Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation Draft
George Fletcher <gffletch@aol.com> Mon, 25 January 2016 20:12 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AB331A00E6 for <oauth@ietfa.amsl.com>; Mon, 25 Jan 2016 12:12:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.79
X-Spam-Level:
X-Spam-Status: No, score=-1.79 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jQfr9KM49ndF for <oauth@ietfa.amsl.com>; Mon, 25 Jan 2016 12:12:00 -0800 (PST)
Received: from omr-a002e.mx.aol.com (omr-a002e.mx.aol.com [204.29.186.56]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 329C41A00E4 for <oauth@ietf.org>; Mon, 25 Jan 2016 12:11:58 -0800 (PST)
Received: from mtaout-maa01.mx.aol.com (mtaout-maa01.mx.aol.com [172.26.222.141]) by omr-a002e.mx.aol.com (Outbound Mail Relay) with ESMTP id 3F7C03800072; Mon, 25 Jan 2016 15:11:57 -0500 (EST)
Received: from [10.172.102.124] (unknown [10.172.102.124]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-maa01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 98D8B3800009C; Mon, 25 Jan 2016 15:11:56 -0500 (EST)
To: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <BY2PR03MB442662C73E3904E73D9B9EFF5C30@BY2PR03MB442.namprd03.prod.outlook.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <56A6818C.2090808@aol.com>
Date: Mon, 25 Jan 2016 15:11:56 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <BY2PR03MB442662C73E3904E73D9B9EFF5C30@BY2PR03MB442.namprd03.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------020400080000070800030902"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20150623; t=1453752717; bh=0IiBCrVhHeKWoelYfN4mIg6OAr2qu62MTzjsIVtgrwg=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=FutnaG5YK7zUYeyO5bQinwVZr+npkJGkKnpxPbbQkrUwYYL/e6SDVLgnbc/jOxy12 O7thYJOOT/voJQFgO5nXLSOAPLalOdsjB/WwAeQEwBnm/nu9p7loYkaJsPB/HS3nYx U51bMAqHkTM8YfGusqVHtpTiiQbEKo5k+MVaPvEM=
x-aol-sid: 3039ac1ade8d56a6818c3c92
X-AOL-IP: 10.172.102.124
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ZkjU9E13Kk7FTrs3_ajsrVyvZgg>
Subject: Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation Draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jan 2016 20:12:02 -0000
Thanks for the write up John and Mike! 1. Editorial: I'd add something like the following to the last paragraph in section 2. "However, if the authorization server does not support OAuth Discovery, then it MUST publicly define it's AS issuer URI." The point being that the client has to have a way to obtain this value so that it can compare it later on in the protocol. 2. Question: If OAuth2 discovery is not required, how does a simple issuer compare prevent the attack? It seems like the malicious AS could get the client to statically configure Good Issuer, Good AuthZ, Bad Token endpoint and assign the client a client_id that is valid at the Good AS. When the Good AS returns the response data it would include it's iss and the client_id which would match and the client would still send the code and client credentials to the Bad AS. I believe that supporting OAuth discovery is going to be required to fully mitigate this attack. 3. Question: In section 7.3 the phrase "unsigned cookie" is used but it's not clear exactly what that means. While the attacker can set cookies in the forged response, they shouldn't be able to set cookies on the specific domain of the AS. If the cookie identifying the AS session is HTTP Only and Secure, then the attacker should not be able to see or forge a value for this cookie. The attacker could bypass the browser completely and just forge a request to the client specifying whatever values they like. These could be taken from a valid session the attacker created and can see from their browser. It seems like the key protection in this case is binding the state value into the code so the code can't be substituted. Thanks, George On 1/21/16 1:28 AM, Mike Jones wrote: > > John Bradley and I collaborated to create the second OAuth 2.0 Mix-Up > Mitigation draft. Changes were: > > ·Simplified by no longer specifying the signed JWT method for > returning the mitigation information. > > ·Simplified by no longer depending upon publication of a discovery > metadata document. > > ·Added the “state” token request parameter. > > ·Added examples. > > ·Added John Bradley as an editor. > > The specification is available at: > > ·http://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01 > > An HTML-formatted version is also available at: > > ·http://self-issued.info/docs/draft-jones-oauth-mix-up-mitigation-01.html > > -- Mike > > P.S. This note was also posted athttp://self-issued.info/?p=1526 and > as @selfissued <https://twitter.com/selfissued>. > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- Chief Architect Identity Services Engineering Work: george.fletcher@teamaol.com AOL Inc. AIM: gffletch Mobile: +1-703-462-3494 Twitter: http://twitter.com/gffletch Office: +1-703-265-2544 Photos: http://georgefletcher.photography
- [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation Dra… Mike Jones
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… John Bradley
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… Justin Richer
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… John Bradley
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… Justin Richer
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… Hans Zandbelt
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… Justin Richer
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… David Waite
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… John Bradley
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… David Waite
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… John Bradley
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… William Denniss
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… Thomas Broyer
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… John Bradley
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… George Fletcher
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… David Waite
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… John Bradley
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… Paul Madsen
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… George Fletcher
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… Roland Hedberg
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… George Fletcher
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… Torsten Lodderstedt
- Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation… Phil Hunt (IDM)