Re: [OAUTH-WG] User-Agent flow and refresh tokens
Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 19 September 2010 14:37 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2077C3A6972 for <oauth@core3.amsl.com>; Sun, 19 Sep 2010 07:37:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.547
X-Spam-Level:
X-Spam-Status: No, score=-1.547 tagged_above=-999 required=5 tests=[AWL=-0.381, BAYES_00=-2.599, HELO_EQ_DE=0.35, URIBL_RHS_DOB=1.083]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mHtJN10r3yi2 for <oauth@core3.amsl.com>; Sun, 19 Sep 2010 07:37:13 -0700 (PDT)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.18.43]) by core3.amsl.com (Postfix) with ESMTP id 43F673A69C2 for <oauth@ietf.org>; Sun, 19 Sep 2010 07:36:58 -0700 (PDT)
Received: from p4ffd357e.dip.t-dialin.net ([79.253.53.126] helo=[127.0.0.1]) by smtprelay01.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1OxL0o-0006cC-78; Sun, 19 Sep 2010 16:37:02 +0200
Message-ID: <4C96200C.6000301@lodderstedt.net>
Date: Sun, 19 Sep 2010 16:37:00 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4
MIME-Version: 1.0
To: Kris Selden <kris.selden@gmail.com>
References: <4C913EE3.90704@lodderstedt.net> <AANLkTikJGDUKCfiPiN_rAVXmbPF0SBN_sKNQFHw6-oqj@mail.gmail.com> <AANLkTime0dayBq1k+ee7xNp3pkBE2-Ltn-i=LNh0-XvB@mail.gmail.com> <E79EC3F0-30CA-41D3-ADB2-FFCBEE87B014@gmail.com>
In-Reply-To: <E79EC3F0-30CA-41D3-ADB2-FFCBEE87B014@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Df-Sender: 141509
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] User-Agent flow and refresh tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Sep 2010 14:37:14 -0000
Am 18.09.2010 01:28, schrieb Kris Selden: >> Secrets on native apps are good! The key is (no pun intended) that the secret not ship with the app. Each client should register for its own client_id and secret when it is installed on the client machine. > Maybe I'm missing something but... > > If it has no credentials, why does sending it credentials after it has been installed, prove the client app is trusted? Isn't an installed app without credentials, an untrusted app? How do you know when you register the client that it is the app you think it is? > > What can the client you want to register do that a client you don't want to register can't after install? > > How would say an iPhone client that I download register? Push notifications? What if the end user hasn't enabled them? (I know a lot of people who turn them off) Also, if they've been hacked on a jailbroken phone (http://www.pushfix.info) are they really proving that the client is the client you think it is? > > "The specification is very clear (as the article quotes) – don’t use client secrets in installed applications! The reason why the specification doesn’t say much more is because there is no solution. It does not exist for a distributed application unless you issue a different secret to each installation." > http://hueniverse.com/2010/09/all-this-twitter-oauth-security-nonsense/ > > Once the secret is installed isn't it still vulnerable after installation? Or is it because you can revoke the one abused secret (after detecting that it has been abused) without invalidating all the installed clients. > > It seems like what would be ideal is if these mobile app marketplaces could install a unique client secret when an app is purchased. Otherwise I would think an untrusted app could just mimic a trusted app during registration. that's a very interesting idea but it requires a strong trust relationship between app marketplace and authorization server. In my opinion, client secrets dynamically issued by the OAuth authorization server might at most be a solution against session fixation attacks (cf. http://www.ietf.org/mail-archive/web/oauth/current/msg04358.html). regards, Torsten. > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] User-Agent flow and refresh tokens Torsten Lodderstedt
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Marius Scurtescu
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Andrew Arnott
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Torsten Lodderstedt
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Marius Scurtescu
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Torsten Lodderstedt
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Marius Scurtescu
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Kris Selden
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Torsten Lodderstedt
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Torsten Lodderstedt
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Marius Scurtescu
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Luke Shepard
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Kris Selden
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Torsten Lodderstedt