Re: [OAUTH-WG] OAuth Security BCP -15
Aaron Parecki <aaron@parecki.com> Mon, 06 April 2020 14:10 UTC
Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57BF13A045B for <oauth@ietfa.amsl.com>; Mon, 6 Apr 2020 07:10:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qSUCRWKFpbZQ for <oauth@ietfa.amsl.com>; Mon, 6 Apr 2020 07:10:05 -0700 (PDT)
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B8F53A058F for <oauth@ietf.org>; Mon, 6 Apr 2020 07:09:24 -0700 (PDT)
Received: by mail-io1-xd29.google.com with SMTP id m4so31554ioq.6 for <oauth@ietf.org>; Mon, 06 Apr 2020 07:09:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bKqpjzcQvFPRALqy7QcKPRYAFwQcpy0V49hQ7nbUPHo=; b=WMJ1girFd2k+J9vzq5d3HeHI9nVN3lnnzcg9JDWCSDEV/0fBcm1KWLCPE4gFwsZbL6 n5+dKFjAcs2S745ojmCnU2ZjA5I6NC3yzVr7zzjeVh3P9cujzDzAbZp41tcImSE5o9OW GHGROm8CvRgB0BJ37RsvkRa+ujzQ7tMrI2LHFXgQDWuI2/y2S0c6X0j6I/MtTUXWQtvS nIhuMlpxGpKMmZMVAx+taV0CxnXn+vkvXXhezlRwTy/oenbpyUJaPT+yoN5uSTTzV4y8 SWr8PIs26KCfsXuQeOi1SN8esqS2Xc0SdMyy3RWqDz3DgAwVSYEbXdhi6+xFDfAETjnE Eg2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bKqpjzcQvFPRALqy7QcKPRYAFwQcpy0V49hQ7nbUPHo=; b=eNVjOvlPTEUPl1A35mcHps4xM1rpjeCYlIQo5E0U8bImgzIOLxOpMFfs839ArmCSmn 8wobSB7RBgZqw06aao6x+w8odHrE8hI+40u6q7X0CcZ5FNBMAtdq+21SFV4/bbOXW1zI 4R/uuEsaOU5RyPJ9hVY63YGZcn/h9ljE/W6S0+z33uRyW9z8U13umwyw2Y7hteL33DlW 9VPHfiV5PA4xstx9gU7YngKJ6DDgd5GRcRST4JXktJ3h0h5E0FoBZOZnbFmvX3RTO4KJ Jy/E94JUO6BrA/Ep7XUtEd8Ml9wYRveuFYL+8Jjhy9NId7xzLSeMfwVmrhGSQdrVa446 4U+Q==
X-Gm-Message-State: AGi0PubPOSowuhbmwRzPurzvle6+Dgh02I5a0RRZX7Cm9/cUwDS0dlzJ 7Boyi6GIx0TDfURgVAfALWuSoTZL568=
X-Google-Smtp-Source: APiQypJfFFpZXIxbovbciWnahU+uT9RT6dJLoCjLfsWHIMfLMpx5wveTE3Ou8/rdC4Eeh2QGe9U6Nw==
X-Received: by 2002:a5d:984b:: with SMTP id p11mr19807944ios.175.1586182163098; Mon, 06 Apr 2020 07:09:23 -0700 (PDT)
Received: from mail-il1-f179.google.com (mail-il1-f179.google.com. [209.85.166.179]) by smtp.gmail.com with ESMTPSA id k16sm6004361ila.38.2020.04.06.07.09.22 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 06 Apr 2020 07:09:22 -0700 (PDT)
Received: by mail-il1-f179.google.com with SMTP id t6so14737977ilj.8 for <oauth@ietf.org>; Mon, 06 Apr 2020 07:09:22 -0700 (PDT)
X-Received: by 2002:a92:b74d:: with SMTP id c13mr21655271ilm.105.1586182161691; Mon, 06 Apr 2020 07:09:21 -0700 (PDT)
MIME-Version: 1.0
References: <CAGBSGjq2DtMfGAbzQz54-7h2vgwyQnDkab8ET0w+fvLxE6Uypg@mail.gmail.com> <91012825-2bef-297a-1d9a-89c8c9e1f7f3@danielfett.de>
In-Reply-To: <91012825-2bef-297a-1d9a-89c8c9e1f7f3@danielfett.de>
From: Aaron Parecki <aaron@parecki.com>
Date: Mon, 06 Apr 2020 07:09:10 -0700
X-Gmail-Original-Message-ID: <CAGBSGjrZChp2CeCNUKtUtNbnBSZtuT+2CBCQYwM-xVV4Kdm-FQ@mail.gmail.com>
Message-ID: <CAGBSGjrZChp2CeCNUKtUtNbnBSZtuT+2CBCQYwM-xVV4Kdm-FQ@mail.gmail.com>
To: Daniel Fett <fett@danielfett.de>
Cc: OAuth WG <oauth@ietf.org>, Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: multipart/alternative; boundary="0000000000004c0f0905a29fd0dc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wZJ_syPZmQZpzinnh4v5SFXZ9M4>
Subject: Re: [OAUTH-WG] OAuth Security BCP -15
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Apr 2020 14:10:11 -0000
> > The injected authorization code would always refer to a different session > (started with a different nonce). The client would therefore get an ID > Token with a different nonce. The assumption is that the client would then > throw away both the ID Token and the access token. This is true as long as the client actually validates the ID token it obtained at the token endpoint, even though it may have already obtained one from the authorization response. (e.g. response_type=code+id_token). It feels like this should be explained in a little more detail, since having to validate two ID tokens to protect against this attack is not necessarily obvious. Aaron ---- Aaron Parecki aaronparecki.com @aaronpk <http://twitter.com/aaronpk> On Mon, Apr 6, 2020 at 12:09 AM Daniel Fett <fett@danielfett.de> wrote: > Hi Aaron, > > Thanks for your feedback! > > Am 05.04.20 um 20:42 schrieb Aaron Parecki: > > Section 2.1.1 says: > > Clients MUST prevent injection (replay) of authorization codes into >> the authorization response by attackers. The use of PKCE [RFC7636] >> is RECOMMENDED to this end. The OpenID Connect "nonce" parameter and >> ID Token Claim [OpenID] MAY be used as well. > > > Minor nit: this should be "ID Token claim" with a lowercase "c". I spent a > while trying to figure out what an "ID Token Claim" is before realizing > this sentence was referring to the "nonce" claim in an ID Token. > > Upper case "Claim" follows the convention in OIDC Core, which says for > example, "these additional requirements for the following ID Token Claims > apply". > > To keep the documents consistent, I will change the sentence above to > > "The OpenID Connect "nonce" parameter and the respective Claim in the ID > Token [OpenID] MAY be used as well." > > > Aside from that, I'm struggling to understand what this section is > actually saying to do. Since this is in the "Authorization Code Grant" > section, is this saying that using response_type=code is fine as long as > the client checks the "nonce" in the ID Token obtained after it uses the > authorization code? It seems like that would still allow an authorization > code to be injected. I don't see how the "nonce" parameter solves anything > to do with the authorization code, it seems like it only solves ID token > injections via response_type=id_token. > > The injected authorization code would always refer to a different session > (started with a different nonce). The client would therefore get an ID > Token with a different nonce. The assumption is that the client would then > throw away both the ID Token and the access token. > > Does that make sense? > > > In any case, this section could benefit from some more explicit > instructions on how exactly to prevent authorization code injection attacks. > > Indeed, we should add a sentence or two on that. > > -Daniel >
- [OAUTH-WG] OAuth Security BCP -15 Aaron Parecki
- Re: [OAUTH-WG] OAuth Security BCP -15 David Waite
- Re: [OAUTH-WG] OAuth Security BCP -15 Daniel Fett
- Re: [OAUTH-WG] OAuth Security BCP -15 Aaron Parecki
- Re: [OAUTH-WG] OAuth Security BCP -15 Daniel Fett