Fri, 18 Mar 2016 16:28:40 -0700 (PDT)
Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u2INSd3R005757 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 18 Mar 2016 23:28:39 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by aserv0022.oracle.com (8.13.8/8.13.8) with ESMTP id u2INScCc007427 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Fri, 18 Mar 2016 23:28:38 GMT
Received: from abhmp0012.oracle.com (abhmp0012.oracle.com [141.146.116.18]) by aserv0122.oracle.com (8.13.8/8.13.8) with ESMTP id u2INSUBI024575; Fri, 18 Mar 2016 23:28:36 GMT
Received: from [10.0.1.20] (/24.86.216.17) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 18 Mar 2016 16:28:25 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail=_D36F0C86-46E8-4A69-BA5C-9C552C1FAA29"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <EBC38367-126E-497C-9878-0F5E7DC4D7C6@ve7jtb.com>
Date: Fri, 18 Mar 2016 16:28:23 -0700
Message-Id: <BBC1AC42-E6B7-4250-9443-4FD07CBC136B@oracle.com>
References: <56EAEB54.8010208@aol.com> <CA+k3eCQ-C+MuAV__JnPMJqeKWMn=Qe2yGB06qzpet=xx1xGZ0g@mail.gmail.com> <B05D6061-BB5A-4593-B77A-9FF84AFE16F6@oracle.com> <EBC38367-126E-497C-9878-0F5E7DC4D7C6@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.3112)
X-Source-IP: aserv0022.oracle.com [141.146.126.234]
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Ouh1Xvb9hw4uXfsm-Rz9xpHe2J4>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Use cases for Audience Restricted tokens + AS and RS "discovery"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Mar 2016 23:28:43 -0000

John

You are trying to solve a completely different problem.

In the bad discovery scenario there is no good AS and bad AS.

1.  There is only one AS and one RS infrastrucutre

2.  The client is mis-configured because it has been given a bad endpoint for one of dyn-reg, token, or resource

The client has no way to know what constitutes a valid set of endpoints.

The AS is acting in good faith in all respects.  It become promiscuous because it is turning over grants and/or tokens over to clients that are sending them to a bad endpoint.

Phil

@independentid
www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>





> On Mar 18, 2016, at 4:16 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> 
> You still have a good AS and a bad AS it is just that the bad AS is using the good AS’s authorization endpoint.
> 
> I guess it comes down to how you define what a AS is if it is malicious.
> 
> Remember all of the attacks postulated in the papers require a xsrf attack or man in the network to cause a client to start a authorization with the bad AS triggering bad discovery and registration.
> 
> If the bad AS is publishing a malicious RS and the “good” registration, authorization, and token endpoints.   It will have a different issuer from the 
> good AS authorization endpoint.   When the client performs authorization thinking it is going to bad AS and gets back the issuer for good AS that will trigger an error in the client and it will never present the AT to the bad RS’s resource endpoint.
> 
> If the developer hard codes some bad RS endpoint in the client then, I admit returning the iss and client_id from the authorization endpoint won’t help.
> 
> John B.
> 
> 
>> On Mar 18, 2016, at 7:27 PM, Phil Hunt (IDM) <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote:
>> 
>> There are two variations. 
>> 
>> Mitm the token endpoint is different then working one legit token endpoint against another thru redirect and state misdirection. 
>> 
>> In the mitm version you don't need multiple AS's.
>> 
>> Phil
>> 
>> On Mar 18, 2016, at 15:04, Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
>> 
>>> The "a. wrong AS /token endpoint" is the mix-up issue, which can be mitigated by returning an identifier for the AS in the authorization response. It is something that needs to be addressed but "discovery" or metadata aren't needed and audience restricted access tokens tokens don't help.
>>> 
>>> Maybe that's obvious but there seems to be a lot of confusion on all this so I wanted to reiterate it.
>>> 
>>> On Thu, Mar 17, 2016 at 11:37 AM, George Fletcher <gffletch@aol.com <mailto:gffletch@aol.com>> wrote:
>>> Goals:
>>> 
>>> 1. Help the client not send a token to the "wrong" endpoint
>>>    a. wrong AS /token endpoint
>>>    b. evil RS endpoint(s)
>>> 2. Allow good RS to determine if the token being validated was intended for that RS
>>> 
>>> Other high-level goals?
>>> 
>>> Use cases:
>>> 
>>> 1. RS that supports multiple AS (we've had this in production since 2011)
>>> 2. RS rejects token not issued for use at the RS
>>> 3. Client that dynamically supports new RS (say any client that supports the jabber API)
>>> 4. Client that dynamically supports new AS
>>> 
>>> Feel free to add to the list :)
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email