Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 205D81A9116 for ; Mon, 11 Jan 2016 12:41:18 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.002 X-Spam-Level: X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gZu7QU7HEh_2 for ; Mon, 11 Jan 2016 12:41:15 -0800 (PST) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0700.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:700]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8FC831A9105 for ; Mon, 11 Jan 2016 12:41:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=PpPGaUfX0FISi+Sv4D2BT0CDFamNujMfOPImgR6uHIc=; b=DO2ZSM4xwJeFg7lRS9aOuxyRPMGleCi23aBbnLG2GBbWBGkOw6FZzZac/+lmLebUlajfhJpprCI4d6tVhCTLw5/lact1eXibL5cKmoUw2rKzVzo3DV5wcLJgUdx/AUect80PBFRXNnYQ+GRMm7Z/ZQmciCvyuvmtCa8gIQseTSY= Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB441.namprd03.prod.outlook.com (10.141.141.142) with Microsoft SMTP Server (TLS) id 15.1.361.13; Mon, 11 Jan 2016 20:40:53 +0000 Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0361.006; Mon, 11 Jan 2016 20:40:53 +0000 From: Mike Jones To: Hans Zandbelt , George Fletcher , "oauth@ietf.org" Thread-Topic: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation Thread-Index: AdFMSEdeh3slUb5fSSeAYII0TkfznQAVH34AAALUM/AAARo6AAAACUsAAACxt4AAABX4UA== Date: Mon, 11 Jan 2016 20:40:53 +0000 Message-ID: References: <5693F276.8020501@aol.com> <56940CD8.8000701@aol.com> <569411BF.5090500@pingidentity.com> In-Reply-To: <569411BF.5090500@pingidentity.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; x-originating-ip: [12.130.116.69] x-microsoft-exchange-diagnostics: 1; BY2PR03MB441; 5:PWyNBKqjByzdcYzkn+VfT56GkOqkQLZVumKKEMBUCHzZFuq6sCQiLNUyfDXSYMBwlmZYvWMDwIoWzoJXni55CQ6+tsh9jKE42Snl++u2KukuhHSCRdR8Y+GCxP4L360jfZxzspq8eRDAamGG7+/vRQ==; 24:UsgK8bg7AzhtQuw5Q/4+Vn0XAah9wywZPIOzht6n2vNiLzOxzmZhcX4WXK7KT5WcYZXt2Kr8Ucc33Qe3CKLq+qs1kXcvLa1m304DZfkdzzk= x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB441; x-ms-office365-filtering-correlation-id: 5319a927-6c3c-4748-5d3a-08d31ac77ff2 x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:(149059832740258); x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(5005006)(520078)(8121501046)(3002001)(10201501046)(61426038)(61427038); SRVR:BY2PR03MB441; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441; x-forefront-prvs: 0818724663 x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(209900001)(24454002)(189002)(13464003)(199003)(377454003)(479174004)(164054003)(5004730100002)(1720100001)(5001960100002)(5003600100002)(81156007)(101416001)(11100500001)(15395725005)(6116002)(189998001)(122556002)(10400500002)(2950100001)(107886002)(50986999)(33656002)(19580395003)(86612001)(5005710100001)(97736004)(10290500002)(1220700001)(586003)(1096002)(2906002)(15975445007)(66066001)(5001770100001)(92566002)(3846002)(8990500004)(5002640100001)(77096005)(74316001)(76576001)(76176999)(54356999)(2900100001)(40100003)(93886004)(1600100001)(86362001)(2501003)(99286002)(105586002)(87936001)(106356001)(10090500001)(5008740100001)(19580405001)(102836003)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB441; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts) spamdiagnosticoutput: 1:23 spamdiagnosticmetadata: NSPM Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: microsoft.com X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jan 2016 20:40:53.3182 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47 X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441 Archived-At: Subject: Re: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Jan 2016 20:41:18 -0000 The specification describes this validation method (comparison of the issue= r received to the issuer recorded at registration time) in step 2 of Sectio= n 4 (Validating the Response). In fact, I added this in response to your f= eedback on an earlier draft, Hans. -----Original Message----- From: Hans Zandbelt [mailto:hzandbelt@pingidentity.com]=20 Sent: Monday, January 11, 2016 12:34 PM To: Mike Jones ; George Fletcher ; oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation I disagree that validating endpoints "at this step" (which refers to right = before making the token request) should be the default way of handling this= . The vast majority of OAuth client deployments connecting to more than one= AS will have a static configuration of the ASes issuer/endpoint informatio= n anyhow and they just need to confirm that the issuer value received in th= e authorization response is the same issuer as that the request was sent to= . Hans. On 1/11/16 1:14 PM, Mike Jones wrote: > Correct > > *From:*George Fletcher [mailto:gffletch@aol.com] > *Sent:* Monday, January 11, 2016 12:13 PM > *To:* Mike Jones ; oauth@ietf.org > *Subject:* Re: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation > > So just to make sure I understand... > > This specification requires the response from the Authorization Server > to an successful /authorize call to pass back code=3D, state=3D and jwt= =3D (?) > or individually iss=3D and aud=3D as URL parameters on the 302 to the > redirect_url. This way, before the client issues a call to the /token > endpoint (with the code), it can verify that the token endpoint is correc= t. > > If the client doesn't validate the endpoints at this step, then it could > disclose it's secret to a malicious endpoint. Correct? > > Thanks, > George > > On 1/11/16 2:59 PM, Mike Jones wrote: > > The alternatives for the code flow are to return them either in a > new JWT added to the reply containing them in the "iss" and "aud" > claims or to return them in new individual "client_id" and "iss" > authorization response parameters. Both alternatives are described > in the draft. I'm sure that we'll now be having a good engineering > discussion on the tradeoffs between the alternatives., > > In a separate draft, John Bradley will shortly also be describing > the possibility of securing the "state" value using a "state_hash" > value that works in a way that's similar to how "at_hash" and > "c_hash" secure the "access_token" and "code" values in Connect. > This would be an alternative means of binding the authorization > request and response to the session - accomplishing the same thing > that the Connect "nonce" does. > > While I fully get that some OAuth implementations want to avoid > having to have crypto, it seems like at least support for > cryptographic hashing (SHA-256, etc.) may be necessary to mitigate > some of these attacks (at least for clients that use more than one > authorization server). > > The other important engineering discussion I know we're going to > have is whether, when an OAuth profile already returns the > information needed for the mitigation, whether we want to specify > that the client obtain it from the existing location, or whether to > also return it in a duplicate location. I'll note that OpenID > Connect already returns the client ID and issuer for the flows that > return an ID Token in the authorization response, so this isn't a > hypothetical question. > > Finally, I know that we'll need to discuss the impact of > cut-and-paste attacks when the issuer and client ID are returned as > individual authorization response parameters that are not > cryptographically bound to the rest of the response. The > cut-and-paste attack that returning the issuer and client_id values > as separate parameters enables, even when state_hash or nonce is > used, is for the attacker to capture the legitimate response > containing "iss" and "client_id" results and substitute different > values for these fields, then post that altered response to the > legitimate client. The state and/or nonce values are protected > against substitution but "iss" and "client_id" are not. > > And yes, I absolutely agree that good examples are essential. > That's high on my list for the -01 version. > > Thanks a > bunch, > > -- Mike > > *From:*George Fletcher [mailto:gffletch@aol.com] > *Sent:* Monday, January 11, 2016 10:21 AM > *To:* Mike Jones > ; oauth@ietf.org > > *Subject:* Re: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation > > Thanks Mike. One question after reading about the different attack > vectors and this spec... > > How are the 'iss' and 'aud' values returned with the 'code' and > 'state' parameters. It seems the client needs to verify the > endpoints before making the request to exchange the code for a > token. If the client is using the default OAuth2 client_id and > client_secret these values will be sent to the malicious endpoint if > the client can't verify the endpoints before hand. > > Also, it would be nice to add some non-normative examples to the spec= . > > Thanks, > George > > On 1/11/16 4:27 AM, Mike Jones wrote: > > Yesterday Hannes Tschofenig announced an OAuth Security Advisory > on Authorization Server Mix-Up > . > This note announces the publication of the strawman OAuth 2.0 > Mix-Up Mitigation draft he mentioned that mitigates the attacks > covered in the advisory. The abstract of the specification is: > > This specification defines an extension to The OAuth 2.0 > Authorization Framework that enables an authorization server to > provide a client using it with a consistent set of metadata > about itself. This information is returned in the authorization > response. It can be used by the client to prevent classes of > attacks in which the client might otherwise be tricked into > using inconsistent sets of metadata from multiple authorization > servers, including potentially using a token endpoint that does > not belong to the same authorization server as the authorization > endpoint used. Recent research publications refer to these as > "IdP Mix-Up" and "Malicious Endpoint" attacks. > > The gist of the mitigation is having the authorization server > return the client ID and its issuer identifier (a value defined > in the OAuth Discovery specification > ) so that the client can verif= y > that it is using a consistent set of authorization server > configuration information, that the client ID is for that > authorization server, and in particular, that the client is not > being confused into sending information intended for one > authorization server to a different one. Note that these > attacks can only be made against clients that are configured to > use more than one authorization server. > > Please give the draft a quick read and provide feedback to the > OAuth working group. This draft is very much a starting point > intended to describe both the mitigations and the decisions and > analysis remaining before we can be confident in standardizing a > solution. Please definitely read the Security Considerations > and Open Issues sections, as they contain important information > about the choices made and the decisions remaining. > > Special thanks go to Daniel Fett (University of Trier), > Christian Mainka (Ruhr-University Bochum), Vladislav Mladenov > (Ruhr-University Bochum), and Guido Schmitz (University of > Trier) for notifying us of the attacks and working with us both > on understanding the attacks and on developing mitigations. > Thanks too to Hannes Tschofenig for organizing a meeting on this > topic last month and to Torsten Lodderstedt and Deutsche Telekom > for hosting the meeting. > > The specification is available at: > > *http://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-0= 0 > > An HTML-formatted version is also available at: > > *http://self-issued.info/docs/draft-jones-oauth-mix-up-mitigation= -00.html > > -- Mik= e > > P.S. This note was also posted at > http://self-issued.info/?p=3D1524 and as @selfissued > . > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > -- > > Chief Architect > > Identity Services Engineering Work:george.fletcher@teamaol.com > > AOL Inc. AIM: gffletch > > Mobile: +1-703-462-3494 Twitter:http://twitter.com/gffletch > > Office: +1-703-265-2544 Photos:http://georgefletcher.photog= raphy > > > > -- > > Chief Architect > > Identity Services Engineering Work:george.fletcher@teamaol.com > > AOL Inc. AIM: gffletch > > Mobile: +1-703-462-3494 Twitter:http://twitter.com/gffletch > > Office: +1-703-265-2544 Photos:http://georgefletcher.photograph= y > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > --=20 Hans Zandbelt | Sr. Technical Architect hzandbelt@pingidentity.com | Ping Identity