IETF Logo Mail Archive

Re: [OAUTH-WG] Securing APIs with OAuth 2.0

Sergey Beryozkin <sberyozkin@gmail.com> Mon, 05 March 2012 17:35 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D66A21F87BD for <oauth@ietfa.amsl.com>; Mon, 5 Mar 2012 09:35:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LGoUExb5s1Ms for <oauth@ietfa.amsl.com>; Mon, 5 Mar 2012 09:35:21 -0800 (PST)
Received: from mail-bk0-f44.google.com (mail-bk0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id C77BD21F8770 for <oauth@ietf.org>; Mon, 5 Mar 2012 09:35:20 -0800 (PST)
Received: by bkuw5 with SMTP id w5so4001533bku.31 for <oauth@ietf.org>; Mon, 05 Mar 2012 09:35:19 -0800 (PST)
Received-SPF: pass (google.com: domain of sberyozkin@gmail.com designates 10.204.173.11 as permitted sender) client-ip=10.204.173.11;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of sberyozkin@gmail.com designates 10.204.173.11 as permitted sender) smtp.mail=sberyozkin@gmail.com; dkim=pass header.i=sberyozkin@gmail.com
Received: from mr.google.com ([10.204.173.11]) by 10.204.173.11 with SMTP id n11mr11087134bkz.120.1330968919976 (num_hops = 1); Mon, 05 Mar 2012 09:35:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=qG1I6gKJuVm6SLC7hjfhcz3BB9UbpAIpoRmme/JkdqQ=; b=GEaeo2Bpzrm/J2qL7MG7XxSgiVHcp7WiMFihGzK64CnsDpzfJ7RYvr0LfoO61tf6nN V8cBStsqznssyqvMMU9di9YCD12cYhNwcGhp+/dG6pxHLo9rO4B2w41AJgS0QXyUiCJO eo6YQ6O0AcvG4mEifH0htqXhIWW1zH3aaE9YplAeFc70vnJ81ybRMcTnZ2cumx1pLqsP 4WGA/7VYfkUEVYeo5geEtKbvSjEQmr+e7KXwmIEN1LuRMAI54beaXH3OeSIWPup9l1aR QL6VU8SKTmjQIdpXCyoZ30/FvzXzVnYC0VLl1IW6UySZLRSGfXKbdGz7V/OCRBiKXtnM 697A==
MIME-Version: 1.0
Received: by 10.204.173.11 with SMTP id n11mr8767057bkz.120.1330968919784; Mon, 05 Mar 2012 09:35:19 -0800 (PST)
Received: by 10.204.175.141 with HTTP; Mon, 5 Mar 2012 09:35:19 -0800 (PST)
In-Reply-To: <4F54CA3A.8020502@mitre.org>
References: <B691F720-809F-4A9E-8C8E-6BF98EE68F07@appmuscle.com> <OF00AD6E13.25AA51DD-ON4A2579B4.00101F47-882579B4.00106E50@au1.ibm.com> <CAEwGkqD-1AkQHv47XVpA31NiQ2uTrTvptS0Pp0NqnL9LkvTcZw@mail.gmail.com> <4F54ABDB.1050702@gmail.com> <4F54CA3A.8020502@mitre.org>
Date: Mon, 05 Mar 2012 17:35:19 +0000
Message-ID: <CAOtGrG+5BM_JnsUUTxDJj7whfjXu3qo5Yg_zsA3ssfo+L8HH7w@mail.gmail.com>
From: Sergey Beryozkin <sberyozkin@gmail.com>
To: Justin Richer <jricher@mitre.org>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Securing APIs with OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Mar 2012 17:35:22 -0000

On 05/03/12 14:14, Justin Richer wrote:
>
>>>
>>> Shane is right; the way you described your problem, the client
>>> credential grant type may be appropriate. That's especially true if
>>> the client will be accessing resources that don't necessarily belong
>>> to specific users. But if the client (web site) will be using the API
>>> (OAuth auth/resource server) to access user-specific resources, then
>>> the authorization code grant type is a better fit. It doesn't matter
>>> that the OAuth server trusts the client without needing user
>>> authorization.
>>>
>>> The authorization code flow offers a solution for user identification
>>> that is absent in the client credential flow. In other words, even
>>> though the OAuth server trusts the client and will comply with all API
>>> requests, how is the client x supposed to identify a user so it can
>>> request the right resource from the resource server?
>>>
>>> By using an authorization code grant, the client can acquire an access
>>> token that is bound to a specific user. This is makes the
>>> authorization code flow suitable for single sign-on implementations,
>>> whereas the client credential flow is not appropriate for user
>>> authentication.
>>>
>>> Don't worry about the fact that the client does not need to be
>>> authorized by the user. You can still use the authorization code flow,
>>> and the authorization server will not need to prompt the user for
>>> authorization because you will have pre-authorized the client for all
>>> users.
>>>
>>
>> Can the authorization server return a (pre-authorized) token
>> immediately in this case, despite the fact the client is specifying
>> "response_type=code" ?
> No -- the server MUST return an authorization code, even if there is no
> interaction beyond the user logging in (which may be SSO and therefore
> "invisible" to users). This code is bound to the user session and the
> client ID, and it needs to be presented in the back channel with the
> client's ID and secret, away from the user session. These two steps are
> what close the client-server-user triangle in a secure way so that no
> party knows more than they really need to. The Client Credentials flow
> and the Implicit flow collapse this triangle into a line in two
> different ways, both for different use cases and both have their
> tradeoffs. So if you want to get an access token from the authz endpoint
> directly, you use the implicit flow. It puts all of the weight onto the
> user agent, which sounds like the opposite of what you actually want to
> do here.

OK

>
>> If the authorization code, to be exchanged later for this token, has
>> to be returned, how reasonable is it to expect that the authorization
>> code will be bound to the pre-authorized access token (example, the
>> access token's key/id will be returned as the authorization code) ?
>>
>> I suspect it may not be a good idea given the spec is saying the
>> authorization code should be short-lived, thus the codes and actual
>> tokens will have different life-cycles, however the fact the end user
>> has pre-authorized the client adds some uncertainty to it...
>
> Again, no -- the code shouldn't have anything in it that ties it to the
> access token directly. If it did, then anybody intercepting just the
> code on the wire could guess the access token, which would make the auth
> code a pointless abstraction. The best way to deploy the authz code is
> to have a short, random, opaque blob that is one-time use and expires
> after a set amount of time, probably fairly short (on the order of
> minutes in most cases). Think of it as a one-time-password that is
> generated for the resource owner to give to the client on their behalf.
> Since it's a credential known to both the user agent and the client, you
> really, really don't want it to be copied from any other part of the flow.
>

OK.

Thanks for the explanations so far. It's very helpful.

I'm prototyping the framework support for OAuth 2.0 and at this stage
I'm trying to figure out what exactly the runtime itself can do and what
has to be delegated to the custom code and thus how to design the api
the runtime and the custom code will use to communicate with each other.

Let me ask one more question, sorry if it's a silly one :-)

So suppose a given client has been pre-authorized by the end user.
Next, the client can get the pre-authorized token via the authorization
code flow or the implicit code flow (ignoring the client_credentials one
for the moment).

Does it make sense to restrict which flow a given pre-authorized token
can 'work' with ? Example, enforce that the pre-authorized token can
only be issued to the clients initiating an authorization code flow but
not to those trying an implicit one, or vice versa ?

The reason I ask is that I'm thinking that the entity representing an
access token should have a property indicating which grant type was used
for this token being created in the first place. So if such a token
were to represent the user pre-authorizing the client
and then eventually given to a client via the authorization code or
implicit code flow, then this token would actually need to
be cloned each time for a specific grant type property be set, and
this does not look optimal...

Cheers, Sergey


> -- Justin
>
>
>> thanks, Sergey
>>
>>> As an added bonus, this sets you up perfectly for when you add new
>>> clients which are not pre-authorized and need user authorization.
>>>
>>> I hope that helps.
>>>
>>> Regards,
>>> Andre DeMarre
>>>
>>> On Wed, Feb 29, 2012 at 6:59 PM, Shane B Weeden<sweeden@au1.ibm.com>
>>> wrote:
>>>> 1. Yes, client credentials sounds right for what you described.
>>>> Think of it
>>>> as lightweight b2b authentication in that sense (but two steps - one
>>>> to get
>>>> a token, and another to use it).
>>>> 2. Can't help you with source - but do have a product-based solution :)
>>>> 3. Absolutely it should for the resource server, but the answer may
>>>> depend
>>>> have same dependency on the implementation you use.
>>>>
>>>> Regards,
>>>> Shane.
>>>>
>>>>
>>>>
>>>> From: Pete Clark<pete@appmuscle.com>
>>>> To: "oauth@ietf.org"<oauth@ietf.org>
>>>> Date: 29/02/2012 06:50 PM
>>>> Subject: [OAUTH-WG] Securing APIs with OAuth 2.0
>>>> Sent by: oauth-bounces@ietf.org
>>>>
>>>>
>>>>
>>>> Hey all, I've joined the list because I'd like to use OAuth 2 to
>>>> implement
>>>> security for a new set of REST APIs I'm developing for a client. I'm
>>>> coding with PHP, but my questions are more general. Right now, there
>>>> will
>>>> be only one web site that uses the APIs, in a server-to-server
>>>> fashion, and
>>>> currently we don't have a need for a third party application to gain
>>>> access
>>>> to user data, such that a user would need to authorize that app. We do,
>>>> however, want to have that ability down the road. My question is, can I
>>>> still use OAuth 2 in some way to implement our first phase? From
>>>> what I've
>>>> read, it seems like the "client credentials" flow is the one I want
>>>> to use
>>>> for now. Can someone:
>>>>
>>>> 1) Confirm that that's what I should use for this first phase?
>>>> 2) Point me to an implementation of this flow (in any language) that I
>>>> could use or port to PHP? I've found some libraries for php but can't
>>>> really tell, being new, if they offer the "client credentials" flow
>>>> 3) Answer one more question.. Will using the client credentials flow
>>>> now
>>>> allow me to move to one of the user-authorizes-external-app flows
>>>> down the
>>>> road without having to reimplement or throw away the client credentials
>>>> flow code?
>>>>
>>>> I apologize for all the questions, but these would really help point
>>>> me in
>>>> the right direction.. Thank you for reading!
>>>>
>>>> Sincerely,
>>>> Pete
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email