IETF Logo Mail Archive

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

Brian Campbell <bcampbell@pingidentity.com> Tue, 20 March 2018 19:39 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2E8C1289B0 for <oauth@ietfa.amsl.com>; Tue, 20 Mar 2018 12:39:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6xgHkqFqrLvc for <oauth@ietfa.amsl.com>; Tue, 20 Mar 2018 12:39:09 -0700 (PDT)
Received: from mail-it0-x22d.google.com (mail-it0-x22d.google.com [IPv6:2607:f8b0:4001:c0b::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F38D41241F5 for <oauth@ietf.org>; Tue, 20 Mar 2018 12:39:08 -0700 (PDT)
Received: by mail-it0-x22d.google.com with SMTP id v194-v6so3887946itb.0 for <oauth@ietf.org>; Tue, 20 Mar 2018 12:39:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=D/QuaGapR9R3txcfU3Dz6KmG3/Bm/kTApUU9+qWRfi8=; b=Z/kqWkK1q0w4xzbq+JSYLLjVXSgDrDzyyGJZ/B3jTAxPpuEsLxKcqti7uc+OFQWq/J 7NSFijWZ/QIxTb0fwYOytBbLlehW3nRYoCa/UoA1ukORbkYoH5IdEdRZKLBMUF5ZXC8d uiY/XIZ0mDUwHqotDCWDmHV2q9uBhJwtmNvsY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=D/QuaGapR9R3txcfU3Dz6KmG3/Bm/kTApUU9+qWRfi8=; b=qaKJdVlUDoxhw00TkymCLvXMmnwj2Qv4iqXREv6P1jg3cJWjOoqIu+uB1GgrOINISF 6vxBtomJhAFqSwJJm+8p3CA1gBvqwI0aPf0PNRzn8y1vWBBv84LcGeHGoypgpCJlxc/X NmJMa89Cwo0nEnqq4lWRQgCDM1boPq8Fr4xk+OYuhJTNKjqehYyLlSrMh0i/vWH1R4YB M8tbL7MmM9I93gNq2wqKxZZh1KUuc8qM+cRBtXguZi8Hej1PXXPP+6clDUqI80fiaYFo 0t+YKt6ZG5ZVmFNbQvgYgi8mgXCdY9BrSYC0V5jRp46O/lqVYc34bF6V5NzrID+kLe5L SJGA==
X-Gm-Message-State: AElRT7EUXlQlR65oEcYOCcvwhdVih2sAJbRwp6IfyOieDc7brUEhnNGG 5jf6Q86sqvxdvTGpVr2ZH02eZNiFBEpVcS4jFPQ75cqWHJ1KsyFdcmOjK4xUX7vArXtUhXbwoOI 3LUJNYQIg815I/g==
X-Google-Smtp-Source: AG47ELuc+AH8WKOyO/WDOUQH28UP/A4ovCwNfXN15bOHoEdzAO6hNsgWhOuuNfLaBED73gr9hXUXYfmZ2YVjxIqmhTY=
X-Received: by 2002:a24:5491:: with SMTP id t139-v6mr971005ita.89.1521574748087; Tue, 20 Mar 2018 12:39:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.2.73.214 with HTTP; Tue, 20 Mar 2018 12:38:37 -0700 (PDT)
In-Reply-To: <57EDA9BC-1710-4968-B9D5-D6BBBC702046@lodderstedt.net>
References: <E126FCD2-55E0-4ADB-9A3F-6EEF3955EC2C@authlete.com> <CAEKOcs1Ky7XETQ4xk2XaBZnkjyF-M_OpJvSWK5pouYgq90c5Nw@mail.gmail.com> <CA+k3eCR+bvWRK8H+tmkSGbHob1i7ZgrQ96g3qEeaLaU=_LJYSQ@mail.gmail.com> <57EDA9BC-1710-4968-B9D5-D6BBBC702046@lodderstedt.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 20 Mar 2018 19:38:37 +0000
Message-ID: <CA+k3eCSheQzav2CmXvuOL3mT_z_6WON4UWCXqg_rsxzHP+XsAA@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Travis Spencer <travis.spencer@curity.io>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005c05620567dd3a37"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/R7va-Tkw9EQBjgB03scyydRm4S0>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 19:39:13 -0000

The strict redirect_uri matching, referrer-policy headers, and appending a
dummy fragment on error redirects are things that protect from token
leakage/interception resulting from redirection on error, which is the
threat in section 2.2 of -closing-redirectors-00
<https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.2>.
It's true that they don't protect against the kind of open redirection
based on malicious client registration that's described in section 2.1
<https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.1>.
But I don't believe that abuse (as that document calls it) is serious
enough to warrant trying to introduce a breaking change to the original
behavior of RFC 6749 <https://tools.ietf.org/html/rfc6749#section-4.1.2.1>
in this security topics document.






On Tue, Mar 20, 2018 at 4:44 PM, Torsten Lodderstedt <
torsten@lodderstedt.net> wrote:

> Hi Brian,
>
> Am 20.03.2018 um 15:37 schrieb Brian Campbell <bcampbell@pingidentity.com
> >:
>
> +1 to what Travis said about 3.8.1
>
> The text in 3.8 about Open Redirection is new in this most recent -05
> version of the draft so this is really the first time it's been reviewed. I
> believe 3.8..1 goes too far in saying "this draft recommends that every
> invalid authorization request MUST NOT automatically redirect the user
> agent to the client's redirect URI."
>
> I understand that text was informed by https://tools.ietf.org/html/dr
> aft-ietf-oauth-closing-redirectors-00 but it takes one of the potential
> mitigation discussed there in section 3
> <https://tools.ietf.org/html/draft-ietf-oauth-closing-redirectors-00#section-2.3>
> (the one which happens to contradict RFC 6749) and elevates it to a "MUST".
> I don't think something that drastic is warranted. I think there are other
> mitigations - like strict redirect_uri matching,
>
>
> In the attack described in https://tools.ietf.org/
> html/draft-ietf-oauth-closing-redirectors-00 section 2.1. the attacker
> dynamically registers a client with the AS. So exact redirect URI matching
> won’t stop the open redirection attack since the attacker uses the correct
> URI. The problem is with the change in the underlying trust model. RFC 6749
> assumes every configured client to be legit. This might have been ok at the
> time RFC 6749 was published. Open dynamic client registration collides with
> this assumption.
>
> We could distinguish between cases where the AS is confident the client is
> legit and other cases. But how does the AS determine it?
>
> referrer-policy headers, and appending a dummy fragment on error redirects
> -
>
>
> Can you please explain how this protects from open redirection?
>
> that can protect against the more serious redirection issues without
> -security-topics trying to introduce normative breaking changes to the
> behavior from the original OAuth 2.0 Authorization Framework.
>
>
>
> Perhaps there are some error cases not mentioned in RFC 6749 where
> returning an HTTP error code to the browser would be better or more
> appropriate than redirecting back to the OAuth client (my opinion on this
> has gone in circles and I'm honestly not sure anymore). But saying that
> authorization requests never automatically redirect back to the client's
> redirect URI is excessive.
>
>
> Probably. Let’s discuss in detail.
>
> I think the AS should not automatically redirect the user in case of the
> following error conditions because an attacker could cause this errors via
> request parameters or its configuration:
> - unsupported_response_type
> - invalid_scope
> - unauthorized_client
> - invalid_request
>
> kind regards,
> Torsten.
>
>
>
> On Tue, Mar 20, 2018 at 11:48 AM, Travis Spencer <travis.spencer@curity.io
> > wrote:
>
>> I read through this doc and would like to share a bit of feedback in
>> hopes that it helps:
>>
>> * There is no mention of Content Security Policy (CSP). This is a very
>> helpful security mechanism that all OAuth servers and web-based
>> clients should implement. I think this needs to be addressed in this
>> doc.
>>     - No mention of frame breaking scripts for non-CSP aware user agents
>>     -  No mention of X-Frame-Options
>> * There's no mention of HSTS which all OAuth servers and web-based
>> client should implement (or the reverse proxies in front of them
>> should)
>> * The examples only use 302 and don't mention that 303 is safer[1]
>>    - Despite what it says in section 1.7 of RFC 6749, many people
>> think that a 302 is mandated by OAuth. It would be good to recommend a
>> 303 and use examples with other status codes.
>> * 3.3.1 refers to client.com in the example. This is a real domain.
>> Suggest client.example.com instead. Same issue in 3.1.2 where
>> client.evil.com is used
>> * 3.1.3 (proposed countermeasures) - native clients that use a web
>> server with a dynamic port should use dynamic client registration and
>> dynamic client management rather than allowing wildcards on the port
>> matching of the OAuth server.
>> * 3.8.1 says "Therefore this draft recommends that every invalid
>> authorization request MUST NOT automatically redirect the user agent
>> to the client's redirect URI" -- This is gonna break a lot of stuff
>> including other specs! I don't think that's warranted, and I am not
>> looking forward to the fallout this could cause.
>>
>> Anyway, my $0.02. Hope it helps.
>>
>> [1] https://arxiv.org/pdf/1601.01229v2.pdf
>>
>> On Mon, Mar 19, 2018 at 11:16 PM, Joseph Heenan <joseph@authlete.com>
>> wrote:
>> > Hi Torsten,
>> >
>> > As we briefly spoke about earlier, "3.8.1. Authorization Server as Open
>> > Redirector" could I think be made more explicit.
>> >
>> > Currently it explicitly mentions the invalid_request and invalid_scope
>> > errors must not redirect back to the client's registered redirect uri.
>> >
>> > https://tools.ietf.org/html/rfc6749#section-4.1.2.1 defines several
>> more
>> > potential errors that appear to fall into the same category. I
>> understand to
>> > block the attack fully we need 'must not redirect's for all the kinds of
>> > error that could cause an automatic redirect back to the client's
>> registered
>> > redirect uri without any user interaction - 'unauthorized_client' and
>> > 'unsupported_response_type' seem to fall into that category.
>> 'server_error'
>> > also seems dodgy (I would wager that on some servers that are known
>> ways to
>> > provoke server errors), and I would have doubts about
>> > 'temporarily_unavailable' too.
>> >
>> > Thanks
>> >
>> > Joseph
>> >
>> >
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>> >
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*_______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>

-- 
*CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you.*

v2.23.0 | Report a Bug | By Email