Re: [OAUTH-WG] Security Considerations - Access Tokens

Dan Taflin <dan.taflin@gettyimages.com> Mon, 31 October 2011 15:54 UTC

From: Dan Taflin <dan.taflin@gettyimages.com>
To: Marco De Nadai <denadai2@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 31 Oct 2011 15:54:24 +0000

To be consistent, section 10.3 should probably specify that the requirement of confidentiality in transit applies specifically to BEARER tokens.

I would like to see this relaxed further though, as I argued last week, to accommodate situations where a token is scoped to a limited set of data that isn't particularly sensitive. My example was image search. It seems too restrictive to require TLS for an operation that does nothing more than what anyone could do by pointing a browser at our web site. Http cookies can be specified as either requiring or not requiring secure transport; it seems reasonable to allow the same option for bearer tokens, which fulfill an analogous role.

Dan

From: Marco De Nadai [mailto:denadai2@gmail.com]
Sent: Sunday, October 30, 2011 9:44 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Security Considerations - Access Tokens

Hi all,

I've recently noticed that in OAuth 2.0 draft 22, in section 10.3, there is this statement:

Access token (as well as any access token type-specific attributes) MUST be kept confidential in transit and storage, and only shared among the authorization server, the resource servers the access token is valid for, and the client to whom the access token is issued.

BUT in OAuth 2.0 draft 22 with Authorization Code and MAC Access Authentication, I can request a resource with the Access Token sent in the clear. This invalidates the "Access token (as well as any access token type-specific attributes) MUST be kept confidential in transit and storage".

Is it my error?

--
Marco De Nadai
http://www.marcodena.it/
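The distinction both messages turn on, shown as an added example (not code from either poster or from the OAuth drafts): with the MAC token type the token id travels in the clear, but a resource server accepts a request only if it was signed with the mac_key, which never leaves the client, and only once per nonce. The token values, host and URI below are constructed, and the field order of the normalized request string follows the MAC draft as I recall it, so treat that layout as an assumption.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time

# Constructed sample token as an authorization server would issue it for the MAC type:
# the id is the "access token" seen on the wire, the mac_key is a shared secret that
# is never sent. The resource server holds the key the authorization server shared.
ISSUED_TOKEN = {"id": "h480djs93hd8", "mac_key": "489dks293j39"}
RESOURCE_SERVER_KEYS = {ISSUED_TOKEN["id"]: ISSUED_TOKEN["mac_key"]}
SEEN_NONCES = set()  # replay cache on the resource server, keyed by (id, nonce)

def normalized_request_string(nonce, method, uri, host, port, ext=""):
    # Assumed layout of the MAC draft's normalized request string: one field per line.
    return "\n".join([nonce, method.upper(), uri, host.lower(), str(port), ext]) + "\n"

def compute_mac(mac_key, request_string):
    digest = hmac.new(mac_key.encode(), request_string.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def build_authorization_header(token, method, uri, host, port):
    # Client side: nonce is "<age>:<random>" so the server can also bound its age.
    nonce = f"{int(time.time())}:{secrets.token_hex(4)}"
    mac = compute_mac(token["mac_key"], normalized_request_string(nonce, method, uri, host, port))
    return f'MAC id="{token["id"]}", nonce="{nonce}", mac="{mac}"'

def parse_mac_header(header):
    if not header.startswith("MAC "):
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', header[4:]))

def verify_request(header, method, uri, host, port):
    # Resource server side. Returns (accepted, reason) so callers can log the reason.
    fields = parse_mac_header(header)
    if not fields or not all(k in fields for k in ("id", "nonce", "mac")):
        return False, "malformed"
    mac_key = RESOURCE_SERVER_KEYS.get(fields["id"])
    if mac_key is None:
        return False, "unknown id"
    if (fields["id"], fields["nonce"]) in SEEN_NONCES:
        return False, "replayed nonce"
    expected = compute_mac(mac_key, normalized_request_string(fields["nonce"], method, uri, host, port))
    if not hmac.compare_digest(expected, fields["mac"]):
        return False, "bad mac"  # wrong key, or method/URI/host/port were altered in transit
    SEEN_NONCES.add((fields["id"], fields["nonce"]))
    return True, "ok"
```

A bearer token has no equivalent of the mac_key: whoever sees it on the wire can present it, which is why section 10.3's transit confidentiality requirement is essential for bearer tokens and redundant for the id of a MAC token.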