Re: [OAUTH-WG] Mix-up mitigation is not so easy...

Warren Parad <> Wed, 28 October 2020 11:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6F4943A0A82 for <>; Wed, 28 Oct 2020 04:00:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.089
X-Spam-Status: No, score=-1.089 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SHORTENED_URL_HREF=0.999, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YO5tYc41XF-c for <>; Wed, 28 Oct 2020 04:00:17 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 669813A0A80 for <>; Wed, 28 Oct 2020 04:00:17 -0700 (PDT)
Received: by with SMTP id k6so4291225ilq.2 for <>; Wed, 28 Oct 2020 04:00:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=tfLPGuiLq9V5kASwnRvmIgu+ajlHvGtU/n3boWmGfHI=; b=IfadGvvhcUQDLNxLk/mj09QTTHTOA5fUCKnGaTpko7NrKGECCo5lxXg8JSt3YxpdFG s25Fe+Ywh6e0Q2Br0m1x8TTBwWeILXOfvW1IvWT8M7NLlLvXNgdY3bbwYLfg1h3FVZm9 w7uS/o985oBzt9Im8FfNyct9CgAxO8RWn1WRw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tfLPGuiLq9V5kASwnRvmIgu+ajlHvGtU/n3boWmGfHI=; b=IATah29GN1DPYhxQq6g9x3liLjSauU5g0LvYQBlk37BN5I/MVMoKZFKXEOkoCerjTh xTpZ/Ixct5XPuBshMKXZGOO3XpbU3IeAmBWuAo3xFvjNn+s9qGZmDRMkC3zLdaRIBO1b 2JIgj9Kgw+rca4LnhnKnnzNPwwIODml2HqDypgLgvGiB7ZUAIhglBdwotWFU61chDccS XxiATt2Maj6WnjdVfpbKJNj4+qIZCerBDkMx0cphTG9zO8rJTm+Fjk0y5Q5/guwmfH+B obrB9GxJehmHeuUEdqIK0wC1+T3ffyUiUXJAlZ5hMVl+9bksy+j0Er2qUylyKXG9hMMG gQ0A==
X-Gm-Message-State: AOAM530ILNzRL8DEsG3xWT6nPr+AYMuBurFsqyy3iS8Jy35GQLznSVEp ZqC4RqezHp+8kQ+6S2mQkBH7LiH/LYG84D7koxYv
X-Google-Smtp-Source: ABdhPJwkNGQUKjjBvVh2Xgt2EGe00vlv0JoOj7nV68aE9kWbBjZxzwjiP3Vu0yCKhSKG/a5oYgILmGcymkA/i45iQEw=
X-Received: by 2002:a92:c529:: with SMTP id m9mr5093133ili.195.1603882816470; Wed, 28 Oct 2020 04:00:16 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Warren Parad <>
Date: Wed, 28 Oct 2020 12:00:05 +0100
Message-ID: <>
To: Daniel Fett <>
Cc: oauth <>
Content-Type: multipart/alternative; boundary="000000000000899a7105b2b911e7"
Archived-At: <>
Subject: Re: [OAUTH-WG] Mix-up mitigation is not so easy...
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Oct 2020 11:00:19 -0000

I would likewise assume that issuer validation is always required. But
maybe I hadn't been thinking about this enough. Is there an alternative to
validating it, and implicitly trusting it? Because as you pointed out
either demonstrated control over valid redirect URIs or really any other
secondary mechanism would be required. Perhaps I'm missing something though.

Warren Parad

Founder, CTO
Secure your user data and complete your authorization architecture.
Implement Authress <>.

On Wed, Oct 28, 2020 at 11:08 AM Daniel Fett <> wrote:

> Hi all,
> during my work to update the Security BCP, I stumbled upon a problem in
> our current recommendations against mix-up attacks.
> Until now, our understanding was that adding an "iss" parameter in the
> authorization response and using a distinct redirect URI for each
> configured issuer provided the same level of security. This is
> unfortunately not the case when mix-up is combined with a client
> impersonation attack.
> Let's start with the "iss" parameter: The assumption is, that an AS
> "knows" which issuer it belongs to. Therefore, an uncompromised AS will
> always send the identifier for this (correct) issuer in the "iss" parameter
> in the authorization response. The client will see that it started the
> process with the attacker's issuer, but receives the identifier for another
> issuer in the authorization response, and will abort the interaction.
> With the distinct redirect URIs, the situation is similar. Let's look at
> how the client would defend against mix-up:
>    - For the attacker's AS configuration (attacker Authorization
>    Endpoint, attacker Token Endpoint), the client would register
> as the redirection URI at the
>    attacker's AS.
>    - For the honest AS configuration (honest Authorization Endpoint,
>    honest Token Endpoint), the client would register
> as the redirection URI at the honest
>    AS.
> In the normal mix-up attack, the following would happen:
>    - The user selects "attacker" as AS.
>    - The user is being redirected to the attacker's authorization
>    endpoint.
>    - The attacker redirects the user to the honest AS's authorization
>    endpoint, replacing the client ID in the original authorization request
>    with the client ID of the client at the honest AS.
>    - The user authorizes the client at honest AS.
>    - Honest AS redirects the user back to the client, using
> as the redirect URI.
>    - The client notices a mismatch between the redirection URI and the
>    expected redirect URI (which would be .../attacker).
> Therefore, the mix-up attack is mitigated. The problem is, however, that
> the attacker can circumvent the protection by *registering a new client
> with the honest AS, giving
> <> as the redirection URI* and using
> this new client ID in step 3 of the attack.
> This would mean that the client would see the attacker's redirect URI as
> the incoming URI for the authorization response and would not detect the
> attack. It would forward the authorization code to the token endpoint of
> the attacker, who would be able to redeem it.
> Note that the user would not grant access to the honest client, but to the
> attacker's client. The attacker's client would need to "impersonate" the
> honest client, i.e., using the same name, icon, etc.; This approach is
> similar to existing OAuth phishing attacks with counterfeit clients,
> however, in this case, a *redirect URI of the honest client* is used.
> Therefore, the usual mitigation whereby the AS shows the redirect URI to
> the user would not provide any protection (see also
> What can we do against this attack?
>    - PKCE does not protect against this attack, as the attacker would be
>    able to change the code_challenge parameter.
>    - I think that PAR and JAR probably won't help either, since the
>    honest client "legitimately" speaks to the attacker's AS, who in turn
>    speaks "legitimately" to the honest AS (as the attacker's client). All
>    sides would use the correct endpoints and keys, and the attacker would be
>    able to receive and modify the authorization request, forwarding it to the
>    honest AS under his own client ID.
>    - For the same reason, a DPoP-like sender-constraining of the
>    authorization code is unlikely to help.
>    - What would help is if client registrations would depend on an
>    ACME-like demonstration of control over the origin of the redirect URI.
>    This not something mandated for OAuth today and is unlikely to be seen in
>    broad use.
>    - The "iss" parameter solution is robust against this attack as long
>    as an authorization server never returns an issuer controlled by the
>    attacker. In essence, by declaring the issuer, the AS is providing a
>    pointer to a metadata file which points to the "correct" token endpoint -
>    this is why this solution is robust. We have shown the robustness of the
>    "iss" solution in our formal analysis, but never analyzed the redirect uri
>    solution formally.
> For the security BCP, this means that we depend on the "iss" parameter
> solution even more. (It also means that OAuth 2.1 should probably include
> this parameter.)
> We need to think about how we can proceed with the security BCP without
> too much delay.
> Sorry for poking another hole into the spec,
> Daniel
> --
> _______________________________________________
> OAuth mailing list