IETF Logo Mail Archive

Re: [OAUTH-WG] User-Agent flow and refresh tokens

Kris Selden <kris.selden@gmail.com> Mon, 20 September 2010 19:29 UTC

Return-Path: <kris.selden@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5C4D73A63EC for <oauth@core3.amsl.com>; Mon, 20 Sep 2010 12:29:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.058
X-Spam-Level:
X-Spam-Status: No, score=-2.058 tagged_above=-999 required=5 tests=[AWL=0.542, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GHXE4fL5P9IC for <oauth@core3.amsl.com>; Mon, 20 Sep 2010 12:29:16 -0700 (PDT)
Received: from mail-px0-f172.google.com (mail-px0-f172.google.com [209.85.212.172]) by core3.amsl.com (Postfix) with ESMTP id D2B243A68AF for <oauth@ietf.org>; Mon, 20 Sep 2010 12:29:16 -0700 (PDT)
Received: by pxi6 with SMTP id 6so1909737pxi.31 for <oauth@ietf.org>; Mon, 20 Sep 2010 12:29:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:mime-version :content-type:from:in-reply-to:date:cc:content-transfer-encoding :message-id:references:to:x-mailer; bh=QvoKLW8MmdsOwki8YQEFyySuXvWQu6JKJ3sPmRo4TaM=; b=WDhUTPe0DAEPvAOf/mpDt01uuE+iqV2p6hWzdcmq/PDgdDGEnmme7G9eFugSkF/8R+ vQN12/0yOSUx4YkL22eFbBXR87Qc+JPBovNf6mqqKTponTOLb8imTKFdq66nAZTIhVXg wI/4ZXwHuQLMO5SlX3RlVUkNnpk+GufKJ16c8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; b=oRbw16Dza1IHZRMRy7U1ygK+vqtaapLl3E3NjsjenroQ6CsNZuvrfuFuYXd9wy7wVI UPlV2k80fe4ULDxU1JhNoT1Blap7M4l1K1XHO+tZBu9ZkHG2rSvMytLJJPnEdazO9F+I viaqYZFZmNbPffLRhOxkX7RX6S1bBUY9KN3fI=
Received: by 10.114.133.15 with SMTP id g15mr10652874wad.72.1285010980638; Mon, 20 Sep 2010 12:29:40 -0700 (PDT)
Received: from [10.210.5.162] (74-94-67-45-tacoma-wa.hfc.comcastbusiness.net [74.94.67.45]) by mx.google.com with ESMTPS id s5sm14031745wak.0.2010.09.20.12.29.38 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 20 Sep 2010 12:29:39 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset="windows-1252"
From: Kris Selden <kris.selden@gmail.com>
In-Reply-To: <4C96200C.6000301@lodderstedt.net>
Date: Mon, 20 Sep 2010 12:29:35 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <76AF4D58-6849-4F35-AB49-A71540668FFF@gmail.com>
References: <4C913EE3.90704@lodderstedt.net> <AANLkTikJGDUKCfiPiN_rAVXmbPF0SBN_sKNQFHw6-oqj@mail.gmail.com> <AANLkTime0dayBq1k+ee7xNp3pkBE2-Ltn-i=LNh0-XvB@mail.gmail.com> <E79EC3F0-30CA-41D3-ADB2-FFCBEE87B014@gmail.com> <4C96200C.6000301@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.1081)
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] User-Agent flow and refresh tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Sep 2010 19:29:18 -0000

What is dynamic client registration?

I think it will be common to naively to use the password grant in a client app (like on a phone) when the company making the app is the same as the company who controls the auth server.

The question is whether there is really anyway to know if that client app is indeed your own app and not something mimicking it.  How does a dynamic client registration prevent an untrusted client from performing the same registration steps as your trusted client if your trusted client can't protect any secrets in the first place?  In other words what would authenticate a client during the registration?

Seems to me, if you allow password grant type even on your own client (which I suspect is going to be commonly desired), you are allowing any client to pretend to be yours and use this grant type.

It is then up to the end user to trust the client.  In the other flows, your server at least has a chance to give the user feedback on what the server thinks the client they are registering is.

If you are implying dynamic registering of the client (unspecified) as involving the end user to provide trust, isn't that already part of other flows?

I still get the sense that client secrets probably don't belong on iPhone apps and I shouldn't be using the password grant type unless I'm ok with any client using it.

Though I would love to be able to use that flow on our own iPhone app (because there is some pressure for this and a lack of understanding why we can't trust it is our own app which I suspect will be common as well).


On Sep 19, 2010, at 7:37 AM, Torsten Lodderstedt wrote:

> Am 18.09.2010 01:28, schrieb Kris Selden:
>>> Secrets on native apps are good!  The key is (no pun intended) that the secret not ship with the app.  Each client should register for its own client_id and secret when it is installed on the client machine.
>> Maybe I'm missing something but...
>> 
>> If it has no credentials, why does sending it credentials after it has been installed, prove the client app is trusted?  Isn't an installed app without credentials, an untrusted app?  How do you know when you register the client that it is the app you think it is?
>> 
>> What can the client you want to register do that a client you don't want to register can't after install?
>> 
>> How would say an iPhone client that I download register?  Push notifications?  What if the end user hasn't enabled them? (I know a lot of people who turn them off) Also, if they've been hacked on a jailbroken phone (http://www.pushfix.info) are they really proving that the client is the client you think it is?
>> 
>> "The specification is very clear (as the article quotes) – don’t use client secrets in installed applications! The reason why the specification doesn’t say much more is because there is no solution. It does not exist for a distributed application unless you issue a different secret to each installation."
>> http://hueniverse.com/2010/09/all-this-twitter-oauth-security-nonsense/
>> 
>> Once the secret is installed isn't it still vulnerable after installation? Or is it because you can revoke the one abused secret (after detecting that it has been abused) without invalidating all the installed clients.
>> 
>> It seems like what would be ideal is if these mobile app marketplaces could install a unique client secret when an app is purchased. Otherwise I would think an untrusted app could just mimic a trusted app during registration.
> 
> that's a very interesting idea but it requires a strong trust relationship between app marketplace and authorization server.
> 
> In my opinion, client secrets dynamically issued by the OAuth authorization server might at most be a solution against session fixation attacks (cf. http://www.ietf.org/mail-archive/web/oauth/current/msg04358.html).
> 
> regards,
> Torsten.
> 
> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email