Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

Eran Hammer-Lahav <eran@hueniverse.com> Thu, 18 August 2011 17:01 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1140721F8B46 for <oauth@ietfa.amsl.com>; Thu, 18 Aug 2011 10:01:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.559
X-Spam-Level:
X-Spam-Status: No, score=-2.559 tagged_above=-999 required=5 tests=[AWL=0.040, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eBwULQPGEZWS for <oauth@ietfa.amsl.com>; Thu, 18 Aug 2011 10:01:31 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 9F4F421F8B62 for <oauth@ietf.org>; Thu, 18 Aug 2011 10:01:31 -0700 (PDT)
Received: (qmail 7042 invoked from network); 18 Aug 2011 17:02:25 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 18 Aug 2011 17:02:25 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Thu, 18 Aug 2011 10:02:21 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 18 Aug 2011 10:01:04 -0700
Thread-Topic: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)
Thread-Index: AcxZAD9oCYx+xdzVQuy705Z1zNxKpgEaydKwABcr5dA=
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72345029DFAA42@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <b7df18688b7612cb85418ed587b80044@lodderstedt-online.de> <90C41DD21FB7C64BB94121FBBC2E72345029DFA960@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72345029DFA960@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>
Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2011 17:01:33 -0000

I'd like to ask the chairs to open an issue for this.

I didn't realize how hyper sensitive this working group has become that every proposal being questioned needs a ticket to prove to people that they are not being dismissed. But since this is clearly the case, let's be pedantic and open an issue.

EHL

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Eran Hammer-Lahav
> Sent: Wednesday, August 17, 2011 10:58 PM
> To: Torsten Lodderstedt; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner
> Impersonation)
> 
> I've read the thread leading to this, and the proposed text and I do not
> understand the attack. Can you provide a step-by-step scenario of how an
> attacker gains access?
> 
> Also, it is unlikely that any major provider is going to require CAPCHA as part
> of the authorization flow. This is especially true in the case of using OAuth for
> login which has to be practically transparent (one click). I would hate to
> recommend a solution that no one is going to take seriously.
> 
> I'm keeping this proposed text out until we resolve this questions.
> 
> EHL
> 
> 
> > -----Original Message-----
> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> > Of Torsten Lodderstedt
> > Sent: Friday, August 12, 2011 7:56 AM
> > To: oauth@ietf.org
> > Subject: [OAUTH-WG] Draft 20 last call comment (Resource Owner
> > Impersonation)
> >
> > Hi all,
> >
> > I think the impersonation issue as raised by Niv on the list should be
> > covered by the core spec. It directly aims at the trustworthiness of
> > the user consent, which in my opinion is one of the core principles of
> > OAuth. I therefore suggest to add a description to section 10.
> >
> > Please find below the text Niv and I prepared. In comparison to  Niv's
> > original proposal, it covers resource owner impersonation for all client
> categories.
> >
> > regards,
> > Torsten.
> >
> > proposed text:
> >
> > 10.<to be determined> Resource Owner Impersonation
> >
> > When a client requests access to protected resources, the
> > authorization flow normally involves the resource owner's explicit
> > response to the access request, either granting or denying access to the
> protected resources.
> >
> > A malicious client can exploit knowledge of the structure of this flow
> > in order to gain authorization without the resource owner's consent,
> > by transmitting the necessary requests programmatically, and
> > simulating the flow against the authorization server. An suthorization
> > server will be vulnerable to this threat, if it uses non-interactive
> > authentication mechanisms or split the authorization flow across multiple
> pages.
> >
> > It is RECOMMENDED that the authorization server takes measures to
> > ensure that the authorization flow cannot be simulated.
> > Attacks performed by scripts running within a trusted user-agent can
> > be detected by verifying the source of the request using HTTP referrer
> headers.
> > In order to prevent such an attack, the authorization server may force
> > a user interaction based on non-predictable input values as part of
> > the user consent approval.
> >
> > The authorization server could combine password authentication and
> > user consent in a single form, make use of CAPTCHAs or one-time secrets.
> >
> > Alternatively, the authorization server could notify the resource
> > owner of any approval by appropriate means, e.g. text message or e-Mail.
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth