Re: [OAUTH-WG] Why give the redirect URI when trading an access code for an access token?
Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 12 September 2010 10:21 UTC
Message-ID: <4C8CA9D4.7040409@lodderstedt.net>
Date: Sun, 12 Sep 2010 12:22:12 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: Eran Hammer-Lahav <eran@hueniverse.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343B3F3F0A42@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Thank you for the clarification.

What about mobile/desktop applications utilizing the web flow? I wouldn't assume such clients to use per-application client secrets because protecting these secrets is impossible (as stated in §2 of draft -10). I wonder whether instance-specific secrets (obtained via dynamic client registration) could help here.

regards,
Torsten.

On 11.09.2010 16:59, Eran Hammer-Lahav wrote:
> Sorry.
>
> 7. Evil user takes the code and gives it back to the client by constructing the original correct redirection URI.
> 8. Client exchanges the code for access token, attaching it to the evil user's account.
> 9. Evil user can now access victim user data on his client account.
>
> This is basically a session fixation attack.
>
> EHL
>
>> -----Original Message-----
>> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
>> Sent: Saturday, September 11, 2010 1:01 AM
>> To: Eran Hammer-Lahav
>> Cc: Freeman, Tim; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] Why give the redirect URI when trading an access code for an access token?
>>
>> Doesn't step 7 require the evil user to know the client's secret?
>>
>> On 10.09.2010 17:06, Eran Hammer-Lahav wrote:
>>> 1. Evil user starts the OAuth flow on the client using the web-server flow.
>>> 2. Client redirects the evil user to the authorization server, including state information about the evil user account on the client.
>>> 3. Evil user takes the authorization endpoint URI and changes the redirection to its own site.
>>> 4. Evil user tricks victim user to click on the link and authorize access (phishing or other social engineering attack).
>>> 5. Victim user thinking this is a valid authorization request, authorizes access.
>>> 6. Authorization server sends victim user back to the client, but since the redirection URI was changed, back to the evil user site.
>>> 7. Evil user grabs the code and exchanges it for an access token.
>>>
>>> By checking that the callback URI used to deliver the code is the same as the one used to initiate the flow, the authorization server can verify that the user who initiated the flow is the same one to authorize access and finish the flow.
>>>
>>> EHL
>>>
>>>> -----Original Message-----
>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Freeman, Tim
>>>> Sent: Wednesday, September 08, 2010 8:05 PM
>>>> To: oauth@ietf.org
>>>> Subject: [OAUTH-WG] Why give the redirect URI when trading an access code for an access token?
>>>>
>>>> Hi. I'm new here. I searched the archives a bit and didn't immediately find an answer to my question below. My apologies if there was some previous discussion of this that I missed.
>>>>
>>>> Looking at the draft spec at http://tools.ietf.org/html/draft-ietf-oauth-v2-10, I see in section 4.1.1 "Authorization code" on page 22 that it is required to give the redirect_uri of the original request when exchanging an authorization code for an access token, and the authorization server must verify that the redirection URI is correct as well as the authorization code.
>>>>
>>>> Based on section 4.2 "Access Token Response" on page 25, it seems that the redirect_uri is not used when constructing the response from the authorization server.
>>>>
>>>> So far as I can tell, the redirect_uri is useless in this request. It does not contain any secrets. The authorization code is verified and is meant to be an arbitrary unguessable identifier, so little is gained by verifying the redirect_uri also. It is not used to construct the reply. Why is it required?
>>>>
>>>> Tim Freeman
>>>> Email: tim.freeman@hp.com
>>>> Desk in Palo Alto: (650) 857-2581
>>>> Home: (408) 774-1298
>>>> Cell: (408) 348-7536
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
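The check Eran describes (draft-ietf-oauth-v2-10 §4.1.1; RFC 6749 §4.1.3 keeps it) and his steps 1-9, as an added example that is not part of the thread: a toy authorization server and web-server-flow client in Python. The hostnames, client id and client secret are made up, and `check_redirect_uri=False` models an authorization server that skips the comparison at the token endpoint, so the same code shows both the session-fixation outcome and the check defeating it.

```python
"""Added example (not code from the OAuth WG thread): an authorization code
is bound to the redirect_uri it was delivered to, and the token endpoint
refuses to exchange it for any other redirect_uri.  Hostnames, client id
and secret below are hypothetical."""
import secrets
from dataclasses import dataclass


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str      # where the AS actually sent this code
    resource_owner: str    # whose data the code grants access to
    used: bool = False


class AuthorizationServer:
    """Hypothetical AS.  check_redirect_uri=False models an AS that skips
    the redirect_uri comparison at the token endpoint."""

    def __init__(self, check_redirect_uri: bool = True):
        self.check_redirect_uri = check_redirect_uri
        self.codes: dict[str, IssuedCode] = {}
        # client_id -> client_secret (web-server flow clients hold one)
        self.clients = {"client.example": "s3cret"}

    def authorize(self, client_id: str, redirect_uri: str, resource_owner: str) -> str:
        """Authorization endpoint, after the resource owner approved the request.
        draft-10 did not require pre-registered redirect URIs, so any URI is
        accepted here; the code is remembered together with that URI."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = IssuedCode(client_id, redirect_uri, resource_owner)
        return code    # in reality delivered by a 302 to redirect_uri

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
        """Token endpoint (draft-10 4.1.1): verify client credentials, the code,
        and that redirect_uri equals the one the code was issued for."""
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("invalid_client")
        issued = self.codes.get(code)
        if issued is None or issued.used or issued.client_id != client_id:
            raise PermissionError("invalid_grant")
        if self.check_redirect_uri and issued.redirect_uri != redirect_uri:
            # The code was delivered somewhere other than where this client
            # says it received it: an injected (stolen) code.
            raise PermissionError("invalid_grant: redirect_uri mismatch")
        issued.used = True
        return {"access_token": secrets.token_urlsafe(24),
                "resource_owner": issued.resource_owner}


class Client:
    """Hypothetical web-server-flow client with one fixed callback URI."""
    client_id = "client.example"
    client_secret = "s3cret"
    redirect_uri = "https://client.example/cb"

    def __init__(self, auth_server: AuthorizationServer):
        self.auth_server = auth_server
        self.accounts: dict[str, dict] = {}    # client login -> linked token

    def callback(self, logged_in_user: str, code: str) -> bool:
        """Step 8: exchange whatever code arrives at the callback and attach
        the resulting token to the currently logged-in client account."""
        try:
            tok = self.auth_server.token(self.client_id, self.client_secret,
                                         code, self.redirect_uri)
        except PermissionError:
            return False
        self.accounts[logged_in_user] = tok
        return True


def run_attack(check_redirect_uri: bool) -> bool:
    """Replay steps 3-9.  True if the evil user ends up with a token for the
    victim's data attached to the evil user's own client account."""
    auth_server = AuthorizationServer(check_redirect_uri)
    client = Client(auth_server)
    # Steps 3-6: evil user rewrote redirect_uri in the authorization URL,
    # the victim authorized, and the code went to evil.example instead.
    stolen_code = auth_server.authorize(client.client_id,
                                        "https://evil.example/steal", "victim")
    # Step 7: evil user, logged into the client as himself, feeds the stolen
    # code into the client's real callback.
    linked = client.callback("evil", stolen_code)
    return linked and client.accounts["evil"]["resource_owner"] == "victim"


def run_honest_flow() -> bool:
    """Control: an unmodified flow still succeeds with the check enabled."""
    auth_server = AuthorizationServer(check_redirect_uri=True)
    client = Client(auth_server)
    code = auth_server.authorize(client.client_id, client.redirect_uri, "alice")
    return client.callback("alice", code) and \
        client.accounts["alice"]["resource_owner"] == "alice"


if __name__ == "__main__":
    print("honest flow:", run_honest_flow())            # True
    print("attack, no check:", run_attack(False))       # True: session fixation
    print("attack, with check:", run_attack(True))      # False: rejected
```

What the check does and does not do: it catches a code that was delivered to a redirect_uri other than the one the client presents at the token endpoint, which is exactly step 7, and it works even though the client secret never leaves the client. It does not help when the attacker can get the code delivered to the client's real callback (for example by handing the victim an unmodified authorization URL carrying the attacker's `state`), which is why the client must also bind `state` to the session that started the flow. Requiring exact, pre-registered redirect URIs, which draft -10 did not, removes step 3 altogether.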