IETF Logo Mail Archive

Re: [OAUTH-WG] Use cases for Audience Restricted tokens + AS and RS "discovery"

John Bradley <ve7jtb@ve7jtb.com> Fri, 18 March 2016 23:29 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A793B12D50B for <oauth@ietfa.amsl.com>; Fri, 18 Mar 2016 16:29:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ik-VVCqfWoUL for <oauth@ietfa.amsl.com>; Fri, 18 Mar 2016 16:29:33 -0700 (PDT)
Received: from mail-qg0-x232.google.com (mail-qg0-x232.google.com [IPv6:2607:f8b0:400d:c04::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA36012D557 for <oauth@ietf.org>; Fri, 18 Mar 2016 16:29:33 -0700 (PDT)
Received: by mail-qg0-x232.google.com with SMTP id a36so81722781qge.0 for <oauth@ietf.org>; Fri, 18 Mar 2016 16:29:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=r5KYVolT+aX0KNibOqBZm2fBnm3qrpklHlPhbUE94rQ=; b=Iexa+S6z0J/FqqMUp8eOVHfRikSanJv3o2ZO63lIEo+5PpfZSSB9ZcuKxFFByeufNO 4f6Vpo600Avye3EFdzBXDIAM1FBB4TNbfs/O9GzwJRgPSmKbF8nOzHm+sO7jK+e3lRuH Vnco/fdq/E+qPvOgOx/QO3+gZw1APgID4AyCT1DEbiSexRjjv8EEXCou5sQDoiGPWpfO sxp1m/BkvmEnzR6AQ0QcFS+w8kdEYijDPd018NdmwIIAfPzT8V+gy0n8XalCxJvBBMFq TYznd1x+bmy14EltOg3bxLTjcmtSE7pbV1/ZA33yPtv7Q0tLnr8Yy3cf39KDSNv/ubLQ U8Nw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=r5KYVolT+aX0KNibOqBZm2fBnm3qrpklHlPhbUE94rQ=; b=D0S18srL35L1G6GNGEt1JUpSiNXEpE4/Y6vkhCuk4ae1YKjsKGpprFt2cOb4rOt/f+ ybDfPgtTXa5OKboGgxDze50qysIYZo6xvYvlToZBAQEBBQiRmPYtu0+D5vHq8pZZsVT+ nGbVEUdNs+rdh6sEexgmiFLpI8zh8aSfM/xdBkgd45SJj8ksVr36AXPVQvce0IkrDpMW /lBb3du2c8ipPqIeT1egUy3eKW7WZZVS6UGsWg/fhuFa/zOZhIT4C74TGWfasdCMDLtE VwPj+A8C2ywNLYjaISYHqFPRhHgC+ijZwdMhKhEpCR57fUbZQbFc6Koy66WWjwHskcP+ fP4Q==
X-Gm-Message-State: AD7BkJKzSB0v8m85sZlvRMo3gvpOgv5yynUgRk/oqT2HQ/oZ1qpyW5j28hMByOxJColKvg==
X-Received: by 10.140.159.69 with SMTP id f66mr27609776qhf.18.1458343772696; Fri, 18 Mar 2016 16:29:32 -0700 (PDT)
Received: from [192.168.8.101] ([181.202.83.141]) by smtp.gmail.com with ESMTPSA id 49sm7021821qgx.32.2016.03.18.16.29.30 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 18 Mar 2016 16:29:31 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_8085E5B8-9FC8-4234-A1B0-4CF10B170C58"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <6C87CFDA-FD24-4C85-8876-D60BE5EFB5F8@oracle.com>
Date: Fri, 18 Mar 2016 20:29:27 -0300
Message-Id: <F104EA70-9D94-472C-849F-65EB8D56E696@ve7jtb.com>
References: <56EAEB54.8010208@aol.com> <CA+k3eCQ-C+MuAV__JnPMJqeKWMn=Qe2yGB06qzpet=xx1xGZ0g@mail.gmail.com> <B05D6061-BB5A-4593-B77A-9FF84AFE16F6@oracle.com> <CA+k3eCR+NDPqrnjGEZbKiuN-FZX730ubnUruk3=YyG6amN=6Vg@mail.gmail.com> <20024B1B-7EC0-4354-A173-94F9F58AE1A3@oracle.com> <DA183442-992A-4166-843D-32EFA58D9C11@ve7jtb.com> <6C87CFDA-FD24-4C85-8876-D60BE5EFB5F8@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/TAhSyvHJ-klm8UZFYGNPCqIBUdY>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Use cases for Audience Restricted tokens + AS and RS "discovery"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Mar 2016 23:29:36 -0000

The mitigation prevents the client from sending the code to a token endpoint that is not associated with the AS returning the code.

I think you need to describe a MiTM attack on the token endpoint that the proposed mitigation that was reviewed by the researchers doesn’t mitigate.

You seem to have defined some new attacks as not being the confused client attacks that you are trying to mitigate.

Perhaps not understanding the attack is causing some of us to not understand the value of the mitigation you propose.

John B.


 
> On Mar 18, 2016, at 8:19 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
> 
> John,
> 
> I haven’t changed my mind. But I now think we’ve come away with a different understanding of the threats.
> 
> I recall that we agreed that “iss” and “client_id” are for mitigating mix-up, by allowing a client to figure out what token endpoint a grant is for.  There is nothing that helps a client to determine that the token endpoint it is about to use is valid.  IOW. The client could have the correct “iss” and “client_id” from the AS authorization endpoint, but it thinks it is supposed to pass the grant to token.evil.com <http://token.evil.com/> instead of token.example.com <http://token.example.com/> to redeem it.
> 
> Phil
> 
> @independentid
> www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
> 
> 
> 
> 
> 
>> On Mar 18, 2016, at 4:01 PM, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
>> 
>> The Mitigation we agreed on for the bad token endpoint is returning the issuer and client_id form the authorization endpoint.
>> 
>> Phil are you saying that you no longer agree with that? 
>> 
>> The question that was unresolved was how the client would get a bad resource URI, and what the correct mitigation is if any.
>> 
>> John B.
>> 
>> 
>>> On Mar 18, 2016, at 7:52 PM, Phil Hunt <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote:
>>> 
>>> By convincing the client to use a bad URL.  That’s kinda why we’re worried about bad discovery no?
>>> 
>>> Depending on the type of client authentication, the client will establish a valid connection to the hacker’s proxy which then replays the token request to the real endpoint.  The hacker now has the token.
>>> 
>>> Same thing for the resource endpoint - except worse. The hacker doesn’t need the token as they now see the payload.
>>> 
>>> Phil
>>> 
>>> @independentid
>>> www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> On Mar 18, 2016, at 3:38 PM, Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
>>>> 
>>>> How does one Mitm the token endpoint?
>>>> 
>>>> On Fri, Mar 18, 2016 at 4:27 PM, Phil Hunt (IDM) <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote:
>>>> There are two variations. 
>>>> 
>>>> Mitm the token endpoint is different then working one legit token endpoint against another thru redirect and state misdirection. 
>>>> 
>>>> In the mitm version you don't need multiple AS's.
>>>> 
>>>> Phil
>>>> 
>>>> On Mar 18, 2016, at 15:04, Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
>>>> 
>>>>> The "a. wrong AS /token endpoint" is the mix-up issue, which can be mitigated by returning an identifier for the AS in the authorization response. It is something that needs to be addressed but "discovery" or metadata aren't needed and audience restricted access tokens tokens don't help.
>>>>> 
>>>>> Maybe that's obvious but there seems to be a lot of confusion on all this so I wanted to reiterate it.
>>>>> 
>>>>> On Thu, Mar 17, 2016 at 11:37 AM, George Fletcher <gffletch@aol.com <mailto:gffletch@aol.com>> wrote:
>>>>> Goals:
>>>>> 
>>>>> 1. Help the client not send a token to the "wrong" endpoint
>>>>>    a. wrong AS /token endpoint
>>>>>    b. evil RS endpoint(s)
>>>>> 2. Allow good RS to determine if the token being validated was intended for that RS
>>>>> 
>>>>> Other high-level goals?
>>>>> 
>>>>> Use cases:
>>>>> 
>>>>> 1. RS that supports multiple AS (we've had this in production since 2011)
>>>>> 2. RS rejects token not issued for use at the RS
>>>>> 3. Client that dynamically supports new RS (say any client that supports the jabber API)
>>>>> 4. Client that dynamically supports new AS
>>>>> 
>>>>> Feel free to add to the list :)
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> 
>

v2.23.0 | Report a Bug | By Email