[OAUTH-WG] Fwd: Associating access_token with user-agent on client?
André DeMarre <andredemarre@gmail.com> Wed, 29 February 2012 00:13 UTC
Return-Path: <andredemarre@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 569D921F85EC for <oauth@ietfa.amsl.com>; Tue, 28 Feb 2012 16:13:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.002
X-Spam-Level:
X-Spam-Status: No, score=-3.002 tagged_above=-999 required=5 tests=[AWL=0.297, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8zkw7eQgDtlD for <oauth@ietfa.amsl.com>; Tue, 28 Feb 2012 16:13:37 -0800 (PST)
Received: from mail-pw0-f44.google.com (mail-pw0-f44.google.com [209.85.160.44]) by ietfa.amsl.com (Postfix) with ESMTP id BC57121F8545 for <oauth@ietf.org>; Tue, 28 Feb 2012 16:13:37 -0800 (PST)
Received: by pbcwz17 with SMTP id wz17so2708327pbc.31 for <oauth@ietf.org>; Tue, 28 Feb 2012 16:13:37 -0800 (PST)
Received-SPF: pass (google.com: domain of andredemarre@gmail.com designates 10.68.130.164 as permitted sender) client-ip=10.68.130.164;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of andredemarre@gmail.com designates 10.68.130.164 as permitted sender) smtp.mail=andredemarre@gmail.com; dkim=pass header.i=andredemarre@gmail.com
Received: from mr.google.com ([10.68.130.164]) by 10.68.130.164 with SMTP id of4mr16097003pbb.56.1330474417629 (num_hops = 1); Tue, 28 Feb 2012 16:13:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=zLRhXvOMZBAY0tNxbjIF8c9X8lSIDbb24WmqzZXOO+M=; b=shun4CvQWzIq7MkQx/yvgxurMVY+TeJGfwvFiHtQNBOLg77W3EKOjb+mp+KqXbzvuL kKxbk88H2KL/q2yqx8syOJ9H29uIUGFvoiOcTGqZ1Jdeg9PbrspzVXeR2G+N47yN3+2Z A7XJ6nrknHLH0tsyjHAtSTyr2xL1K5nTaGfok=
MIME-Version: 1.0
Received: by 10.68.130.164 with SMTP id of4mr13370798pbb.56.1330474417439; Tue, 28 Feb 2012 16:13:37 -0800 (PST)
Received: by 10.68.25.193 with HTTP; Tue, 28 Feb 2012 16:13:37 -0800 (PST)
In-Reply-To: <CAEwGkqBrMckJZx27iGwqCCiMHh+QUYQcj113CDVXHZnJ305vPw@mail.gmail.com>
References: <566590632924AD48B839AF6CD200554A02B24D2EBB@EX-SEA31-A.ant.amazon.com> <CAEwGkqBrMckJZx27iGwqCCiMHh+QUYQcj113CDVXHZnJ305vPw@mail.gmail.com>
Date: Tue, 28 Feb 2012 16:13:37 -0800
Message-ID: <CAEwGkqCu1K7t0809jfRd7MwM+V_60Fa4=H3Z=wvK7fJPKfkUag@mail.gmail.com>
From: André DeMarre <andredemarre@gmail.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Subject: [OAUTH-WG] Fwd: Associating access_token with user-agent on client?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Feb 2012 00:13:42 -0000
Neglected to copy the WG. ---------- Forwarded message ---------- From: André DeMarre <andredemarre@gmail.com> Date: Tue, Feb 28, 2012 at 3:52 PM Subject: Re: [OAUTH-WG] Associating access_token with user-agent on client? To: "Martin, Bobby" <bobbym@amazon.com> I assume you're talking about the authorization code flow, and that your client is a server-side web application. How to persist state to maintain a session between a user agent and a web app client is beyond the scope of OAuth. The spec alludes to it in its explanation of the "state" parameter and CSRF, but that's not what you're asking. The client will usually use cookies to maintain a user session, and it's up to the client to decide how sessions are secured. This is no different when the client uses an OAuth server for user authentication; the client still needs to manage a session so it can identify the user as he interacts with the app. There is a difference between matching a user to a real identity (authentication), and recognizing the same user between stateless HTTP requests (sessions). You do bring up a very good point though, that being that if a user's client session is hijacked, then the attacker can use the client to access the user's protected resources. Session security at the client is beyond the scope of OAuth, and the spec only touches on it in its consideration of client redirection endpoint security. For example, see section 3.1.2.1 (http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1.2.1) OAuth is not about securing web applications, but at the very least, perhaps the threat model document could explain that clients need to defend against session hijacking, not only at the redirection endpoint but throughout the application. In the case of cookie-based sessions, the session ID cookie should only be transmitted over TLS. If it's in the threat model already, I must have overlooked it. Regards, Andre DeMarre On Tue, Feb 28, 2012 at 1:54 PM, Martin, Bobby <bobbym@amazon.com> wrote: > The OAuth 2.0 spec specifically says not to return the access_token to the > user-agent (which I understand), but it does not indicate how to associate > the access_token with a particular client session. > > > > This seems like an important omission, since any way that spoofs how the > client recognizes a user-agent request as belonging to a resource owner is > as good as spoofing the access_token. > > > > I searched the list archives and in general googled around, but I don’t see > any discussion of this. In our use case, we want to recognize the customer > based on their authentication with the auth server, so ideally we do not > require a login in the client’s domain. > > > > Can someone point me to discussions around this? > > > > Thanks, > > Bobby > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Associating access_token with user-age… Martin, Bobby
- [OAUTH-WG] Fwd: Associating access_token with use… André DeMarre
- Re: [OAUTH-WG] Fwd: Associating access_token with… Martin, Bobby