Re: [OAUTH-WG] specification of authorization code properties

Torsten Lodderstedt <> Thu, 30 September 2010 07:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A450E3A6E32 for <>; Thu, 30 Sep 2010 00:17:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.757
X-Spam-Status: No, score=-0.757 tagged_above=-999 required=5 tests=[AWL=0.096, BAYES_00=-2.599, HELO_EQ_DE=0.35, MIME_QP_LONG_LINE=1.396]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id n9xpi5w7aCk1 for <>; Thu, 30 Sep 2010 00:17:19 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 89E793A6DBD for <>; Thu, 30 Sep 2010 00:15:36 -0700 (PDT)
Received: from [] (helo=[]) by with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from <>) id 1P1DNL-0008G3-Hv; Thu, 30 Sep 2010 09:16:20 +0200
References: <90C41DD21FB7C64BB94121FBBC2E72343D460DB9A2@P3PW5EX1MB01.EX1.SECURESERVER.NET> <>
In-Reply-To: <>
Mime-Version: 1.0 (iPhone Mail 8B117)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="us-ascii"
Message-Id: <>
X-Mailer: iPhone Mail (8B117)
From: Torsten Lodderstedt <>
Date: Thu, 30 Sep 2010 09:15:32 +0200
X-Df-Sender: 141509
Cc: "OAuth WG (" <>
Subject: Re: [OAUTH-WG] specification of authorization code properties
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 30 Sep 2010 07:17:20 -0000

Thank you for your advice. The Oauth security considerations are not finished yet. They will handle the issues you raised, too. 


Am 30.09.2010 um 01:33 schrieb PRATEEK MISHRA <>:

> I read through v10 from the perspective of an implementor, and it seemed to me that properties of generated authorization code and its treatment by various entities need to be called out explicitly as a counter-measure against various simple attacks.
> I would also comment that the exchanges between the end-user, client and authorization endpoints, beginning with the issuance of an authorization code (in SAML 2.0 called a browser artifact) and terminating with the client obtaining an access token (in SAML 2.0 the RP obtaining a SAML assertion) essentially follow the SAML web browser artifact profile and are therefore open to all of the attacks that the SSTC considered for this protocol.
> 1) For example, given the current description it seems that perfectly reasonable for an end-user authorization endpoint to generate a sequence of increasing integers as an authorization code or always return a constant value for a request with a given (client_id, redirection_uri) pair of inputs. So this leads to the possibility of an adversary using some simple techniques to guess valid authorization codes and obtain an access token.
> 2) There is a need to articulate some of the minimum properties that an authorization code should possess. I understand that there is an attempt here to give maximum choice to implementors.
> For example, the SAML 2.0 artifact format description includes the following language -
> [quote]
> The MessageHandle value is constructed from a cryptographically strong random or
> pseudorandom number sequence [RFC1750] generated by the issuer. The sequence consists of
> values of at least 16 bytes in size.
> [\quote]
> 3) I am also puzzled by the discrepancy between the language used to describe the generation and use of an authorization code -
> [quote - generation - p.18]
> The authorization code
> SHOULD expire shortly after it is issued. The authorization
> server MUST invalidate the authorization code after a single
> usage. The authorization code is bound to the client
> identifier and redirection URI.
> [\quote]
> VS
> [quote - use - p.23]
> The authorization server MUST:
> o Validate the client credentials (if present) and ensure they match
> the authorization code.
> o Verify that the authorization code and redirection URI are all
> valid and match its stored association.
> [\quote]
> I dont understand how the authorization code is related to the client credentials, or what is meant by "valid" or the reference
> to "stored association". Is there an assumption that authorization server has a stateful table of (authorization code, client id, redirection uri) values?
> Shouldnt this test be limited to checking whether the authorization code is being used with the correct client identifier and redirection URI?
> _______________________________________________
> OAuth mailing list