Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt
Travis Spencer <travis.spencer@curity.io> Tue, 20 March 2018 11:48 UTC
Return-Path: <travis.spencer@curity.io>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38A7012702E for <oauth@ietfa.amsl.com>; Tue, 20 Mar 2018 04:48:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=curity-io.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 81clkxj49gBU for <oauth@ietfa.amsl.com>; Tue, 20 Mar 2018 04:48:50 -0700 (PDT)
Received: from mail-ot0-x236.google.com (mail-ot0-x236.google.com [IPv6:2607:f8b0:4003:c0f::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FC47126DED for <oauth@ietf.org>; Tue, 20 Mar 2018 04:48:45 -0700 (PDT)
Received: by mail-ot0-x236.google.com with SMTP id v23-v6so1341120oth.9 for <oauth@ietf.org>; Tue, 20 Mar 2018 04:48:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=curity-io.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=DQxB1yNeHcrdL3RdpCaEydYQlWNaqElO8o9vPJ3KBHo=; b=1sMtvARuyuIXN++rIBkdzjb/04mi4SuBH7xK1ChdlSZ4vAXoeFxxvILrWWR/WuAd5Q pzeiVQtUFAyfh6m//xivOkjHNG10NMK2pDNDA+oeASg0k9b0floXh+YC5TI61+6TpCSB Fta7Zm3AoIFU0A87kH13iw0slhvNI8wIECFAv8GyutuO/f8cmijw049pWvT8xOXBlmJC KcbIQ6Z5xmlrQxI/oZrX2xSgR7QF6VHL6NIHeOb2d8J/Bd+Ie+hi9wPMd9zbvf+1OhVU BKxWehvyyWjE3ES3d0z/o+gtC3A5CXN7VPdkJMi0UaOks6Ib7TvW76W7zDdOKY3V+Nzz GRHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=DQxB1yNeHcrdL3RdpCaEydYQlWNaqElO8o9vPJ3KBHo=; b=SIPvKe2Iyu2cSe9sxX0C7VX6tad0zTQaeIDedM8MHatyvuhtXKkSRSz3HvZx4MdXpj tcz058ANQriRbapQpwkNHqoaUt2MX69cRZk0byVX3DfTGn27HcGmas+F0odPV78E4h2j yyV5qk4CdimRugNQ9lpzAQK1hdrnBpL2N0GYarPv4fejVohgqF3k6YqS4WpFGIVE4yc/ o2y+egpG4gxF0z7CRCWFeD1WOA2Yc7JpNL4n6V7frtqKSV6luWqLD1g7LpWf7vL+egKz nT4bDKs4mJPAXJ2YKJBGQT0M6dSYSs8BQCiqf4srkynkcleeNVruFdR0k2VbGoQgdA6G 2p8w==
X-Gm-Message-State: AElRT7EEmUgsxXAqSm1DuUarjLqS4MepVlPywi25FYrNpKPmy0pGzHty //mgK1olHSIYG1LZwG2+w55wc5oEqLn3y3QBaZ/bvlOl
X-Google-Smtp-Source: AG47ELtjNyCUO+URAwMH2jFkiz0S3jEBM3AO7RHEhGVvnKxEM7GjQnJEI8GasqYVQx8D16DLM6VaET14oNlOn7CY3z8=
X-Received: by 2002:a9d:4992:: with SMTP id g18-v6mr9695405otf.238.1521546524589; Tue, 20 Mar 2018 04:48:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.70.193 with HTTP; Tue, 20 Mar 2018 04:48:24 -0700 (PDT)
In-Reply-To: <E126FCD2-55E0-4ADB-9A3F-6EEF3955EC2C@authlete.com>
References: <E126FCD2-55E0-4ADB-9A3F-6EEF3955EC2C@authlete.com>
From: Travis Spencer <travis.spencer@curity.io>
Date: Tue, 20 Mar 2018 12:48:24 +0100
Message-ID: <CAEKOcs1Ky7XETQ4xk2XaBZnkjyF-M_OpJvSWK5pouYgq90c5Nw@mail.gmail.com>
To: Joseph Heenan <joseph@authlete.com>
Cc: torsten@lodderstedt.net, oauth@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/eCXGYlhIfHf_IridB5fcxJ1fjmE>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 11:48:52 -0000
I read through this doc and would like to share a bit of feedback in
hopes that it helps:
* There is no mention of Content Security Policy (CSP). This is a very
helpful security mechanism that all OAuth servers and web-based
clients should implement. I think this needs to be addressed in this
doc.
- No mention of frame breaking scripts for non-CSP aware user agents
- No mention of X-Frame-Options
* There's no mention of HSTS which all OAuth servers and web-based
client should implement (or the reverse proxies in front of them
should)
* The examples only use 302 and don't mention that 303 is safer[1]
- Despite what it says in section 1.7 of RFC 6749, many people
think that a 302 is mandated by OAuth. It would be good to recommend a
303 and use examples with other status codes.
* 3.3.1 refers to client.com in the example. This is a real domain.
Suggest client.example.com instead. Same issue in 3.1.2 where
client.evil.com is used
* 3.1.3 (proposed countermeasures) - native clients that use a web
server with a dynamic port should use dynamic client registration and
dynamic client management rather than allowing wildcards on the port
matching of the OAuth server.
* 3.8.1 says "Therefore this draft recommends that every invalid
authorization request MUST NOT automatically redirect the user agent
to the client's redirect URI" -- This is gonna break a lot of stuff
including other specs! I don't think that's warranted, and I am not
looking forward to the fallout this could cause.
Anyway, my $0.02. Hope it helps.
[1] https://arxiv.org/pdf/1601.01229v2.pdf
On Mon, Mar 19, 2018 at 11:16 PM, Joseph Heenan <joseph@authlete.com> wrote:
> Hi Torsten,
>
> As we briefly spoke about earlier, "3.8.1. Authorization Server as Open
> Redirector" could I think be made more explicit.
>
> Currently it explicitly mentions the invalid_request and invalid_scope
> errors must not redirect back to the client's registered redirect uri.
>
> https://tools.ietf.org/html/rfc6749#section-4.1.2.1 defines several more
> potential errors that appear to fall into the same category. I understand to
> block the attack fully we need 'must not redirect's for all the kinds of
> error that could cause an automatic redirect back to the client's registered
> redirect uri without any user interaction - 'unauthorized_client' and
> 'unsupported_response_type' seem to fall into that category. 'server_error'
> also seems dodgy (I would wager that on some servers that are known ways to
> provoke server errors), and I would have doubts about
> 'temporarily_unavailable' too.
>
> Thanks
>
> Joseph
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-secur… Torsten Lodderstedt
- [OAUTH-WG] I-D Action: draft-ietf-oauth-security-… internet-drafts
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-secur… Torsten Lodderstedt
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-secur… Joseph Heenan
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-secur… Travis Spencer
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-secur… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-secur… Torsten Lodderstedt
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-secur… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-secur… Jim Manico
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-secur… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-secur… Travis Spencer
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-secur… Torsten Lodderstedt
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-secur… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-secur… Justin Richer
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-secur… Travis Spencer
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-secur… Daniel Fett