Re: [oauth] OAuth and HTTP proxies

George Fletcher <gffletch@aol.com> Tue, 10 March 2009 15:07 UTC

Message-ID: <49B6822A.1050002@aol.com>
Date: Tue, 10 Mar 2009 11:07:22 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEF@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEF@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] OAuth and HTTP proxies

I checked and both Host and Authorization MUST be passed through 
unchanged by proxies. So from a signature perspective that will work 
fine for HTTP 1.1 requests (as they require the presence of the Host 
header). For proxies that accept HTTP 1.0 requests, they SHOULD add the 
Host header based on the received hostname:port in the proxied URI. 
Given that the hostname:port values must be normalized before being 
added to the SBS, this should not break the signature by the downstream 
service.

One issue with OAuth and proxies is that the responses are not signed. 
So while the request to the "server" is protected, the response from the 
server is not. This means that all responses are subject to MITM attacks 
by the proxies. If response signing is added, then proxies can also 
change the content encoding of the response, so all content "decoding" 
must be done before processing the entity body to construct the SBS.

Thanks,
George

Eran Hammer-Lahav wrote:
> Can someone please review the OAuth spec [1], in particular section 3.3.1.3, to help determine if the way OAuth signs requests is compatible with HTTP proxies?
>
> OAuth signs the request URI based on either the content of the Host header or the actual hostname and port used to make the request. It was written with total disregard to proxies and caches. I am trying to find out if it breaks or breaks something else.
>
> EHL
>
> [1] http://tools.ietf.org/html/draft-hammer-oauth-01
>
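The host:port normalization George describes is what makes the signature survive a proxy. The block below is an added example (Python), not code from this thread, from the draft, or from any OAuth library: it builds an OAuth 1.0 signature base string (SBS) and HMAC-SHA1 signature, and shows that a proxy which rewrites the Host header (different case, or an explicit default port added from the proxied URI) leaves the SBS and signature unchanged, while a different port does not. Assumed, since the thread does not spell them out: the normalization rules later fixed in RFC 5849 sections 3.4.1.2 and 3.4.1.3 (lowercase scheme and host, default port dropped, parameters percent-encoded and sorted); the client key, token, secrets, nonce and timestamp are made-up values.

```python
"""OAuth 1.0 signature base string with Host normalization (added example).

Assumes the normalization rules of RFC 5849 3.4.1.2 / 3.4.1.3; all
credentials, nonce and timestamp below are made up for the demonstration.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Made-up client/token credentials.
CLIENT_SECRET = "client-secret-example"
TOKEN_SECRET = "token-secret-example"
OAUTH_PARAMS = [
    ("oauth_consumer_key", "client-key-example"),
    ("oauth_token", "token-example"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1236697642"),
    ("oauth_nonce", "nonce-example-0001"),
    ("oauth_version", "1.0"),
]


def pct(s: str) -> str:
    """Percent-encode, leaving only the unreserved set (RFC 5849 3.6)."""
    return quote(s, safe="-._~")


def base_string_uri(scheme: str, host_header: str, path: str) -> str:
    """Normalize scheme://host[:port]/path from the received Host header.

    Scheme and host are lower-cased and the port is omitted when it is the
    scheme's default, so 'Example.COM:80' and 'example.com' agree.
    Query and fragment are excluded; query parameters are signed separately.
    """
    scheme = scheme.lower()
    host, _, port = host_header.partition(":")
    host = host.lower()
    if port and int(port) != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{int(port)}"
    return f"{scheme}://{host}{path}"


def normalized_params(params) -> str:
    """Encode, sort by (name, value), join with '&' (RFC 5849 3.4.1.3.2)."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, scheme, host_header, request_target, oauth_params) -> str:
    parts = urlsplit(request_target)
    params = list(parse_qsl(parts.query, keep_blank_values=True)) + list(oauth_params)
    # oauth_signature itself is never part of what gets signed.
    params = [(k, v) for k, v in params if k != "oauth_signature"]
    return "&".join([
        method.upper(),
        pct(base_string_uri(scheme, host_header, parts.path)),
        pct(normalized_params(params)),
    ])


def hmac_sha1_signature(sbs: str, client_secret: str, token_secret: str) -> str:
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, sbs.encode(), hashlib.sha1).digest()).decode()


def sign(host_header: str, request_target: str):
    """Return (SBS, signature) for a GET over http with the given Host header."""
    sbs = signature_base_string("GET", "http", host_header, request_target, OAUTH_PARAMS)
    return sbs, hmac_sha1_signature(sbs, CLIENT_SECRET, TOKEN_SECRET)


TARGET = "/photos?size=original&file=vacation.jpg"


def proxy_rewrite_is_harmless() -> bool:
    """Client signed against 'Example.COM:80'; an HTTP/1.0-accepting proxy
    supplies 'Host: example.com' from the proxied URI. Same SBS, same signature."""
    return sign("Example.COM:80", TARGET) == sign("example.com", TARGET)


def port_change_breaks_signature() -> bool:
    """A reverse proxy forwarding to a backend on 8080 must not let the
    server rebuild the base string from its own listening port."""
    return sign("example.com", TARGET)[1] != sign("example.com:8080", TARGET)[1]


if __name__ == "__main__":
    sbs, sig = sign("Example.COM:80", TARGET)
    print(sbs)
    print("signature:", sig)
    print("proxy Host rewrite harmless:", proxy_rewrite_is_harmless())
    print("port change breaks signature:", port_change_breaks_signature())
```

The second check is the practical caveat behind Eran's "actual hostname and port used to make the request": a server behind a reverse proxy must reconstruct the base string from the Host header the client signed against (or from configuration matching the public endpoint), not from the port its own socket is bound to, or every signature will fail verification.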