IETF Logo Mail Archive

Re: [OAUTH-WG] Use cases for Audience Restricted tokens + AS and RS "discovery"

Phil Hunt <phil.hunt@oracle.com> Fri, 18 March 2016 23:19 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C7D712D55D for <oauth@ietfa.amsl.com>; Fri, 18 Mar 2016 16:19:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D-rpjF94Buns for <oauth@ietfa.amsl.com>; Fri, 18 Mar 2016 16:19:20 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2A3F12D51B for <oauth@ietf.org>; Fri, 18 Mar 2016 16:19:19 -0700 (PDT)
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u2INJI67030721 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 18 Mar 2016 23:19:19 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0021.oracle.com (8.13.8/8.13.8) with ESMTP id u2INJIKK021754 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Fri, 18 Mar 2016 23:19:18 GMT
Received: from abhmp0019.oracle.com (abhmp0019.oracle.com [141.146.116.25]) by aserv0122.oracle.com (8.13.8/8.13.8) with ESMTP id u2INJAnl021824; Fri, 18 Mar 2016 23:19:16 GMT
Received: from [10.0.1.20] (/24.86.216.17) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 18 Mar 2016 16:19:05 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail=_6988764A-8FC5-40A3-ACEF-923EC22333CE"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <DA183442-992A-4166-843D-32EFA58D9C11@ve7jtb.com>
Date: Fri, 18 Mar 2016 16:19:03 -0700
Message-Id: <6C87CFDA-FD24-4C85-8876-D60BE5EFB5F8@oracle.com>
References: <56EAEB54.8010208@aol.com> <CA+k3eCQ-C+MuAV__JnPMJqeKWMn=Qe2yGB06qzpet=xx1xGZ0g@mail.gmail.com> <B05D6061-BB5A-4593-B77A-9FF84AFE16F6@oracle.com> <CA+k3eCR+NDPqrnjGEZbKiuN-FZX730ubnUruk3=YyG6amN=6Vg@mail.gmail.com> <20024B1B-7EC0-4354-A173-94F9F58AE1A3@oracle.com> <DA183442-992A-4166-843D-32EFA58D9C11@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.3112)
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/jJ8Ld2e2L8S7Uc2arZoHGBgnuN8>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Use cases for Audience Restricted tokens + AS and RS "discovery"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Mar 2016 23:19:23 -0000

John,

I haven’t changed my mind. But I now think we’ve come away with a different understanding of the threats.

I recall that we agreed that “iss” and “client_id” are for mitigating mix-up, by allowing a client to figure out what token endpoint a grant is for.  There is nothing that helps a client to determine that the token endpoint it is about to use is valid.  IOW. The client could have the correct “iss” and “client_id” from the AS authorization endpoint, but it thinks it is supposed to pass the grant to token.evil.com instead of token.example.com to redeem it.

Phil

@independentid
www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>





> On Mar 18, 2016, at 4:01 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> 
> The Mitigation we agreed on for the bad token endpoint is returning the issuer and client_id form the authorization endpoint.
> 
> Phil are you saying that you no longer agree with that? 
> 
> The question that was unresolved was how the client would get a bad resource URI, and what the correct mitigation is if any.
> 
> John B.
> 
> 
>> On Mar 18, 2016, at 7:52 PM, Phil Hunt <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote:
>> 
>> By convincing the client to use a bad URL.  That’s kinda why we’re worried about bad discovery no?
>> 
>> Depending on the type of client authentication, the client will establish a valid connection to the hacker’s proxy which then replays the token request to the real endpoint.  The hacker now has the token.
>> 
>> Same thing for the resource endpoint - except worse. The hacker doesn’t need the token as they now see the payload.
>> 
>> Phil
>> 
>> @independentid
>> www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>> 
>> 
>> 
>> 
>> 
>>> On Mar 18, 2016, at 3:38 PM, Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
>>> 
>>> How does one Mitm the token endpoint?
>>> 
>>> On Fri, Mar 18, 2016 at 4:27 PM, Phil Hunt (IDM) <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote:
>>> There are two variations. 
>>> 
>>> Mitm the token endpoint is different then working one legit token endpoint against another thru redirect and state misdirection. 
>>> 
>>> In the mitm version you don't need multiple AS's.
>>> 
>>> Phil
>>> 
>>> On Mar 18, 2016, at 15:04, Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
>>> 
>>>> The "a. wrong AS /token endpoint" is the mix-up issue, which can be mitigated by returning an identifier for the AS in the authorization response. It is something that needs to be addressed but "discovery" or metadata aren't needed and audience restricted access tokens tokens don't help.
>>>> 
>>>> Maybe that's obvious but there seems to be a lot of confusion on all this so I wanted to reiterate it.
>>>> 
>>>> On Thu, Mar 17, 2016 at 11:37 AM, George Fletcher <gffletch@aol.com <mailto:gffletch@aol.com>> wrote:
>>>> Goals:
>>>> 
>>>> 1. Help the client not send a token to the "wrong" endpoint
>>>>    a. wrong AS /token endpoint
>>>>    b. evil RS endpoint(s)
>>>> 2. Allow good RS to determine if the token being validated was intended for that RS
>>>> 
>>>> Other high-level goals?
>>>> 
>>>> Use cases:
>>>> 
>>>> 1. RS that supports multiple AS (we've had this in production since 2011)
>>>> 2. RS rejects token not issued for use at the RS
>>>> 3. Client that dynamically supports new RS (say any client that supports the jabber API)
>>>> 4. Client that dynamically supports new AS
>>>> 
>>>> Feel free to add to the list :)
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email