Re: [OAUTH-WG] Mix-Up About The Mix-Up Mitigation

Roland Hedberg <roland.hedberg@umu.se> Wed, 13 January 2016 07:52 UTC

Return-Path: <roland.hedberg@umu.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B6E01A90CE for <oauth@ietfa.amsl.com>; Tue, 12 Jan 2016 23:52:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.851
X-Spam-Level:
X-Spam-Status: No, score=-3.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DKXzVdoTRd33 for <oauth@ietfa.amsl.com>; Tue, 12 Jan 2016 23:52:30 -0800 (PST)
Received: from smtp5.umu.se (smtp5.umu.se [130.239.8.142]) by ietfa.amsl.com (Postfix) with ESMTP id 3C1971A009F for <oauth@ietf.org>; Tue, 12 Jan 2016 23:52:29 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.22,288,1449529200"; d="asc'?scan'208";a="84011055"
X-IPAS-Result: A2DEBADKAJZW/84N74JeGQEBAQEPAQEBAYJffW0GiFO1EAIFGAqEPYEwAoF1AQEBAQEBgQuENAEBAQECAQEBASBLCwULAgEIEQQBAQEVFQICJwsdCAIEDgUOBgeICwgBDa8nkEABAQEBAQEBAQIBAQEBAQEBAQERBQSGVoIPgnCEPh85gl4ugRsFlxWCdIFlmAFcjXhkhApyhFECBRkHHAGBBwEBAQ
Received: from umu-ex06.ad.umu.se (HELO mail.ad.umu.se) ([130.239.13.206]) by smtp5.umu.se with ESMTP; 13 Jan 2016 08:52:27 +0100
Received: from UMU-EX03.ad.umu.se (2002:82ef:dcb::82ef:dcb) by UMU-EX06.ad.umu.se (2002:82ef:dce::82ef:dce) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Wed, 13 Jan 2016 08:52:27 +0100
Received: from UMU-EX03.ad.umu.se ([fe80::708f:f02f:c850:d133]) by UMU-EX03.ad.umu.se ([fe80::708f:f02f:c850:d133%24]) with mapi id 15.00.1130.005; Wed, 13 Jan 2016 08:52:27 +0100
From: Roland Hedberg <roland.hedberg@umu.se>
To: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] Mix-Up About The Mix-Up Mitigation
Thread-Index: AQHRTddYbQlj7Sd67kSeSjTNrc+QQg==
Date: Wed, 13 Jan 2016 07:52:26 +0000
Message-ID: <DBB63270-5EF9-4F1A-84B6-BF2873EA2240@adm.umu.se>
References: <CA+k3eCSpWFwyvk=XHP4b_zxzu-zrMYsS-axF6csO90-ahmkueQ@mail.gmail.com> <BY2PR03MB4423033D5604E9E36B20C23F5CA0@BY2PR03MB442.namprd03.prod.outlook.com> <5CA9073D-BBF7-48BD-BEC5-1F626E8C3818@mit.edu> <8EB68572-DA59-482D-A660-FA6D9848AAD2@oracle.com>
In-Reply-To: <8EB68572-DA59-482D-A660-FA6D9848AAD2@oracle.com>
Accept-Language: en-US, sv-SE
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-pgp-agent: GPGMail 2.5.2
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.239.200.165]
Content-Type: multipart/signed; boundary="Apple-Mail=_A44ECF01-67F5-493C-86B1-474262DFF6D2"; protocol="application/pgp-signature"; micalg="pgp-sha256"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ev0lsj0lysHAx4jaVPGnCDsY8WU>
X-Mailman-Approved-At: Wed, 20 Jan 2016 10:18:56 -0800
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Mix-Up About The Mix-Up Mitigation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2016 07:52:34 -0000

And I agree with Phil’s agreement with Brian :-)

I should also add that I during the last part of the meeting and on my flight home afterwards implemented the techniques I felt we had come to an agreement on at the meeting. That is the new authorization request response parameters iss and client_id as well as the use of state_hash at the token endpoint.

> 13 jan 2016 kl. 05:31 skrev Phil Hunt (IDM) <phil.hunt@oracle.com>:
> 
> I am in agreement with Brian.
> 
> I understand what Mike is trying to do is safer, but I too am concerned that the escalation in knowledge/skills for oauth clients is significant.
> 
> This may not be the same concern as for OIDC where we can expect more sophistication.
> 
> Phil
> 
> On Jan 12, 2016, at 20:03, Justin Richer <jricher@mit.edu> wrote:
> 
>> +1 to Brian’s point, and points to Mike for promising to address this. I wasn’t able to attend the meeting in Darmstadt, but I’ve been following the discussion and original papers. Let’s take this one piece at a time and not overreach with a solution.
>> 
>> In particular, the whole “late binding discovery” bit would cause huge problems on its own. There’s good reason that OpenID Connect mandates that the “iss” value returned from the discovery endpoint MUST be the same as the “iss” value coming back from the ID Token, so let’s not ignore that.
>> 
>>  — Justin
>> 
>>> On Jan 12, 2016, at 5:53 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>>> 
>>> John Bradley and I went over this today and I'm already planning on simplifying the draft along the lines described. I would have written this earlier but I've been busy at a NIST meeting today.
>>> 
>>> John has also stated writing a note about how cut-and-paste does and doesn't apply here but hasn't finished it yet because he's been similarly occupied.  He's also started writing up the state_hash token request parameter, as he agreed to do.
>>> 
>>> Watch this space for the new draft...
>>> 
>>> Best wishes,
>>> -- Mike
>>> From: Brian Campbell
>>> Sent: ‎1/‎12/‎2016 5:24 PM
>>> To: oauth
>>> Subject: [OAUTH-WG] Mix-Up About The Mix-Up Mitigation
>>> 
>>> The "IdP Mix-Up" and "Malicious Endpoint" attacks (as well as variations on them) take advantage of the fact that there's nothing in the OAuth authorization response to the client's redirect_uri that identifies the authorization server. As a result, a variety of techniques can be used to trick the client into sending the code (or token in some cases) to the wrong endpoint.
>>> 
>>> To the best of my recollection the general consensus coming out of the meetings in Darmstadt (which Hannes mentioned in OAuth Security Advisory: Authorization Server Mix-Up) was to put forth an I-D as a simple extension to OAuth, which described how to return an issuer identifier for the authorization server and client identifier as authorization response parameters from the authorization endpoint. Doing so enables the client to know which AS the response came from and thus avoid sending the code to a different AS. Also, it doesn't introduce application/message level cryptography requirements on client implementations.
>>> 
>>> The mitigation draft that was posted yesterday diverges considerably from that with a significantly expanded scope that introduces OpenID Connect ID Tokens (sort of anyway) to regular OAuth and the retrieval of a metadata/discovery document in-between the authorization request and the access token request.
>>> 
>>> It is possible that my recollection from Darmstadt is wrong. But I expect others who were there could corroborate my account of what transpired. Of course, the agreements out of the Darmstadt meeting were never intended to be the final word - the whole WG would have the opportunity to weigh, as is now the case. However, a goal of meeting face-to-face was to come away with a good consensus towards a proposed solution that could (hopefully) be implementable in the very near term and move thought the IETF process in an expedited manner. I believe we'd reached consensus but the content of -00 draft does not reflect it.
>>> 
>>> I've made the plea off-list several times to simplify the draft to reflect the simple solution and now I'm doing the same on-list. Simplify the response validation to just say not to send the code/token back to an AS entity other that the one identified by the 'iss' in the response. And remove the id_token and JWT parts that .
>>> 
>>> If this WG and/or the larger community believes that OAuth needs signed responses, let's develop a proper singed response mechanism. I don't know if it's needed or not but I do know that it's a decent chunk of work that should be conscientiously undertaken independent of what can and should be a simple to understand and implement fix for the idp mix-up problem.
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth