Re: [OAUTH-WG] Report an authentication issue
Justin Richer <jricher@mitre.org> Fri, 29 June 2012 17:24 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0011821F860E for <oauth@ietfa.amsl.com>; Fri, 29 Jun 2012 10:24:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.524
X-Spam-Level:
X-Spam-Status: No, score=-6.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qhkCP5-x80Tc for <oauth@ietfa.amsl.com>; Fri, 29 Jun 2012 10:24:30 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 40F4221F864B for <oauth@ietf.org>; Fri, 29 Jun 2012 10:24:30 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 60BFA21B13BC; Fri, 29 Jun 2012 13:24:29 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 4F3A121B08F0; Fri, 29 Jun 2012 13:24:29 -0400 (EDT)
Received: from [129.83.50.26] (129.83.31.51) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.283.3; Fri, 29 Jun 2012 13:24:28 -0400
Message-ID: <4FEDE4AF.9030107@mitre.org>
Date: Fri, 29 Jun 2012 13:23:59 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20120615 Thunderbird/13.0.1
MIME-Version: 1.0
To: Antonio Sanso <asanso@adobe.com>
References: <CAEEmcpEcNqNHwfVozD-NtfkruiB-v0MTszwNL4cob2rL=QQTSA@mail.gmail.com> <4FE223E4.6060307@mitre.org> <4FE226BC.6010403@alcatel-lucent.com> <59E470B10C4630419ED717AC79FCF9A910889AB5@BL2PRD0410MB363.namprd04.prod.outlook.com> <CABzCy2CLe_DVcxiD1EasuhtG1_6+6tCtV5TckZ80fvqyjan_bA@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A917052BC8@SN2PRD0410MB370.namprd04.prod.outlook.com> <4FE37D38.1030407@gmail.com> <CABzCy2A_zJ3vaauoo6VwsmLWsTesdTujuQ4dHdVpc5Nh==iEFg@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A91A2C8949@CH1PRD0410MB369.namprd04.prod.outlook.com> <CABzCy2DzmNgmMALNfc1qp95fwD2WULb-49Dk yLiZnjXngAmaPg@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A91A2D1309@CH1PRD0410MB369.namprd04.prod.outlook.com> <496AFB1D-A609-4188-B92D-2185E8880388@ve7jtb.com> <59E470B10C4630419ED717AC79FCF9A91A2D13C9@CH1PRD0410MB369.namprd04.prod.outlook.com> <67F8B633-E4C8-42F6-B84C-FDBC337B7EEA@ve7jtb.com> <04C05FAA-63BC-4441-8540-36280E40DB98@adobe.com>
In-Reply-To: <04C05FAA-63BC-4441-8540-36280E40DB98@adobe.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.51]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Report an authentication issue
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jun 2012 17:24:31 -0000
It's all about how you can swipe a token and inject it into another application. It's easier to trap and inject a token in the implicit flow because it's exposed to the user agent and there's no client secret tied to the token's issuance. To get the same trick to work with the code flow on server-based confidential clients, you'd need to inject your rogue token into the client's configuration or state. With the implicit flow and on devices, it's a bit easier just because the parts of the system that need access to the token are more accessible. -- Justin On 06/29/2012 12:53 PM, Antonio Sanso wrote: > Hi John > > On Jun 29, 2012, at 1:43 AM, John Bradley wrote: > >> Authenticating to the client is NOT safe with all of the flows > you are perfectly right here. At the begin of this discussion and reading your blog post I was under the impression that this "attack" was tight to the use of the implicit grant flaw. > But this is not actually the case as I could reproduce the same scenario against a client using the Authorization Code flaw. > > Regards > > Antonio > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Report an authentication issue rui wang
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Francisco Corella
- Re: [OAUTH-WG] Report an authentication issue rui wang
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Francisco Corella
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue nov matake
- Re: [OAUTH-WG] Report an authentication issue Kristofor Selden
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Igor Faynberg
- Re: [OAUTH-WG] Report an authentication issue Justin Richer
- Re: [OAUTH-WG] Report an authentication issue Justin Richer
- Re: [OAUTH-WG] Report an authentication issue Igor Faynberg
- Re: [OAUTH-WG] Report an authentication issue Justin Richer
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Igor Faynberg
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Igor Faynberg
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Paul Madsen
- Re: [OAUTH-WG] Report an authentication issue Hannes Tschofenig
- Re: [OAUTH-WG] Report an authentication issue Chuck Mortimore
- Re: [OAUTH-WG] Report an authentication issue prateek mishra
- Re: [OAUTH-WG] Report an authentication issue Torsten Lodderstedt
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Igor Faynberg
- Re: [OAUTH-WG] Report an authentication issue Torsten Lodderstedt
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Antonio Sanso
- Re: [OAUTH-WG] Report an authentication issue Justin Richer
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Dick Hardt
- Re: [OAUTH-WG] Report an authentication issue Mike Jones
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue Dick Hardt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Antonio Sanso
- [OAUTH-WG] Inadvertent cross-authentication throu… Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley