Re: [OAUTH-WG] Session cookies in OAuth2 flow
Antonio Sanso <asanso@adobe.com> Fri, 25 April 2014 07:01 UTC
Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E42141A0412 for <oauth@ietfa.amsl.com>; Fri, 25 Apr 2014 00:01:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vja49iCOtNsm for <oauth@ietfa.amsl.com>; Fri, 25 Apr 2014 00:01:49 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0209.outbound.protection.outlook.com [207.46.163.209]) by ietfa.amsl.com (Postfix) with ESMTP id 259D41A007F for <oauth@ietf.org>; Fri, 25 Apr 2014 00:01:48 -0700 (PDT)
Received: from CO1PR02MB206.namprd02.prod.outlook.com (10.242.165.144) by CO1PR02MB208.namprd02.prod.outlook.com (10.242.165.150) with Microsoft SMTP Server (TLS) id 15.0.921.12; Fri, 25 Apr 2014 07:01:40 +0000
Received: from CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.150]) by CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.150]) with mapi id 15.00.0921.000; Fri, 25 Apr 2014 07:01:40 +0000
From: Antonio Sanso <asanso@adobe.com>
To: Andrei Shakirin <ashakirin@talend.com>
Thread-Topic: [OAUTH-WG] Session cookies in OAuth2 flow
Thread-Index: Ac9f1m601wyijPx7QUKZAdgpumsSswAfcZMA
Date: Fri, 25 Apr 2014 07:01:40 +0000
Message-ID: <8CE5B8B4-5CFB-4E1C-B1EC-06D2F0217ED8@adobe.com>
References: <D225CD69196F3F4A9F4174B2FCA06F8811EC7E92@S10BE002.SH10.lan>
In-Reply-To: <D225CD69196F3F4A9F4174B2FCA06F8811EC7E92@S10BE002.SH10.lan>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.147.117.11]
x-forefront-prvs: 0192E812EC
x-forefront-antispam-report: SFV:NSPM; SFS:(10019001)(6009001)(428001)(53474002)(51704005)(24454002)(377454003)(199002)(189002)(86362001)(99396002)(31966008)(74662001)(80022001)(83716003)(2656002)(80976001)(82746002)(19580405001)(4396001)(20776003)(81342001)(85852003)(79102001)(87936001)(76482001)(76176999)(77982001)(83072002)(50986999)(54356999)(46102001)(81542001)(92726001)(36756003)(74502001)(19580395003)(99286001)(83322001)(66066001)(15975445006)(555904002)(92566001)(33656001)(100906001); DIR:OUT; SFP:1102; SCL:1; SRVR:CO1PR02MB208; H:CO1PR02MB206.namprd02.prod.outlook.com; FPR:D0D4F5B2.8E1B57D1.B1FBFFB7.CCEDA970.20230; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (: adobe.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="us-ascii"
Content-ID: <B44D2302CCA430409DD905179ABC6A46@namprd02.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Q5shPCLQFn-w4-iFFS4iOOHdSI4
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Apr 2014 07:01:52 -0000
hi Andrei, AFAIU session cookie management is beyond the scope of the OAuth2 specification. regards antonio On Apr 24, 2014, at 6:39 PM, Andrei Shakirin <ashakirin@talend.com> wrote: > Hi, > > My name is Andrei Shakirin, I am working with OAuth2 implementation in Apache CXF project. > Could you please help me to verify my understanding regarding of using session cookies in OAuth2 flow. > OAuth2 specification mentions session cookies in: > 1) Section 3.1. Authorization Endpoint as possible way to authenticate resource owner against authorization server > 2) Section 10.12. Cross-Site Request Forgery as possible attack where end-user follows a malicious URI to a trusting server including a valid session cookie > > My current understanding is: > a) using sessions between user-agent and authorization server is optional and authorization server is not obligated to keep user state (in case if user-agent provide authentication information with every request). > b) in case if sessions are used (because of any reasons), authorization server have to care about additional protection like hidden form fields in order to uniquely identify the actual authorization request. > > Is this correct? > > Regards, > Andrei. > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Session cookies in OAuth2 flow Andrei Shakirin
- Re: [OAUTH-WG] Session cookies in OAuth2 flow Antonio Sanso
- Re: [OAUTH-WG] Session cookies in OAuth2 flow Andrei Shakirin
- Re: [OAUTH-WG] Session cookies in OAuth2 flow John Bradley
- Re: [OAUTH-WG] Session cookies in OAuth2 flow Andrei Shakirin
- Re: [OAUTH-WG] Session cookies in OAuth2 flow John Bradley
- Re: [OAUTH-WG] Session cookies in OAuth2 flow Andrei Shakirin