Re: [OAUTH-WG] oauth-meta: turi allows user to mislead app

"Manger, James" <> Thu, 28 January 2016 06:16 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id B44811B3AC1 for <>; Wed, 27 Jan 2016 22:16:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.301
X-Spam-Status: No, score=-0.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001, J_CHICKENPOX_35=0.6, RCVD_IN_DNSWL_LOW=-0.7, RELAY_IS_203=0.994] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oD2zFowpVGCZ for <>; Wed, 27 Jan 2016 22:16:47 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 7E3681B3ABF for <>; Wed, 27 Jan 2016 22:16:46 -0800 (PST)
X-IronPort-AV: E=Sophos; i="5.22,357,1449493200"; d="scan'208,217"; a="55320219"
Received: from unknown (HELO ([]) by with ESMTP; 28 Jan 2016 17:16:44 +1100
X-IronPort-AV: E=McAfee;i="5700,7163,8057"; a="69506049"
Received: from ([]) by with ESMTP; 28 Jan 2016 17:16:43 +1100
Received: from ([]) by ([fe80::5c01:5192:426d:fe2f%16]) with mapi; Thu, 28 Jan 2016 17:16:43 +1100
From: "Manger, James" <>
To: Nat Sakimura <>, "" <>
Date: Thu, 28 Jan 2016 17:16:42 +1100
Thread-Topic: [OAUTH-WG] oauth-meta: turi allows user to mislead app
Thread-Index: AQI8p81KlwM1SsaMd83m7w23juHIdp45pfZAgAAZIYA=
Message-ID: <>
References: <> <056601d15980$a996bfd0$fcc43f70$>
In-Reply-To: <056601d15980$a996bfd0$fcc43f70$>
Accept-Language: en-US, en-AU
Content-Language: en-US
acceptlanguage: en-US, en-AU
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E13BB6E3BD12WSMSG3153Vsrv_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [OAUTH-WG] oauth-meta: turi allows user to mislead app
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 28 Jan 2016 06:16:50 -0000

Even if theoretically secure, I don't think it is a good idea to send turi and require the client app to confirm it matches (or send duri and match issuer+well-known...). It will be too tempting to client apps to just use the turi/duri value.

draft-jones-oauth-mix-up-mitigation-01 is slightly better in sending an "iss" id to match, instead of a web address to follow. However, "iss" is actually a URI and is defined as the basis for discovery. If an app did discovery based on "iss" from the redirect it would be insecure. So I think apps using different redirect URIs for different ASs is a better idea (which happens to be the fix suggested in the paper on the "IdP Mix-Up" attack).

If we have to send something that another party should match, but not otherwise use, it might be better to send a hash instead of the actual value. That feel much harder for apps or servers to accidentally misuse insecurely.

James Manger

From: Nat Sakimura []
Sent: Thursday, 28 January 2016 3:02 PM
To: Manger, James <>;
Subject: RE: [OAUTH-WG] oauth-meta: turi allows user to mislead app

Hi James,

Right. I thought of the man-in-the-browser case and was originally thinking of sending them in signed JWT(state,c_hash,a_hash,turi,ruri,duri,...) or sending HMAC(sha256, state+code+turi+ruri, client_secret) together but subsequently dropped the idea as anything is broken in the man-in-the-browser case. The bad user case did not occur to me then. I should not have dropped the idea. Incidentally, this probably fixes the cut-n-paste attack as well. For OpenID Connect, it amounts to returning these parameters in ID Token in the front channel. As you can expect, this is my preferred way.

If we do not want any crypto, then there has to be additional checks.
In case of duri, mandating the client to check that the duri = issuer + .well-known/openid-configuration.
For turi, it has to match one of the entry listed in the discovery document or or pre-set configuration. The same applies for ruri.
We probably want to have a cut-n-paste attack control in place as well.

For the token endpoint response that does not go through user browser, it should be ok to accept it as true.

PLEASE READ :This e-mail is confidential and intended for the
named recipient only. If you are not an intended recipient,
please notify the sender  and delete this e-mail.

From: OAuth [] On Behalf Of Manger, James
Sent: Thursday, January 28, 2016 11:38 AM
Subject: [OAUTH-WG] oauth-meta: turi allows user to mislead app

The OAuth-Meta draft <draft-sakimura-oauth-meta-05> returns the token endpoint (in a "turi" query parameter) when redirecting a user from the authorization endpoint back to an app. The app presumably then POSTs the "code" (also in the redirect) to "turi" to get an access token. However, apps typically send their client_secret to the token endpoint to authenticate. Sending a client_secret to a URI that came from a user is insecure.

A RESTful OAuth would be a great improvement, but it doesn't look like providing the token endpoint (nor discovery endpoint) in a redirect is the right approach.

James Manger