Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)
Eran Hammer-Lahav <eran@hueniverse.com> Thu, 18 August 2011 17:01 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1140721F8B46 for <oauth@ietfa.amsl.com>; Thu, 18 Aug 2011 10:01:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.559
X-Spam-Level:
X-Spam-Status: No, score=-2.559 tagged_above=-999 required=5 tests=[AWL=0.040, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eBwULQPGEZWS for <oauth@ietfa.amsl.com>; Thu, 18 Aug 2011 10:01:31 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 9F4F421F8B62 for <oauth@ietf.org>; Thu, 18 Aug 2011 10:01:31 -0700 (PDT)
Received: (qmail 7042 invoked from network); 18 Aug 2011 17:02:25 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 18 Aug 2011 17:02:25 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Thu, 18 Aug 2011 10:02:21 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 18 Aug 2011 10:01:04 -0700
Thread-Topic: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)
Thread-Index: AcxZAD9oCYx+xdzVQuy705Z1zNxKpgEaydKwABcr5dA=
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72345029DFAA42@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <b7df18688b7612cb85418ed587b80044@lodderstedt-online.de> <90C41DD21FB7C64BB94121FBBC2E72345029DFA960@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72345029DFA960@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>
Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2011 17:01:33 -0000
I'd like to ask the chairs to open an issue for this. I didn't realize how hyper sensitive this working group has become that every proposal being questioned needs a ticket to prove to people that they are not being dismissed. But since this is clearly the case, let's be pedantic and open an issue. EHL > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Eran Hammer-Lahav > Sent: Wednesday, August 17, 2011 10:58 PM > To: Torsten Lodderstedt; oauth@ietf.org > Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner > Impersonation) > > I've read the thread leading to this, and the proposed text and I do not > understand the attack. Can you provide a step-by-step scenario of how an > attacker gains access? > > Also, it is unlikely that any major provider is going to require CAPCHA as part > of the authorization flow. This is especially true in the case of using OAuth for > login which has to be practically transparent (one click). I would hate to > recommend a solution that no one is going to take seriously. > > I'm keeping this proposed text out until we resolve this questions. > > EHL > > > > -----Original Message----- > > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > > Of Torsten Lodderstedt > > Sent: Friday, August 12, 2011 7:56 AM > > To: oauth@ietf.org > > Subject: [OAUTH-WG] Draft 20 last call comment (Resource Owner > > Impersonation) > > > > Hi all, > > > > I think the impersonation issue as raised by Niv on the list should be > > covered by the core spec. It directly aims at the trustworthiness of > > the user consent, which in my opinion is one of the core principles of > > OAuth. I therefore suggest to add a description to section 10. > > > > Please find below the text Niv and I prepared. In comparison to Niv's > > original proposal, it covers resource owner impersonation for all client > categories. > > > > regards, > > Torsten. > > > > proposed text: > > > > 10.<to be determined> Resource Owner Impersonation > > > > When a client requests access to protected resources, the > > authorization flow normally involves the resource owner's explicit > > response to the access request, either granting or denying access to the > protected resources. > > > > A malicious client can exploit knowledge of the structure of this flow > > in order to gain authorization without the resource owner's consent, > > by transmitting the necessary requests programmatically, and > > simulating the flow against the authorization server. An suthorization > > server will be vulnerable to this threat, if it uses non-interactive > > authentication mechanisms or split the authorization flow across multiple > pages. > > > > It is RECOMMENDED that the authorization server takes measures to > > ensure that the authorization flow cannot be simulated. > > Attacks performed by scripts running within a trusted user-agent can > > be detected by verifying the source of the request using HTTP referrer > headers. > > In order to prevent such an attack, the authorization server may force > > a user interaction based on non-predictable input values as part of > > the user consent approval. > > > > The authorization server could combine password authentication and > > user consent in a single form, make use of CAPTCHAs or one-time secrets. > > > > Alternatively, the authorization server could notify the resource > > owner of any approval by appropriate means, e.g. text message or e-Mail. > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Draft 20 last call comment (Resource O… Torsten Lodderstedt
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Barry Leiba
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Eran Hammer-Lahav
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Eran Hammer-Lahav
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Lodderstedt, Torsten
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Niv Steingarten
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Igor Faynberg
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Eran Hammer-Lahav
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Eran Hammer-Lahav
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Eran Hammer-Lahav
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Niv Steingarten
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Eran Hammer-Lahav
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Barry Leiba
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Barry Leiba
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Niv Steingarten
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Eran Hammer-Lahav
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Niv Steingarten
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Eran Hammer-Lahav
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… William J. Mills
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Eran Hammer-Lahav
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Niv Steingarten
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Eran Hammer-Lahav
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Niv Steingarten
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… William J. Mills
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Niv Steingarten
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… William J. Mills
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Eran Hammer-Lahav
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Torsten Lodderstedt
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Torsten Lodderstedt
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Eran Hammer-Lahav
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Torsten Lodderstedt
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Eran Hammer-Lahav
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Torsten Lodderstedt
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Eran Hammer-Lahav
- Re: [OAUTH-WG] Draft 20 last call comment (Resour… Torsten Lodderstedt