Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation Draft

Justin Richer <> Thu, 21 January 2016 18:58 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 2FE3D1A8A7B for <>; Thu, 21 Jan 2016 10:58:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sZMafgSNCSoh for <>; Thu, 21 Jan 2016 10:58:54 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 445FA1A8A87 for <>; Thu, 21 Jan 2016 10:58:54 -0800 (PST)
X-AuditID: 1209190d-f79306d000006b70-5e-56a12a6c357c
Received: from ( []) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 58.16.27504.C6A21A65; Thu, 21 Jan 2016 13:58:52 -0500 (EST)
Received: from ( []) by (8.13.8/8.9.2) with ESMTP id u0LIwplJ018321; Thu, 21 Jan 2016 13:58:52 -0500
Received: from [] ( []) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by (8.13.8/8.12.4) with ESMTP id u0LIwnLu020232 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 21 Jan 2016 13:58:51 -0500
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Content-Type: multipart/signed; boundary="Apple-Mail=_CDB249BA-C31A-45A9-A9B6-0BCE988BE97C"; protocol="application/pgp-signature"; micalg="pgp-sha256"
X-Pgp-Agent: GPGMail 2.5.2
From: Justin Richer <>
In-Reply-To: <>
Date: Thu, 21 Jan 2016 13:58:49 -0500
Message-Id: <>
References: <> <>
To: John Bradley <>
X-Mailer: Apple Mail (2.2104)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrMKsWRmVeSWpSXmKPExsUixCmqrJujtTDMYMd3XYu90z6xWJx8+4rN YvXdv2wOzB5Llvxk8mjd8Zfd4/btjSwBzFFcNimpOZllqUX6dglcGe27WxkLfi1irFi//RxL A+PSPsYuRk4OCQETiWM/NkDZYhIX7q1n62Lk4hASWMwk8ezrWmYIZyOjxPNPl6Cc20wSDzbe BWsRFnCQmHrhPhuIzSugJ/Hq1mVWkCJmgSmMEuc6moASHEBzpSRm7BcAqWETUJWYvqaFCcTm FLCTmNPWxApiswDFr0w7A2YzC0RJdO/+yQ4x00piQddcdojFPYwSvy9uBVsmIqAisW/fI6i7 ZSV2/37ENIFRcBaSO2Yhu2MW2OAkiWerzjFB2NoSyxa+ZoawNSX2dy9nwRTXkOj8NpEVwpaX 2P52DlTcUmLxzBtQ9bYSt/oWQM20k3g0bRHrAkbuVYyyKblVurmJmTnFqcm6xcmJeXmpRbpG ermZJXqpKaWbGMHxKcm7g/HdQaVDjAIcjEo8vDeuzQ8TYk0sK67MPcQoycGkJMqrJL4wTIgv KT+lMiOxOCO+qDQntfgQowrQrkcbVl9glGLJy89LVRLhTVECquNNSaysSi3KhymT5mBREufd 1TE3TEggPbEkNTs1tSC1CCYrw8GhJMEboAnUKFiUmp5akZaZU4KQZuLgPMQowcEDNLwIpIa3 uCAxtzgzHSJ/ilFRSpw3DiQhAJLIKM2D6wWl1YS3h01fMYoDvSXMOxmkigeYkuG6XwENZgIa vNdsPsjgkkSElFQDo+CLGMF8Qbcsvzt2Hg5q3xxcyyc8Z21pbFqUartmgqiCvqSmdZXrH/dl S7UkekLkLWs35+tH8O/kc1tzq7maibf58sSvNtFLJgkl3I57x3FvYlnW45LnvxcxBYb8fzbh zMmV/1dejpuWaJrvw/aj73rXAm8ug1cmWi37Yh7t3DWzTCugtkpLiaU4I9FQi7moOBEAhuyM pYYDAAA=
Archived-At: <>
Cc: "<>" <>
Subject: Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation Draft
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Jan 2016 18:58:59 -0000

Thank you for removing state hashing and please don’t add it back. It’s security theater, and that’s giving it the benefit of the doubt. Remember, this is being sent in a  request where other parameters (code, client_id, client_secret, redirect_uri) are all sent plain over TLS as well. Either come up with a general mechanism to hash everything or don’t hash anything. The latter is more likely to win, and it’s the only thing that makes sense currently.

Also, keep in mind that if the client hashes the state on the second request, then the server can’t store the state parameter using its own hash methods (for data-at-rest protection) and still be able to do the comparison. Having the client send it over plain is really better all around in terms of simplicity and adoptability.

Now if we really wanted to have message-level protection of HTTP requests, I can think of a good way to do that…

 — Justin

> On Jan 21, 2016, at 9:41 AM, John Bradley <> wrote:
> We merged the state verification in with this rather than forcing people to also look at the JWT encoded State draft. <>.
> While JWT encoded state is how I would do state in a client and at-least one client I know of uses it, it is not the only way to manage state, and I am hesitant that developers might be scared away by thinking they need to encode state as a JWT.
> I decided that cross referencing them is better.   This made sending much simpler to describe.
> I also removed the hashing from state.   That cut the text by about 2/3 by not having to describe character set normalization so that both the client and the AS could calculate the same hash.
> That also achieved the goal of not requiring a simple OAuth client doing the code flow to add a crypto library to support SHA256.
> Once we make a algorithm mandatory, we need to defend why we don’t have crypto agility eg support for SHA3 etc.  We would be forced by the IESG to add another parameter to the request to specify the hash alg if we went that direction.
> Given that we assume state to be public info in the request that an attacker can see, hashing state provides not much value for a lot of complexity that people may get wrong or not implement.
> I appreciate why from a theory point of view hashing it would have been better.
> If people really want it I can add it back.
> John B.
>> On Jan 21, 2016, at 3:28 AM, Mike Jones < <>> wrote:
>> John Bradley and I collaborated to create the second OAuth 2.0 Mix-Up Mitigation draft.  Changes were:
>> ·       Simplified by no longer specifying the signed JWT method for returning the mitigation information.
>> ·       Simplified by no longer depending upon publication of a discovery metadata document.
>> ·       Added the “state” token request parameter.
>> ·       Added examples.
>> ·       Added John Bradley as an editor.
>> The specification is available at:
>> · <>
>> An HTML-formatted version is also available at:
>> · <>
>>                                                           -- Mike
>> P.S.  This note was also posted at <> and as @selfissued <>.
>> _______________________________________________
>> OAuth mailing list
>> <>
>> <>
> _______________________________________________
> OAuth mailing list