Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

Daniel Roesler <> Fri, 08 November 2019 12:50 UTC

From: Daniel Roesler <>
Date: Fri, 8 Nov 2019 06:49:40 -0600
To: Hannes Tschofenig <>

In the "3.1 Protecting Redirect-Based Flows" > "3.1.1. Authorization
Code Grant" section, is there guidance on when it is appropriate (if
ever) to automatically generate a new authorization code and redirect
back to the client?

A recent exploit[1] on Github's OAuth implementation was practical
because if you make an authorization request and the resource owner is
already authenticated and the scope is already authorized, Github will
silently generate a new authorization code and redirect the user back
to the redirect_uri without asking them to click "Authorize" again.

How the exploit worked:

1. The client makes an ajax HEAD request to the OAuth authorization
endpoint, which will silently create the authorization grant (this was
the security exploit that was patched).

2. However, since the ajax response was blocked via CORS, the client
couldn't receive the authorization code in the response parameters.

3. So, the client then redirected the user to Github's authorization
endpoint with the same authorization code request (only this time as a
real GET redirect).

4. Github instantly redirected the user back to the client's
redirect_uri with a new authorization code and without asking for any
user interaction.

It seems strange to me that OAuth should allow for transparent
authorization code redirects without resource owner confirmation. This
situation only comes up when something weird is happening, such as
when a client loses their valid access|refresh_token, but isn't that
all the more reason to clarify that you should always ask for resource
owner confirmation of the scope, even in scenarios where you are just
re-authorizing the same scope as before?

Had Github asked for confirmation on step 4 above, the practicality of
the HEAD exploit would have been reduced because the user would have
been presented with an unexpected Allow/Deny Github OAuth dialogue,
possibly alerting them to the fact that something strange was going

Anyway, I'm trying to find guidance on transparent redirects for
authorization code grants. There's a whole host of both security and
application logic issues that could come up from such behavior, so I'd
like to ask for clarification in best practices.


Daniel Roesler
Co-founder & CTO, UtilityAPI
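As an added example that is not part of this thread (and not GitHub's code), here is a small Python model of the authorization-endpoint decision described in steps 1 to 4, with a hypothetical policy switch that shows the transparent redirect of step 4 beside the always-confirm behaviour argued for above; it also refuses HEAD so that method can have no grant-creating side effect.

```python
# Constructed model of an OAuth 2.0 authorization endpoint's decision logic
# (not the thread's code and not GitHub's): the "transparent redirect" policy
# the mail describes, side by side with one that always asks the resource owner.
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    REJECT = "reject"            # refused; no grant is created
    LOGIN = "login"              # resource owner must authenticate first
    PROMPT_CONSENT = "prompt"    # render the Allow/Deny dialogue; no code yet
    ISSUE_CODE = "issue_code"    # redirect to redirect_uri with a fresh code


@dataclass
class AuthzRequest:
    method: str                  # HTTP method used against the endpoint
    client_id: str
    scope: frozenset
    authenticated: bool          # resource owner has a valid session
    consent_submitted: bool = False  # POST back from the consent form


@dataclass
class AuthzServer:
    # Hypothetical policy switch: skip the dialogue if the same scope was granted before.
    skip_consent_if_previously_authorized: bool
    prior_grants: dict = field(default_factory=dict)  # client_id -> authorized scope

    def decide(self, req: AuthzRequest) -> Action:
        # Only GET (render) and POST (consent form) reach the grant logic; HEAD or
        # any other method must never have the side effect of creating a grant.
        if req.method not in ("GET", "POST"):
            return Action.REJECT
        if not req.authenticated:
            return Action.LOGIN
        if req.method == "POST" and req.consent_submitted:
            self.prior_grants[req.client_id] = req.scope  # record the explicit grant
            return Action.ISSUE_CODE
        already = self.prior_grants.get(req.client_id, frozenset())
        if self.skip_consent_if_previously_authorized and req.scope <= already:
            return Action.ISSUE_CODE  # transparent redirect: user sees no dialogue
        return Action.PROMPT_CONSENT  # confirmation required, even for the same scope


def replay_step_4(skip_consent: bool) -> Action:
    """Step 4 of the mail: user already logged in, scope already authorized,
    client sends the browser to the authorization endpoint with a real GET."""
    srv = AuthzServer(skip_consent, {"client-a": frozenset({"repo"})})
    return srv.decide(AuthzRequest("GET", "client-a", frozenset({"repo"}), True))
```

With the switch on, step 4 yields a code with no user interaction; with it off, the resource owner is shown the dialogue the mail says would have made the attack noticeable.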

On Wed, Nov 6, 2019 at 2:27 AM Hannes Tschofenig
<> wrote:
> Hi all,
> this is a working group last call for "OAuth 2.0 Security Best Current Practice".
> Here is the document:
> Please send your comments to the OAuth mailing list by Nov. 27, 2019.
> (We use a three week WGLC because of the IETF meeting.)
> Ciao
> Hannes & Rifaat