Re: [oauth] OAuth and HTTP proxies
George Fletcher <gffletch@aol.com> Tue, 10 March 2009 15:07 UTC
Message-ID: <49B6822A.1050002@aol.com>
Date: Tue, 10 Mar 2009 11:07:22 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEF@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEF@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] OAuth and HTTP proxies
I checked and both Host and Authorization MUST be passed through unchanged by proxies. So from a signature perspective that will work fine for HTTP 1.1 requests (as they require the presence of the Host header). For proxies that accept HTTP 1.0 requests, they SHOULD add the Host header based on the received hostname:port in the proxied URI. Given that the hostname:port values must be normalized before being added to the SBS, this should not break the signature by the downstream service.

One issue with OAuth and proxies is that the responses are not signed. So while the request to the "server" is protected, the response from the server is not. This means that all responses are subject to MITM attacks by the proxies. If response signing is added, then proxies can also change the content encoding of the response, so all content "decoding" must be done before processing the entity body to construct the SBS.

Thanks,
George

Eran Hammer-Lahav wrote:
> Can someone please review the OAuth spec [1], in particular section 3.3.1.3, to help determine if the way OAuth signs requests is compatible with HTTP proxies?
>
> OAuth signs the request URI based on either the content of the Host header or the actual hostname and port used to make the request. It was written with total disregard to proxies and caches. I am trying to find out if it breaks or breaks something else.
>
> EHL
>
> [1] http://tools.ietf.org/html/draft-hammer-oauth-01
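The exchange above turns on one detail: the base string URI is built from the Host header (or the connected hostname:port) only after scheme, host and default port are normalized, so a proxy that synthesizes a Host header for an HTTP 1.0 request from the absolute request URI produces the same signature base string (SBS) the client used. The example below, added here and not code from either message, the draft, or any OAuth library, implements that normalization and the HMAC-SHA1 signing of draft-hammer-oauth-01 in Python and checks the proxy case on a constructed request. Function names, the sample request, keys and secrets are all constructed for illustration; IPv6 host literals are deliberately not handled.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

# Constructed example for this thread: not the draft's text, not a library.
DEFAULT_PORTS = {"http": "80", "https": "443"}


def pct(s):
    """OAuth percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare."""
    return quote(str(s), safe="-._~")


def base_string_uri(scheme, host_value, path):
    """Normalize scheme://host[:port]/path for the SBS.

    host_value is either the received Host header or the hostname[:port] the
    client actually connected to. Scheme and host are lowercased, the scheme's
    default port is dropped, and the query string is never part of this URI.
    (Hypothetical simplification: bracketed IPv6 literals are not supported.)
    """
    scheme = scheme.lower()
    host, _, port = host_value.partition(":")
    host = host.lower()
    if port and port != DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}:{port}{path}"
    return f"{scheme}://{host}{path}"


def normalized_params(query, oauth_params):
    """Merge query and oauth_* parameters, encode, sort, join with '&'."""
    pairs = list(parse_qsl(query, keep_blank_values=True))
    pairs += [(k, v) for k, v in oauth_params.items()
              if k not in ("realm", "oauth_signature")]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, scheme, host_value, path, query, oauth_params):
    """METHOD & enc(base URI) & enc(normalized parameters)."""
    return "&".join([
        method.upper(),
        pct(base_string_uri(scheme, host_value, path)),
        pct(normalized_params(query, oauth_params)),
    ])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with enc(consumer secret) & enc(token secret), base64 output."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


# Constructed sample request: an HTTP 1.0 client connected to example.com:80
# and sent "GET http://Example.COM:80/photos?..." through a proxy with no
# Host header. The proxy adds Host from the request URI before forwarding.
SAMPLE = {
    "method": "GET",
    "scheme": "http",
    "path": "/photos",
    "query": "file=vacation.jpg&size=original",
    "oauth_params": {
        "oauth_consumer_key": "constructed-consumer-key",
        "oauth_token": "constructed-token",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1236697200",
        "oauth_nonce": "constructed-nonce-1",
        "oauth_version": "1.0",
    },
}
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET = "constructed-token-secret"


def client_signature(connected_host="example.com:80"):
    """Signature computed by the client from the host and port it connected to."""
    bs = signature_base_string(SAMPLE["method"], SAMPLE["scheme"], connected_host,
                               SAMPLE["path"], SAMPLE["query"], SAMPLE["oauth_params"])
    return hmac_sha1_signature(bs, CONSUMER_SECRET, TOKEN_SECRET)


def server_signature(received_host_header, query=None):
    """Signature recomputed by the server from the Host header it received."""
    bs = signature_base_string(SAMPLE["method"], SAMPLE["scheme"], received_host_header,
                               SAMPLE["path"], SAMPLE["query"] if query is None else query,
                               SAMPLE["oauth_params"])
    return hmac_sha1_signature(bs, CONSUMER_SECRET, TOKEN_SECRET)


def proxy_preserves_signature():
    """True when a proxy-synthesized Host of 'Example.COM:80' still verifies."""
    return client_signature("example.com:80") == server_signature("Example.COM:80")


if __name__ == "__main__":
    print("proxy-added Host verifies:", proxy_preserves_signature())
    print("tampered query verifies:",
          server_signature("Example.COM:80", "file=other.jpg") == client_signature())
```

Running it shows the proxy-added Host header verifying while a query change made in transit does not, which is exactly the asymmetry George describes: the request line, Host and parameters are covered by the SBS, but nothing in this scheme covers the response body, so a proxy altering the response stays undetected.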