IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth2 security considerations for client_id

Justin Richer <jricher@mitre.org> Fri, 06 January 2012 17:45 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E518921F876D for <oauth@ietfa.amsl.com>; Fri, 6 Jan 2012 09:45:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FOJdluQAji-J for <oauth@ietfa.amsl.com>; Fri, 6 Jan 2012 09:45:05 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id E1D7321F8769 for <oauth@ietf.org>; Fri, 6 Jan 2012 09:45:04 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id BABE221B0EB1 for <oauth@ietf.org>; Fri, 6 Jan 2012 12:45:03 -0500 (EST)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 8DA7221B0E45 for <oauth@ietf.org>; Fri, 6 Jan 2012 12:45:03 -0500 (EST)
Received: from [129.83.50.12] (129.83.31.51) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.1.339.1; Fri, 6 Jan 2012 12:45:03 -0500
Message-ID: <4F0732F5.7030703@mitre.org>
Date: Fri, 06 Jan 2012 12:44:21 -0500
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:9.0) Gecko/20111229 Thunderbird/9.0
MIME-Version: 1.0
To: oauth@ietf.org
References: <CACHRFsBNqUgXPxgFth-zHL=tvkVHy=OCXK2tcQ6hC273eoJ9EQ@mail.gmail.com> <0f4aff4b-9fcc-4077-9fca-a068ebf97dd4@email.android.com> <1325871268.64118.YahooMailNeo@web31809.mail.mud.yahoo.com>
In-Reply-To: <1325871268.64118.YahooMailNeo@web31809.mail.mud.yahoo.com>
Content-Type: multipart/alternative; boundary="------------040708030005010206010601"
X-Originating-IP: [129.83.31.51]
Subject: Re: [OAUTH-WG] OAuth2 security considerations for client_id
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2012 17:45:06 -0000

The important thing to realize here is that just having the client_id 
doesn't get you access tokens, and it certainly doesn't give you access 
to all access tokens issued to that client_id in the past. It does allow 
for a phishing scenario in that it will let you try to impersonate a 
known-good client by copying the client_id, but each individual user 
will still have to authorize the fake client in order for it to get a 
new access token.

But keep in mind that this doesn't expose the user's actual credentials 
to the application (on mobile especially, assuming use of external 
browsers trusted by the platform -- as has been discussed on the list 
here, a bad application could always embed a browser and try to steal 
your credentials directly, but they can do that anyway without OAuth). 
The mitigation and cleanup of fake clients like this is also simpler, 
since you can revoke tokens without much cost to users and service 
providers.

These reasons are why it's suggested to use the authorization code flow 
with mobile apps, just without a client_secret. You can lessen the 
attack vector by using a trusted and preregistered callback_uri, and 
there's even been some discussion about how to do that with cloud 
services handling the callbacks for trusted applications on the platform.

  -- Justin

On 01/06/2012 12:34 PM, William Mills wrote:
> Yeah, certainly for Mobile clients this is true.  There are classes of 
> clients (server to server implementations notably) where clientID can 
> be a proper secret and be usefule for client validation.
>
> ------------------------------------------------------------------------
> *From:* Torsten Lodderstedt <torsten@lodderstedt.net>
> *To:* Karim <medkarim.esskalli@gmail.com>; oauth@ietf.org
> *Sent:* Friday, January 6, 2012 5:21 AM
> *Subject:* Re: [OAUTH-WG] OAuth2 security considerations for client_id
>
> Hi,
>
> your observation is correct. OAuth security considerations recommend 
> not to rely on secrets for authenticating mobile apps (aka native 
> apps) but to manage them as so-called public clients. Please take a 
> look onto section 10 of the core spec for further details.
>
> regards,
> Torsten.
>
>
>
> Karim <medkarim.esskalli@gmail.com> schrieb:
>
>     Hello,
>
>     When using User-agent flow with OAuth2 for mobile platform, there
>     is no way for Authorization server to authenticate the client_id
>     of the application.
>
>     So, anyone can impersonate my app by copying the client_id (and so
>     get all access tokens on my behalf), and this is applicable to
>     Facebook, Foursquare,...
>
>     This is not managed by OAuth2 ? Or I missed something ?
>
>     For Web applications (Web server flow), access token is stored on
>     the server side, and the client is authenticated using secret key.
>
>     -- 
>     Karim
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.14.0 | Report a Bug | By Email