Re: [OAUTH-WG] OAuth2 security considerations for client_id

William Mills <wmills@yahoo-inc.com> Fri, 06 January 2012 17:34 UTC

Date: Fri, 06 Jan 2012 09:34:28 -0800
From: William Mills <wmills@yahoo-inc.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>, Karim <medkarim.esskalli@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <0f4aff4b-9fcc-4077-9fca-a068ebf97dd4@email.android.com>

Yeah, certainly for Mobile clients this is true.  There are classes of clients (server to server implementations notably) where clientID can be a proper secret and be useful for client validation.



________________________________
 From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: Karim <medkarim.esskalli@gmail.com>; oauth@ietf.org 
Sent: Friday, January 6, 2012 5:21 AM
Subject: Re: [OAUTH-WG] OAuth2 security considerations for client_id
 

Hi,

your observation is correct. OAuth security considerations recommend not to rely on secrets for authenticating mobile apps (aka native apps) but to manage them as so-called public clients. Please take a look at section 10 of the core spec for further details.

regards,
Torsten.




Karim <medkarim.esskalli@gmail.com> wrote:
>Hello,
>
>When using the User-agent flow with OAuth2 on a mobile platform, there is no way for the Authorization server to authenticate the client_id of the application.
>
>So, anyone can impersonate my app by copying the client_id (and so get all access tokens on my behalf), and this is applicable to Facebook, Foursquare, ...
>
>Is this not managed by OAuth2? Or did I miss something?
>
>For Web applications (Web server flow), the access token is stored on the server side, and the client is authenticated using a secret key.
>
>-- 
>Karim
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
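The public/confidential split the thread turns on, as an added illustration that is not code from the list or from the spec: an authorization server that treats client_secret as a credential only for confidential (server-to-server) clients and, for a public client whose client_id anyone can copy, relies on exact redirect URI matching as section 10 of the core spec recommends (RFC 6749 section 10.1 in the published version). The registry entries, client names and secret are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional
import hmac


@dataclass(frozen=True)
class Client:
    client_id: str
    client_type: str            # "confidential" (server-to-server) or "public" (native/mobile)
    redirect_uris: tuple        # exact registered redirect URIs
    client_secret: Optional[str] = None   # only meaningful for confidential clients


# Constructed sample registry; not from any real deployment.
REGISTRY = {
    "srv-backend": Client("srv-backend", "confidential",
                          ("https://backend.example/cb",), "sample-secret"),
    "mobile-app": Client("mobile-app", "public", ("com.example.app://callback",)),
}


def authenticate_client(client_id: str, client_secret: Optional[str] = None) -> Optional[Client]:
    """Return the client if its credentials are acceptable for its type, else None.
    For a public client the client_id is an identifier only, never a credential."""
    client = REGISTRY.get(client_id)
    if client is None:
        return None
    if client.client_type == "confidential":
        # Constant-time comparison; a missing or wrong secret rejects the client.
        if client_secret is None or client.client_secret is None:
            return None
        if not hmac.compare_digest(client_secret, client.client_secret):
            return None
    return client


def is_trusted_identity(client: Optional[Client]) -> bool:
    """Only a confidential client's identity has been verified; a public client's
    client_id says who the caller claims to be, not who it is."""
    return client is not None and client.client_type == "confidential"


def validate_authorization_request(client_id: str, redirect_uri: str) -> bool:
    """Exact match against the registered redirect URI: with a copied public
    client_id the tokens still only go to the legitimate app's registered URI."""
    client = REGISTRY.get(client_id)
    return client is not None and redirect_uri in client.redirect_uris
```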