Re: [OAUTH-WG] OAuth services/libraries wanted for security evaluation...

Garret Fick <garret@ficksworkshop.com> Mon, 22 June 2020 14:52 UTC

From: Garret Fick <garret@ficksworkshop.com>
To: "oauth@ietf.org" <oauth@ietf.org>, Pieter Philippaerts <pieter.philippaerts@kuleuven.be>
Date: Mon, 22 Jun 2020 14:52:05 +0000
Message-ID: <MN2PR18MB344554A4ECFD677AC0CD7EF1AB970@MN2PR18MB3445.namprd18.prod.outlook.com>
References: <1592833863766.52147@kuleuven.be>
In-Reply-To: <1592833863766.52147@kuleuven.be>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jD2YHQnrAwj9KBBhyX_Wsk9XTY4>
Subject: Re: [OAUTH-WG] OAuth services/libraries wanted for security evaluation...

Hi Pieter,

I am responsible for a very large private OAuth2 and OIDC implementation. I would be highly interested in learning more about your tool if it is available as code.

Garret
________________________________
From: OAuth <oauth-bounces@ietf.org> on behalf of Pieter Philippaerts <pieter.philippaerts@kuleuven.be>
Sent: Monday, June 22, 2020 9:51:04 AM
To: oauth@ietf.org <oauth@ietf.org>
Subject: [OAUTH-WG] OAuth services/libraries wanted for security evaluation...

Hello everyone,

As part of a research project, I've created a test suite to test OAuth 2.0 implementations and measure how well they implement the various MAY/SHOULD/MUST security recommendations in the OAuth standards. (It also includes test cases for the OIDC and FAPI RO/RW recommendations.) The tool is practically finished and will be made available to the public in a few months.

I'm currently working on a security analysis of the OAuth2 ecosystem (i.e. I'm using the tool to test various OAuth/OIDC implementations) and I'm still looking for more candidates to test. If you are the author of an OAuth library or if you are running an OAuth service, feel free to contact me to get involved. Apart from my gratitude, I can offer you a free security audit of your product :-)

Regards,
Pieter