Re: [OAUTH-WG] OAuth services/libraries wanted for security evaluation...

Pieter Philippaerts <pieter.philippaerts@kuleuven.be> Mon, 22 June 2020 15:01 UTC

From: Pieter Philippaerts <pieter.philippaerts@kuleuven.be>
To: Aaron Parecki <aaron@parecki.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 22 Jun 2020 15:01:24 +0000
Message-ID: <1592838083725.90090@kuleuven.be>
References: <1592833863766.52147@kuleuven.be>, <CAGBSGjqS9Ai3Ex_0dRBQQe7F6Y3roqD+ex=S9sST0e5diZNoNA@mail.gmail.com>
In-Reply-To: <CAGBSGjqS9Ai3Ex_0dRBQQe7F6Y3roqD+ex=S9sST0e5diZNoNA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/iDbR1fNhw2EqeK4g9DgWk5705o8>
Subject: Re: [OAUTH-WG] OAuth services/libraries wanted for security evaluation...

Hello Aaron,

> * Whether an AS token endpoint rejects a request that contains a PKCE code_verifier if the authorization code was issued with no code_challenge present

This is indeed one of the test cases. Out of the small set of 15 sites I have currently tested (major providers - think Google, Microsoft, Facebook, ...), the results are the following:
 - 7 sites do not implement PKCE (they ignore the parameters altogether)
 - 3 sites have PKCE support but do not detect the downgrade
 - 3 sites have PKCE support and detect the downgrade
 - 2 sites do not use the authorization code grant


> * Whether an OIDC client uses PKCE
> * Whether an OIDC client that does not use PKCE properly checks the nonce value (for all response types)

I should have been more specific in my first email: the test suite tests server implementations, not client implementations. The framework is basically a (malicious) client. I've thought about testing clients, but it seems much harder. A number of the client security guidelines are difficult to test (e.g. "the client secret should be stored securely"), and the testing procedure will likely not support a high degree of automation. But it is something I'm interested in investigating further in a follow-up project.

Regards,

Pieter
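To make the downgrade test case concrete, the following is an added Python illustration (not code from this thread, from Pieter's test suite, or from any of the providers mentioned): a toy authorization server that records the PKCE code_challenge bound to each authorization code and enforces it at the token endpoint. The `AuthorizationServer` class, its in-memory code store and the `client-a` client id are constructed for the example; the verifier/challenge pair used in `run_scenarios` is the one from RFC 7636 Appendix B. The scenario list goes slightly beyond the single case in the thread: besides the downgrade (no challenge bound, verifier presented), it also exercises a wrong verifier, a missing verifier and code replay.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional

# RFC 7636 section 4.1: a code_verifier is 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical in-memory AS: binds the PKCE challenge to the code it issues
    and enforces that binding when the code is redeemed."""

    def __init__(self) -> None:
        self._codes: Dict[str, dict] = {}

    def authorize(self, client_id: str, code_challenge: Optional[str] = None,
                  code_challenge_method: Optional[str] = None) -> str:
        """Authorization endpoint (constructed): issue a code and remember what was bound to it."""
        method = None
        if code_challenge is not None:
            method = code_challenge_method or "plain"  # RFC 7636 4.3: default method is plain
            if method not in ("S256", "plain"):
                raise ValueError("invalid_request: unsupported code_challenge_method")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "challenge": code_challenge,
                             "method": method, "used": False}
        return code

    def token(self, client_id: str, code: str, code_verifier: Optional[str] = None) -> dict:
        """Token endpoint: the PKCE checks, including the downgrade case from the thread."""
        rec = self._codes.get(code)
        if rec is None or rec["used"] or rec["client_id"] != client_id:
            return {"error": "invalid_grant", "reason": "unknown, replayed or foreign code"}
        rec["used"] = True  # a code is single use, whatever happens next

        if rec["challenge"] is None:
            # No code_challenge was bound to this code. A code_verifier now means the
            # authorization request the client believes it made is not the one the AS saw
            # (PKCE downgrade): reject instead of silently ignoring the parameter.
            if code_verifier is not None:
                return {"error": "invalid_grant", "reason": "code_verifier without bound code_challenge"}
            return self._issue()

        if code_verifier is None:
            return {"error": "invalid_grant", "reason": "code_verifier required"}
        if not _VERIFIER_RE.fullmatch(code_verifier):
            return {"error": "invalid_request", "reason": "malformed code_verifier"}

        presented = s256_challenge(code_verifier) if rec["method"] == "S256" else code_verifier
        if not hmac.compare_digest(presented, rec["challenge"]):
            return {"error": "invalid_grant", "reason": "code_verifier does not match"}
        return self._issue()

    @staticmethod
    def _issue() -> dict:
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def run_scenarios() -> dict:
    """Drive the toy endpoints through the cases a conformance test would check."""
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"  # RFC 7636 Appendix B value
    as_ = AuthorizationServer()
    out = {}

    code = as_.authorize("client-a", s256_challenge(verifier), "S256")
    out["s256_ok"] = "access_token" in as_.token("client-a", code, verifier)

    code = as_.authorize("client-a", s256_challenge(verifier), "S256")
    out["wrong_verifier"] = as_.token("client-a", code, verifier[::-1])["error"]

    code = as_.authorize("client-a", s256_challenge(verifier), "S256")
    out["verifier_missing"] = as_.token("client-a", code)["error"]

    # The thread's case: no code_challenge at authorization, a verifier at the token request.
    code = as_.authorize("client-a")
    out["downgrade"] = as_.token("client-a", code, verifier)["error"]

    code = as_.authorize("client-a", s256_challenge(verifier), "S256")
    as_.token("client-a", code, verifier)
    out["replay"] = as_.token("client-a", code, verifier)["error"]
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

An AS that "ignores the parameters altogether" would take the `rec["challenge"] is None` branch and issue a token regardless of `code_verifier`; the extra `if code_verifier is not None` rejection is exactly what separates the "detect the downgrade" group from the "PKCE support but no detection" group in the figures above.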

________________________________
From: Aaron Parecki <aaron@parecki.com>
Sent: Monday, June 22, 2020 16:03
To: Pieter Philippaerts
Subject: Re: [OAUTH-WG] OAuth services/libraries wanted for security evaluation...

Hi Pieter,

This sounds like a great project!

Can you make sure to test these things, I would be very curious to see the result and it will help inform some of the future work in the Security BCP and OAuth 2.1.

* Whether an AS token endpoint rejects a request that contains a PKCE code_verifier if the authorization code was issued with no code_challenge present
* Whether an OIDC client uses PKCE
* Whether an OIDC client that does not use PKCE properly checks the nonce value (for all response types)

Thank you!

---
Aaron Parecki
https://aaronparecki.com


On Mon, Jun 22, 2020 at 6:51 AM Pieter Philippaerts <pieter.philippaerts@kuleuven.be> wrote:
Hello everyone,

As part of a research project, I've created a test suite to test OAuth 2.0 implementations and measure how well they implement the various MAY/SHOULD/MUST security recommendations in the OAuth standards. (It also includes test cases for the OIDC and FAPI RO/RW recommendations.) The tool is practically finished and will be made available to the public in a few months.

I'm currently working on a security analysis of the OAuth2 ecosystem (i.e. I'm using the tool to test various OAuth/OIDC implementations) and I'm still looking for more candidates to test. If you are the author of an OAuth library or if you are running an OAuth service, feel free to contact me to get involved. Apart from my gratitude, I can offer you a free security audit of your product :-)

Regards,
Pieter

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth