[OAUTH-WG] What's the use case for signing OAuth 2.0 requests?

Yaron Goland <yarong@microsoft.com> Fri, 24 September 2010 21:18 UTC

From: Yaron Goland <yarong@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Fri, 24 Sep 2010 21:18:54 +0000
Message-ID: <7C01E631FF4B654FA1E783F1C0265F8C635347FF@TK5EX14MBXC111.redmond.corp.microsoft.com>
List-Id: OAUTH WG <oauth.ietf.org>

My understanding of Eran's article (http://hueniverse.com/2010/09/oauth-2-0-without-signatures-is-bad-for-the-web/) is that Eran believes that bearer tokens are not good enough as a security mechanism because they allow for replay attacks in discovery style scenarios. He then, if I understood the article correctly, argues that the solution to the replay attack is to sign OAuth 2.0 requests.
In http://www.goland.org/bearer-tokens-discovery-and-oauth-2-0/ I tried to demonstrate that in fact one can easily prevent replay attacks in discovery scenarios using OAuth 2.0 and bearer tokens. If the article is correct then it is not a requirement to introduce message signing into OAuth 2.0 in order to prevent the attacks that Eran identified.

So this leaves me wondering, what's the critical scenario that can't be met unless we sign OAuth 2.0 requests?
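To make the replay argument concrete, here is an added example that is not part of Yaron's message or of either linked article: a hypothetical, simplified HMAC-signed request (method, URI, host, timestamp, nonce) and the server-side check it enables, which rejects a verbatim replay, a stale request and a modified request. The key, names and timestamps are constructed for illustration and do not follow any specific OAuth draft.

```python
import hashlib
import hmac
import time

# Constructed shared secret for the illustration (hypothetical, not from any spec).
MAC_KEY = b"example-shared-mac-key"
ALLOWED_SKEW = 300  # seconds a request may be delayed before it is rejected as stale


def normalize(method, uri, host, ts, nonce):
    """Canonical string both sides sign; any change to a field breaks the MAC."""
    return "\n".join([method.upper(), uri, host, str(ts), nonce]) + "\n"


def sign_request(method, uri, host, ts, nonce, key=MAC_KEY):
    msg = normalize(method, uri, host, ts, nonce).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ResourceServer:
    """Verifies the MAC and rejects any (timestamp, nonce) pair it has already seen."""

    def __init__(self, key=MAC_KEY, skew=ALLOWED_SKEW):
        self.key, self.skew = key, skew
        self.seen = set()  # nonce cache; in practice bounded by the skew window

    def accept(self, method, uri, host, ts, nonce, mac, now=None):
        now = time.time() if now is None else now
        expected = sign_request(method, uri, host, ts, nonce, self.key)
        if not hmac.compare_digest(expected, mac):
            return False  # forged or modified request
        if abs(now - ts) > self.skew:
            return False  # stale: outside the replay window
        if (ts, nonce) in self.seen:
            return False  # exact replay of an earlier request
        self.seen.add((ts, nonce))
        return True


def demo():
    srv = ResourceServer()
    ts, nonce = 1285362000, "n1"  # constructed values
    mac = sign_request("GET", "/resource", "api.example.com", ts, nonce)
    first = srv.accept("GET", "/resource", "api.example.com", ts, nonce, mac, now=ts + 1)
    replay = srv.accept("GET", "/resource", "api.example.com", ts, nonce, mac, now=ts + 2)
    # A bearer token is the same bytes on every request, so a server holding only
    # the token has nothing request-specific to compare and cannot make this distinction.
    return first, replay
```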