Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation Draft

David Waite <david@alkaline-solutions.com> Thu, 21 January 2016 19:48 UTC


Question: 

I understand how “iss” helps mitigate this attack (client knows response was from the appropriate issuer and not an attack where the request was answered by another issuer).

However, how does passing “state” on the authorization_code grant token request help once you have the above in place? Is this against some alternate flow of this attack I don’t see, or is it meant to mitigate some entirely separate attack?

If one is attempting to work statelessly (e.g. your “state” parameter is actual state and not just a randomly generated value), a client would have always needed some way to differentiate which issuer the authorization_code grant token request would be sent to.

However, if an AS was treating “code” as a token (for instance, encoding: client, user, consent time and approved scopes), the AS now has to include the client’s state as well. This would effectively double (likely more with encoding) the state sent in the authorization response back to the client redirect URL, adding more pressure against maximum URL sizes.

-DW
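The client-side check described above, as an added illustration that is not part of this thread or the draft: a pending authorization request is remembered under its state value together with the issuer it was sent to, the callback is accepted only when its iss matches that issuer, and the token request (carrying code and state) goes to that issuer's token endpoint. The issuer URLs, the client class and the simulated redirect helper are constructed assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample: two issuers the client is registered with (hypothetical URLs).
ISSUERS = {
    "https://as.example.com": "https://as.example.com/token",
    "https://other.example.net": "https://other.example.net/token",
}


def authorization_response(issuer, state, code):
    """Constructed stand-in for the AS redirect: builds the callback URL the AS would
    send, including the iss value the mitigation draft adds to the response."""
    query = urlencode({"code": code, "state": state, "iss": issuer})
    return "https://client.example/cb?" + query


class MixUpAwareClient:
    """Hypothetical stateful client that keeps issuer-per-state and verifies iss."""

    def __init__(self):
        self.pending = {}  # state -> issuer the authorization request was sent to

    def start(self, issuer):
        """Begin a flow with a given issuer and return the state to send along."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return state

    def handle_callback(self, redirect_url):
        """Validate the authorization response. Returns (token_endpoint, body) when
        the response is acceptable, or (None, reason) when it must be rejected."""
        raw = parse_qs(urlparse(redirect_url).query)
        params = {k: v[0] for k, v in raw.items()}
        # state must belong to a request this client actually made; pop so it cannot be replayed
        expected = self.pending.pop(params.get("state"), None)
        if expected is None:
            return None, "unknown or reused state"
        # the response must carry the iss of the issuer this request was sent to
        if params.get("iss") != expected:
            return None, "iss mismatch"
        if "code" not in params:
            return None, "missing code"
        body = {"grant_type": "authorization_code", "code": params["code"], "state": params["state"]}
        # the token request is bound to the expected issuer, never to one named only in the response
        return ISSUERS[expected], body
```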

> On Jan 20, 2016, at 11:28 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> 
> John Bradley and I collaborated to create the second OAuth 2.0 Mix-Up Mitigation draft.  Changes were:
> - Simplified by no longer specifying the signed JWT method for returning the mitigation information.
> - Simplified by no longer depending upon publication of a discovery metadata document.
> - Added the “state” token request parameter.
> - Added examples.
> - Added John Bradley as an editor.
>  
> The specification is available at:
> - http://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01
>  
> An HTML-formatted version is also available at:
> - http://self-issued.info/docs/draft-jones-oauth-mix-up-mitigation-01.html
>  
>                                                           -- Mike
>  
> P.S.  This note was also posted at http://self-issued.info/?p=1526 and as @selfissued (https://twitter.com/selfissued).