Re: [OAUTH-WG] Auth Code Swap Attack

"William J. Mills" <> Mon, 15 August 2011 17:06 UTC

From: "William J. Mills" <>
To: Barry Leiba <>, Anthony Nadalin <>
Cc: OAuth WG <>
Date: Mon, 15 Aug 2011 10:07:29 -0700
Subject: Re: [OAUTH-WG] Auth Code Swap Attack

I'm a -1 on both of these until I re-read the attack description and really parse this again.  Perhaps I'm being confused by the usage of "client" here.  My initial reaction is that any time we are relying on the client to protect itself from CSRF it is a mistake.

I do think that CSRF protection is REQUIRED, the remaining question is whether it's reasonable to force folks to use the state parameter.  My gut says it's not unreasonable to force this simple model.

I also don't particularly like either CSRF description used.  As I've said before I think there are better discussions of it out there.

More later when I have more time to think on this.


From: Barry Leiba <>
To: Anthony Nadalin <>
Cc: "" <>; "OAuth WG (" <>
Sent: Monday, August 15, 2011 8:06 AM
Subject: Re: [OAUTH-WG] Auth Code Swap Attack

On Mon, Aug 15, 2011 at 10:51 AM, Anthony Nadalin <> wrote:
> That's nice, four people come up with text and you decide to use your text.
> Making state optional does nothing to fix the protocol issue, people will get
> this wrong and have. Our developers have been through this and agreed
> upon the text that was generated. They find the text in the current draft
> unacceptable and confusing and think that new text is acceptable.

I have to agree with what Tony says above.  The text proposed in his
message was agreed upon by several WG participants, and unless there's
some significant objection to it I think we should use it in the -21
version, subject to final WG review.

Barry, as chair
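The attack the thread argues about, and the state-parameter check it debates making mandatory, as an added example that is not code from the OAuth WG, any draft, or any poster. The authorization server, the client and the browser sessions are all simulated in one process; the endpoint URLs, client_id and session/account names are constructed for the example.

```python
"""Auth-code-swap (login CSRF) against an OAuth 2.0 authorization-code client.

Added example for this thread, not code from the OAuth WG or any draft.
The AS, the client and the browser sessions are simulated in-process;
endpoint URLs, client_id and session/account names are constructed.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://as.example/authorize"   # hypothetical AS
REDIRECT_URI = "https://client.example/cb"        # hypothetical client callback
CLIENT_ID = "demo-client"                          # hypothetical


def _query(url):
    """Return the query part of `url` as {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class Client:
    """OAuth client; `check_state` toggles the CSRF defence under discussion."""

    def __init__(self, check_state):
        self.check_state = check_state
        self.sessions = {}   # browser session id -> {"state": ..., "linked": ...}
        self.codes = {}      # simulated AS store: authorization code -> resource owner

    def start(self, session_id):
        """Build the authorization request and bind a fresh state to this session."""
        state = secrets.token_urlsafe(32)
        self.sessions.setdefault(session_id, {})["state"] = state
        return AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "state": state})

    def as_authorize(self, authz_url, owner):
        """Simulated AS: `owner` approves, the AS issues a code and echoes state."""
        q = _query(authz_url)
        code = secrets.token_urlsafe(16)
        self.codes[code] = owner
        params = {"code": code}
        if "state" in q:
            params["state"] = q["state"]
        return q["redirect_uri"] + "?" + urlencode(params)

    def callback(self, session_id, redirect_url):
        """Redirect-URI handler, run with the cookies of `session_id`.

        Returns the account linked to the session, or None if rejected."""
        q = _query(redirect_url)
        sess = self.sessions.setdefault(session_id, {})
        if self.check_state:
            expected = sess.pop("state", None)   # single use: consumed on first callback
            got = q.get("state")
            if expected is None or got is None or not hmac.compare_digest(
                    expected.encode(), got.encode()):
                return None
        owner = self.codes.pop(q["code"], None)   # simulated token exchange, single use
        if owner is None:
            return None
        sess["linked"] = owner
        return owner


def legit_flow(check_state):
    """Alice starts and finishes her own flow in one browser session."""
    c = Client(check_state)
    redirect = c.as_authorize(c.start("alice-session"), owner="alice")
    return c.callback("alice-session", redirect)


def auth_code_swap(check_state, keep_attacker_state=False):
    """Attacker obtains a code for *their* account, does not redeem it, and
    lures the victim's browser to the client callback carrying that code."""
    c = Client(check_state)
    attacker_redirect = c.as_authorize(c.start("attacker-session"), owner="attacker")
    q = _query(attacker_redirect)
    forged = {"code": q["code"]}
    if keep_attacker_state:
        forged["state"] = q["state"]   # the attacker's own state, never the victim's
    lure = REDIRECT_URI + "?" + urlencode(forged)
    # the victim's browser hits the callback with the victim's session cookie
    return c.callback("victim-session", lure)


if __name__ == "__main__":
    print("legit:", legit_flow(True))                          # alice
    print("swap, no state check:", auth_code_swap(False))      # attacker
    print("swap, state check:", auth_code_swap(True))          # None
    print("swap, attacker's state:", auth_code_swap(True, keep_attacker_state=True))  # None
```

With the check disabled the victim's session ends up linked to the attacker's account, which is the swap. With it enabled the decision depends only on a value stored in the victim's own session, so nothing the attacker can put in the lure URL (including the attacker's own valid state) passes. The check has to bind state to the session and consume it once; a client that merely requires the parameter to be present gets no protection.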