[OAUTH-WG] New draft: Mix-up prevention - adding "iss" parameter to the authorization response

Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de> Mon, 26 October 2020 14:33 UTC

To: oauth@ietf.org
Message-ID: <6604cde2-a936-7e66-034b-9282380205a6@hackmanit.de>
Date: Mon, 26 Oct 2020 15:33:33 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/U5PHuXAl4fTiQ0df2cLFtpURAvI>

Hello WG,

Adding the issuer identifier to the authorization response as a
countermeasure to mix-up attacks is well-known on this list and already
part of the security BCP (see 4.4.2
<https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-4.4.2>).
However, the "iss" parameter is currently not properly specified. Daniel
and I wrote an ID to solve this issue.

We would like to ask the working group to give us feedback on our first
draft version:
https://tools.ietf.org/html/draft-meyerzuselhausen-oauth-iss-auth-resp-00

Abstract

   This document specifies a new parameter "iss" that is used to
   explicitly include the issuer identifier of the authorization server
   in the authorization response of an OAuth authorization grant.  If
   implemented correctly, the "iss" parameter serves as an effective
   countermeasure to "mix-up" attacks.


The need for a proper specification of the "iss" parameter was discussed
in this thread:
https://mailarchive.ietf.org/arch/msg/oauth/DQR2ZXtGKfa-8UGtuPYyZoAaBIc/

Best regards,
Karsten


-- 
Karsten Meyer zu Selhausen
IT Security Consultant
Phone:	+49 (0)234 / 54456499
Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training

Does your OAuth or OpenID Connect implementation use PKCE to strengthen the security? Learn more about the protection PKCE provides and its limitations in our new blog post:
https://www.hackmanit.de/en/blog-en/123-when-pkce-cannot-protect-your-confidential-oauth-client

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz
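The mail describes the client-side half of the countermeasure only in one sentence: the client must remember which authorization server it sent the user to, and must refuse an authorization response whose "iss" names a different issuer. The following Python is an added illustration written for this page; it is not code from the draft, from the authors, or from any OAuth library. It assumes a confidential client that keys its pending flows by the "state" value, a constructed authorization server (`HONEST_AS`) and constructed redirect URLs; the parameter names (`iss`, `state`, `code`) are the ones the draft and the mail use, everything else is hypothetical.

```python
"""Client-side check of the "iss" authorization-response parameter.

Added example for this page (not code from the draft or its authors).
Assumption: the client records, per "state" value, which authorization
server it redirected the user to, and later compares that server's issuer
identifier with the "iss" parameter of the authorization response.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass(frozen=True)
class AuthorizationServer:
    # Issuer identifier and endpoints; these values are constructed.
    issuer: str
    authorization_endpoint: str
    token_endpoint: str


# Constructed sample server used by the usage below and by the tests.
HONEST_AS = AuthorizationServer(
    issuer="https://honest.example",
    authorization_endpoint="https://honest.example/authorize",
    token_endpoint="https://honest.example/token",
)


class IssuerMismatch(Exception):
    """The authorization response cannot be tied to the expected issuer."""


class Client:
    """Minimal authorization-code client that enforces the "iss" check."""

    def __init__(self, client_id: str, redirect_uri: str) -> None:
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        # state -> AuthorizationServer chosen when the flow was started.
        self._pending: dict[str, AuthorizationServer] = {}

    def build_authorization_request(self, server: AuthorizationServer, state: str) -> str:
        # Bind the state to the server *before* redirecting the user, so the
        # response can later be matched against the issuer we actually chose.
        self._pending[state] = server
        query = urlencode({
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "state": state,
        })
        return f"{server.authorization_endpoint}?{query}"

    def handle_authorization_response(self, redirect_url: str) -> tuple[str, str]:
        """Validate the response; return (token_endpoint, code) to continue with.

        Raises IssuerMismatch when the response is not from the expected
        issuer, and ValueError for other malformed responses.
        """
        raw = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
        # RFC 6749 forbids repeated parameters; treat duplicates as malformed.
        if any(len(values) != 1 for values in raw.values()):
            raise ValueError("duplicate parameter in authorization response")
        params = {key: values[0] for key, values in raw.items()}

        state = params.get("state")
        server = self._pending.pop(state, None)  # single use: pop, never get
        if server is None:
            raise IssuerMismatch("unknown or already used state")

        iss = params.get("iss")
        if iss is None:
            raise IssuerMismatch("authorization response carries no iss parameter")
        if iss != server.issuer:
            raise IssuerMismatch(
                f"iss {iss!r} does not match expected issuer {server.issuer!r}"
            )

        if "error" in params:
            raise ValueError(f"authorization server returned error {params['error']!r}")
        code = params.get("code")
        if not code:
            raise ValueError("authorization response carries no code")

        # Only now is it safe to redeem the code, and only at the endpoint of
        # the server the response was verified to come from.
        return server.token_endpoint, code


if __name__ == "__main__":
    client = Client("client-1", "https://client.example/cb")
    print(client.build_authorization_request(HONEST_AS, "state-demo"))
    ok = "https://client.example/cb?code=c1&state=state-demo&iss=https%3A%2F%2Fhonest.example"
    print(client.handle_authorization_response(ok))
```

The design point is that the issuer comparison is made against the client's own record of where it started the flow, keyed by a single-use `state`, rather than against anything the response itself claims; a response carrying a valid code but a different (or absent) `iss` is rejected before the code is ever sent to a token endpoint.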