Re: [OAUTH-WG] oauth-meta: turi allows user to mislead app

John Bradley <> Thu, 28 January 2016 17:45 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 617E91A9005 for <>; Thu, 28 Jan 2016 09:45:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, J_CHICKENPOX_35=0.6, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oCUodkw7qPHk for <>; Thu, 28 Jan 2016 09:45:17 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c04::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6DD271A8FD6 for <>; Thu, 28 Jan 2016 09:45:17 -0800 (PST)
Received: by with SMTP id 6so45070803qgy.1 for <>; Thu, 28 Jan 2016 09:45:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=SKIHeY7V7zBazoWK/PE6oXUwShtQhSlyqOKOcnkD8ro=; b=xH0C+4NkG2Mcg4wzTQl9sF1/TJsP5RnFgu1VOG3n70OtHzZ/gMWUjk1TYjnerf1rvP z1XQvt3yBA4GnDaOfZZMQTADQPTLrYB1ZQ7UNYRkvH43remLQDnPnHKvcKgxomi/aD0i t4EjhUm3Vb8QV9JCQv3K2SzHV+9qb6bCiHkAJmDD9mR+7wTDJTEfjclm0Gzzhj3Jcr71 /tYZnNlhXfW1K3cqzNYEW72LOemcwMIynwIB7SuMmysJtaJAjF01fluQJrmJU4onfYaD xEQvxTanFsBIy8outRoejuvRgXtLUQzxOutO7D2wcQLyu6qsSV+XxECOlzBCLTxHFust p1mA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=SKIHeY7V7zBazoWK/PE6oXUwShtQhSlyqOKOcnkD8ro=; b=YjbC7xm/5+HSN9Z1qjsgU3m45KNLNjaUI2qsxjItOlcOkJxBYk6gCzjqaISuzJutOM tN/AcxFmoLwApKQvgr+PVHz/lwk0kG3v4JUoXgRljbi5cKSbFvVHfSgEG8BkLImRPXfm wDcks6ML0Pc1YJGSBJaoUSSCx2rQ/8fItwPUNAFPVPSLLbEcbNGYz6Lk7+vin0OT6Q8j 868bgK2oKNVXOV1nj165GWNcRMcwoIpSKLk71dJ1BXapcOMIHe9+6f3p2X8PHvd/c1v0 Bw9B/98TTwl1ZpkoOhHfuUtkUqfiTqfx4Shht4y6NHlKUX+hipIOhdW1UQ0juRh05bx3 //Zw==
X-Gm-Message-State: AG10YORi3XRcMZO9+BE7eTRhxgc5caomU8uYJkJ062qFoAuocMkS3tNe7hzgBnX68BW/eQ==
X-Received: by with SMTP id k76mr5586155qhc.87.1454003116415; Thu, 28 Jan 2016 09:45:16 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id r2sm4299453qki.17.2016. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 28 Jan 2016 09:45:15 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_55032834-A5F4-4CAB-94FE-890CF4FA3B6C"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <>
In-Reply-To: <>
Date: Thu, 28 Jan 2016 14:45:09 -0300
Message-Id: <>
References: <> <056601d15980$a996bfd0$fcc43f70$> <>
To: "Manger, James" <>
X-Mailer: Apple Mail (2.3112)
Archived-At: <>
Cc: "" <>
Subject: Re: [OAUTH-WG] oauth-meta: turi allows user to mislead app
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 28 Jan 2016 17:45:20 -0000

In Draft draft-jones-oauth-mix-up-mitigation-01 the iss in the response is compared to the iss that the request was made to, and if they are different it is an error.  

Discovery is done only during registration.  

This is a point Mike and I have some disagreement on.   He would like to do late binding of the issuer and do discovery on the returned issuer to support multi tenant.

I think late binding introduces many issues most importantly enabling the easy theft of symmetric client credentials.

The string compared could just be a string like a SAML EntityID, and that works as long as clients limit themselves to only one client_id per iss string. 
The reason it has to be only one is that you could have a bad guy claiming to have the same iss as another AS.

Without checking the integrity of the Authorization URI and token endpoint URI then you leave yourself open to attack with multiple client_id with the same iss.

In the discovery step iss x points to Authorization endpoint x and token endpoint X if you send a request to auth X  of iss X and it says my iss is X then you are sage to send code to the token endpoint of iss X.

A uer tampering with iss just breaks the flow and results in an error.  They could change it to another valid iss for the client but then the client state sent it to X and got it back from Y would cause a error.

I agree that it is important that clients understand that the endpoint configuration step is separate from the authorization flow, and the iss in the authorization response is an identifier only.   (Yes one that can be validated by discovery separately) 

Having the client compare the iss and client strings that it used for the request with the response and throwing an error if they are different still seems like the simplest solution to me.

That unfortunately means limiting the client to one client_id per iss without discovery.

John B.

> On Jan 28, 2016, at 3:16 AM, Manger, James <> wrote:
> Even if theoretically secure, I don’t think it is a good idea to send turi and require the client app to confirm it matches (or send duri and match issuer+well-known…). It will be too tempting to client apps to just use the turi/duri value.
> draft-jones-oauth-mix-up-mitigation-01 is slightly better in sending an "iss" id to match, instead of a web address to follow. However, "iss" is actually a URI and is defined as the basis for discovery. If an app did discovery based on "iss" from the redirect it would be insecure. So I think apps using different redirect URIs for different ASs is a better idea (which happens to be the fix suggested in the paper on the “IdP Mix-Up” attack).
> If we have to send something that another party should match, but not otherwise use, it might be better to send a hash instead of the actual value. That feel much harder for apps or servers to accidentally misuse insecurely.
> --
> James Manger
> From: Nat Sakimura [] 
> Sent: Thursday, 28 January 2016 3:02 PM
> To: Manger, James <>;
> Subject: RE: [OAUTH-WG] oauth-meta: turi allows user to mislead app
> Hi James,  <>
> Right. I thought of the man-in-the-browser case and was originally thinking of sending them in signed JWT(state,c_hash,a_hash,turi,ruri,duri,…) or sending HMAC(sha256, state+code+turi+ruri, client_secret) together but subsequently dropped the idea as anything is broken in the man-in-the-browser case. The bad user case did not occur to me then. I should not have dropped the idea. Incidentally, this probably fixes the cut-n-paste attack as well. For OpenID Connect, it amounts to returning these parameters in ID Token in the front channel. As you can expect, this is my preferred way. 
> If we do not want any crypto, then there has to be additional checks. 
> In case of duri, mandating the client to check that the duri = issuer + .well-known/openid-configuration. 
> For turi, it has to match one of the entry listed in the discovery document or or pre-set configuration. The same applies for ruri. 
> We probably want to have a cut-n-paste attack control in place as well. 
> For the token endpoint response that does not go through user browser, it should be ok to accept it as true. 
> --
> PLEASE READ :This e-mail is confidential and intended for the
> named recipient only. If you are not an intended recipient,
> please notify the sender  and delete this e-mail.
> From: OAuth [ <>] On Behalf Of Manger, James
> Sent: Thursday, January 28, 2016 11:38 AM
> To: <>
> Subject: [OAUTH-WG] oauth-meta: turi allows user to mislead app
> The OAuth-Meta draft <draft-sakimura-oauth-meta-05> returns the token endpoint (in a "turi" query parameter) when redirecting a user from the authorization endpoint back to an app. The app presumably then POSTs the "code" (also in the redirect) to "turi" to get an access token. However, apps typically send their client_secret to the token endpoint to authenticate. Sending a client_secret to a URI that came from a user is insecure.
> A RESTful OAuth would be a great improvement, but it doesn’t look like providing the token endpoint (nor discovery endpoint) in a redirect is the right approach.
> --
> James Manger
> _______________________________________________
> OAuth mailing list