Re: [OAUTH-WG] User-Agent flow and refresh tokens

Kris Selden <kris.selden@gmail.com> Fri, 17 September 2010 23:28 UTC

From: Kris Selden <kris.selden@gmail.com>
In-Reply-To: <AANLkTime0dayBq1k+ee7xNp3pkBE2-Ltn-i=LNh0-XvB@mail.gmail.com>
Date: Fri, 17 Sep 2010 16:28:56 -0700
Message-Id: <E79EC3F0-30CA-41D3-ADB2-FFCBEE87B014@gmail.com>
References: <4C913EE3.90704@lodderstedt.net> <AANLkTikJGDUKCfiPiN_rAVXmbPF0SBN_sKNQFHw6-oqj@mail.gmail.com> <AANLkTime0dayBq1k+ee7xNp3pkBE2-Ltn-i=LNh0-XvB@mail.gmail.com>
To: Andrew Arnott <andrewarnott@gmail.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] User-Agent flow and refresh tokens

> Secrets on native apps are good!  The key is (no pun intended) that the secret not ship with the app.  Each client should register for its own client_id and secret when it is installed on the client machine. 

Maybe I'm missing something but...

If it has no credentials, why does sending it credentials after it has been installed prove the client app is trusted? Isn't an installed app without credentials an untrusted app? How do you know when you register the client that it is the app you think it is?

What can the client you want to register do that a client you don't want to register can't after install?

How would, say, an iPhone client that I download register? Push notifications? What if the end user hasn't enabled them? (I know a lot of people who turn them off.) Also, if they've been hacked on a jailbroken phone (http://www.pushfix.info), are they really proving that the client is the client you think it is?

"The specification is very clear (as the article quotes) – don’t use client secrets in installed applications! The reason why the specification doesn’t say much more is because there is no solution. It does not exist for a distributed application unless you issue a different secret to each installation."
http://hueniverse.com/2010/09/all-this-twitter-oauth-security-nonsense/

Once the secret is installed, isn't it still vulnerable after installation? Or is it because you can revoke the one abused secret (after detecting that it has been abused) without invalidating all the installed clients?

It seems like what would be ideal is if these mobile app marketplaces could install a unique client secret when an app is purchased. Otherwise I would think an untrusted app could just mimic a trusted app during registration.
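As an added illustration of the revocation trade-off the message asks about (example code, not from the thread or from any OAuth implementation; the registry class, app name and helper functions are hypothetical), the following simulates an authorization server that issues one client_id/secret per installation, so a single abused credential can be revoked without locking out every other install, against a single shipped secret, where revocation affects them all:

```python
import hashlib
import hmac
import secrets


class InstallRegistry:
    """Hypothetical authorization-server registry (constructed for this example)
    that issues a distinct client_id/secret to every installation of one app."""

    def __init__(self, app_id):
        self.app_id = app_id
        self._installs = {}  # client_id -> {"hash": sha256(secret), "revoked": bool}

    def register_install(self):
        # Nothing here proves the caller is the genuine app; whether the
        # registration step can be trusted is the open question in the message.
        client_id = f"{self.app_id}.{secrets.token_hex(4)}"
        secret = secrets.token_urlsafe(24)
        self._installs[client_id] = {
            "hash": hashlib.sha256(secret.encode()).digest(), "revoked": False}
        return client_id, secret

    def authenticate(self, client_id, secret):
        rec = self._installs.get(client_id)
        if rec is None or rec["revoked"]:
            return False
        digest = hashlib.sha256(secret.encode()).digest()
        return hmac.compare_digest(rec["hash"], digest)  # constant-time compare

    def revoke(self, client_id):
        if client_id in self._installs:
            self._installs[client_id]["revoked"] = True


def per_install_secrets():
    """Two installs; the abused one is revoked and the other keeps working."""
    reg = InstallRegistry("example-mobile-app")
    abused_id, abused_secret = reg.register_install()
    honest_id, honest_secret = reg.register_install()
    reg.revoke(abused_id)  # abuse of this one credential was detected
    return (reg.authenticate(abused_id, abused_secret),
            reg.authenticate(honest_id, honest_secret))


def shared_secret():
    """One secret compiled into the binary and used by two devices:
    revoking it after abuse on device A also cuts off device B."""
    reg = InstallRegistry("example-mobile-app")
    shipped_id, shipped_secret = reg.register_install()  # the single shipped credential
    device_a = device_b = (shipped_id, shipped_secret)
    reg.revoke(shipped_id)
    return reg.authenticate(*device_a), reg.authenticate(*device_b)
```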