IETF Logo Mail Archive

Re: [OAUTH-WG] Indicating sites where a token is valid

Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 07 May 2010 10:18 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B5A463A6AF2 for <oauth@core3.amsl.com>; Fri, 7 May 2010 03:18:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.949
X-Spam-Level:
X-Spam-Status: No, score=-0.949 tagged_above=-999 required=5 tests=[AWL=-1.300, BAYES_50=0.001, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OxBIrVStIJ0D for <oauth@core3.amsl.com>; Fri, 7 May 2010 03:18:26 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.31.29]) by core3.amsl.com (Postfix) with ESMTP id F0E853A6AE2 for <oauth@ietf.org>; Fri, 7 May 2010 03:18:17 -0700 (PDT)
Received: from [213.216.10.66] (helo=[127.0.0.1]) by smtprelay02.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1OAKd1-0000KB-P0; Fri, 07 May 2010 12:17:55 +0200
Message-ID: <4BE3E8B4.9020909@lodderstedt.net>
Date: Fri, 07 May 2010 12:17:24 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: "Manger, James H" <James.H.Manger@team.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E11263073D6D@WSMSG3153V.srv.dir.telstra.com> <q2hfd6741651005062105y46152452x370fac0dd12d55c6@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112631B24FC@WSMSG3153V.srv.dir.telstra.com> <4BE3A5DC.5030601@lodderstedt.net> <255B9BB34FB7D647A506DC292726F6E112631B26DE@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E112631B26DE@WSMSG3153V.srv.dir.telstra.com>
Content-Type: multipart/alternative; boundary="------------040401090100090107090605"
X-Df-Sender: 141509
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Indicating sites where a token is valid
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 May 2010 10:18:27 -0000

Am 07.05.2010 08:14, schrieb Manger, James H:
>
> > what about an additional realm response value?
>
> My original 
> suggestion(http://www.ietf.org/mail-archive/web/oauth/current/msg01920.html) 
> had a “realm” in addition to “sites”. I still think that should be 
> present (though more to match the HTTP auth model (RFC2617) than an 
> expectation that it will be used by most services).
>
> > If there is a binding between realm and token, the client can decide 
> based on the realm attribute discovered using a WWW-Authenticate 
> response which token to use.
>
> “realm” is not sufficient, however. A “realm” doesn’t stop you sending 
> a token to a bad site. Even if an app makes and unauthenticated call 
> first, there is nothing to stop the bad site responding with a 
> WWW-Auth header with the right “realm” value so the client app will 
> reveal the token.
>
> -- 
>
> James Manger
>

I didn't have that threat on my radar screen so far, thank you for your 
advice.

Let me describe what I understood so far from this thread and your 
previous posting. I see two different scenarios:

1) Resource server controls token sites (context of the realm attribute)

The realm returned in a WWW-Authenticate header is by default valid 
within the resource servers site (scheme + host-Part of the URL?) only. 
This way, a bad site cannot automatically get access to tokens intended 
for other sites just by spoofing  the realm attribute. Using an 
additional "sites"-attribute in the WWW-Authenticate-Header, the 
resource server could indicate on which sites the given realm is 
considered equivalent. This broadens the context a realm is valid in. It 
is the resource server which authorizes the usage of tokens on other 
sites by the client. If the clients encounters the same realm on a site 
listed in "sites", it is authorized to automatically use the token there.

2) Authorization server controls token sites (context of token)

If I interpret your current proposal correctly, you suggest the 
authorization server may determine on which sites a particular token can 
be used. That way, the authorization server explicitly authorizes usage 
of tokens based on the trusted relationship between resource server and 
authorization server. This is an interesting proposal since it could be 
used to prevent any bad site from token abuse and unauthorized access to 
private user data. The later is especially relevant if unencrypted, 
self-contained bearer tokens are used.

Attack scenario:
Assumption: User X has an account with site "https://www.example.com" 
where he stores his private data
1) The users intends to configure its mobile OAuth client for access to 
"https://www.example.com", but unfortunately uses the wrong URL 
"https://www.bad_example.com" obtained from an attackers e-Mail
2) "http://www.bad_example.com" respondes with the authorization URL of 
the OAuth server of "https://www.example.com"
3) The user authorizes access for "https://www.example.com" (or at least 
believes to do so)
4) The client acquires an access token from the authorization server
5) The mobile client access "https://www.bad_example.com" using that 
access token
6) "https://www.bad_example.com" proxies the request to 
"https://www.example.com", so neither the user nor the service realize 
the problem

I see the following ways how "https://www.bad_example.com" could abuse 
the token:
a) It can access the users private data on "https://www.example.com" or 
deposite illegal files (file sharing).
b) It can read the private user data contained in the token

If we follow your proposal, the authorization server would respond with 
a response value of "sites": ["https://www.example.com"] in step (4). 
The client would detect the attack attempt and refuse to send any 
request with the token to "https://www.bad_example.com".

In my opinion, (1) improves security and eases the practicability of 
OAuth2 in scenarios with multiple sites and (2) is a significant 
security improvement. I think, both scenarios should be addressed by the WG.

Any thoughts?

regards,
Torsten.

v2.23.0 | Report a Bug | By Email