IETF Logo Mail Archive

Re: [OAUTH-WG] [Technical Errata Reported] RFC6749 (3880)

John Bradley <ve7jtb@ve7jtb.com> Tue, 04 February 2014 20:23 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32A4A1A01F8 for <oauth@ietfa.amsl.com>; Tue, 4 Feb 2014 12:23:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d6COMCdLFq1g for <oauth@ietfa.amsl.com>; Tue, 4 Feb 2014 12:23:11 -0800 (PST)
Received: from mail-qc0-f182.google.com (mail-qc0-f182.google.com [209.85.216.182]) by ietfa.amsl.com (Postfix) with ESMTP id 18B7F1A016D for <oauth@ietf.org>; Tue, 4 Feb 2014 12:23:10 -0800 (PST)
Received: by mail-qc0-f182.google.com with SMTP id c9so14459712qcz.41 for <oauth@ietf.org>; Tue, 04 Feb 2014 12:23:10 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=xpZDx7NlRScLCtsZd7YwfroRZC/JOZyhEsuh4mP9WDY=; b=a/PqdrMwbIcy38udd3/H5INQ/7ZA5HWMqZAseNcgbzC2Yp3YbJp+deQnjSHDYXktic jUxMYrHN72yxgy62BdjHsNK3xYDN+MinvIytj3r3GuKgYwt/cSLdCICU+A3bbLxJzC79 bLnMuxeii5bVSUIBWVY3ZAJmgVTO5Om9p8dp6XHqul04XG4FITJNhMN8Yp9yIVJ3zQxB HihTMzfV6LpYJphiSlthjrhCmpQM/SXg5TwQx4MpmC0GtQiYKjaUfAmXcFV/mp2X+oFz b/MUV0WXebh+rRzmyQVuMqpfVmNZxE+ajWT3xGpv7RzlfmBEZQHIAkrGEYhdkUCnhsSe hB5A==
X-Gm-Message-State: ALoCoQn/92+fjJmmhPM+cIphDFTXKEdGJbz59XyjBM7t/ThO+4t9HT8v19ZaKCXGMUOqxpTP8hgh
X-Received: by 10.224.88.70 with SMTP id z6mr70016212qal.14.1391545390185; Tue, 04 Feb 2014 12:23:10 -0800 (PST)
Received: from [192.168.0.200] ([201.188.196.139]) by mx.google.com with ESMTPSA id u4sm69937105qai.21.2014.02.04.12.23.00 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 04 Feb 2014 12:23:09 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_041658BC-4950-4168-96AF-EBE03433BCF2"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <52F1368D.9040106@oracle.com>
Date: Tue, 04 Feb 2014 17:22:48 -0300
Message-Id: <76932D08-5599-4A45-A2F3-50476D865A17@ve7jtb.com>
References: <20140204161338.9A4007FC168@rfc-editor.org> <9B180E22-D31A-48A7-A233-8F3DA05ABF71@ve7jtb.com> <52F1368D.9040106@oracle.com>
To: Prateek Mishra <prateek.mishra@oracle.com>
X-Mailer: Apple Mail (2.1827)
Cc: eriksencosta@gmail.com, oauth <oauth@ietf.org>, Derek Atkins <derek@ihtfp.com>, Sean Turner <turners@ieca.com>, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC6749 (3880)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Feb 2014 20:23:15 -0000

It is true that a AS cannot tell what instance of a native client it is issuing a token to via the redirect URI.

10.16 is only talking about an attack on the client based on a lack of audience information. 

If there is a security consideration around AS differentiating between instances of public clients that should be documented separately.
It might be possible using dynamic registration to give each instance of a client a separate client_id but I don't think that is manageable if the AS needs to maintain state for each client_id.

Depending on the threat we are trying to mitigate using the forthcoming Proof of Possession spec to bind tokens to specific client instances may be a solution.

I think the issues need to be kept separate.

John B.


On Feb 4, 2014, at 3:50 PM, Prateek Mishra <prateek.mishra@oracle.com> wrote:

> Well, the proposed correction does point to a genuine security hazard
> 
> Specifically, when client instances share the same re-direct URI, typically mobile clients
> 
> this is independent of whether implicit or code flows are used
> 
> It is only injective clients - each of whose instances bind to unique redirect URLs - that can support discriminative Az servers
> 
> So I would re-phrase the proposed text as:
> 
> [quote]
> For public, non-injective clients, this specification does not
> provide any method for the authorization server to determine what
> client an access token was issued to.
> [\quote]
> 
> - prateek
> 
> 
>> The text in 10.16 is correct.
>> 
>> This is a security consideration that has caused serious problems for Facebook and other implementers.
>> 
>> In the Implicit flow there is no way for a client to know if a access token was issued to it or another client.
>> 
>> The UA presenting the access token in an implicit flow may be the resource owner but may also be any other client that has ever received an access token for the resource.
>> 
>> In the implicit flow the Authorization server knows what client it has issued a access token to via the registered redirect URI.
>> 
>> The change doesn't reflect the intent of the security consideration.
>> 
>> John B.
>> 
>> 
>> On Feb 4, 2014, at 1:13 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>> 
>>> The following errata report has been submitted for RFC6749,
>>> "The OAuth 2.0 Authorization Framework".
>>> 
>>> --------------------------------------
>>> You may review the report below and at:
>>> http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=3880
>>> 
>>> --------------------------------------
>>> Type: Technical
>>> Reported by: Eriksen Costa <eriksencosta@gmail.com>
>>> 
>>> Section: 10.16
>>> 
>>> Original Text
>>> -------------
>>> For public clients using implicit flows, this specification does not
>>> provide any method for the client to determine what client an access
>>> token was issued to.
>>> 
>>> Corrected Text
>>> --------------
>>> For public clients using implicit flows, this specification does not
>>> provide any method for the authorization server to determine what
>>> client an access token was issued to.
>>> 
>>> Notes
>>> -----
>>> A client can only know about tokens issued to it and not for other clients.
>>> 
>>> Instructions:
>>> -------------
>>> This errata is currently posted as "Reported". If necessary, please
>>> use "Reply All" to discuss whether it should be verified or
>>> rejected. When a decision is reached, the verifying party (IESG)
>>> can log in to change the status and edit the report, if necessary. 
>>> 
>>> --------------------------------------
>>> RFC6749 (draft-ietf-oauth-v2-31)
>>> --------------------------------------
>>> Title               : The OAuth 2.0 Authorization Framework
>>> Publication Date    : October 2012
>>> Author(s)           : D. Hardt, Ed.
>>> Category            : PROPOSED STANDARD
>>> Source              : Web Authorization Protocol
>>> Area                : Security
>>> Stream              : IETF
>>> Verifying Party     : IESG
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email