IETF Logo Mail Archive

Re: [websec] Indicating origin of OAuth credentials to combat login CSRF

Adam Barth <ietf@adambarth.com> Sat, 26 February 2011 07:09 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: websec@core3.amsl.com
Delivered-To: websec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 694F53A691B; Fri, 25 Feb 2011 23:09:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.839
X-Spam-Level:
X-Spam-Status: No, score=-2.839 tagged_above=-999 required=5 tests=[AWL=0.138, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6JxNyhCSLUAO; Fri, 25 Feb 2011 23:09:16 -0800 (PST)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id AABEB3A68A0; Fri, 25 Feb 2011 23:09:16 -0800 (PST)
Received: by iwl42 with SMTP id 42so1902795iwl.31 for <multiple recipients>; Fri, 25 Feb 2011 23:10:11 -0800 (PST)
Received: by 10.231.161.15 with SMTP id p15mr3530063ibx.104.1298704210675; Fri, 25 Feb 2011 23:10:10 -0800 (PST)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id 8sm1627920iba.22.2011.02.25.23.10.09 (version=SSLv3 cipher=OTHER); Fri, 25 Feb 2011 23:10:09 -0800 (PST)
Received: by iwl42 with SMTP id 42so1902774iwl.31 for <multiple recipients>; Fri, 25 Feb 2011 23:10:09 -0800 (PST)
Received: by 10.231.160.80 with SMTP id m16mr3552715ibx.106.1298704209087; Fri, 25 Feb 2011 23:10:09 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.40.7 with HTTP; Fri, 25 Feb 2011 23:09:39 -0800 (PST)
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1127DCD2142@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E1127DCD2142@WSMSG3153V.srv.dir.telstra.com>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 25 Feb 2011 23:09:39 -0800
Message-ID: <AANLkTina+=5uV4V7DRfX6RsZUDU1j_Ag+Ruf2C9dPOW_@mail.gmail.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Cc: "websec@ietf.org" <websec@ietf.org>, OAuth Mailing List <oauth@ietf.org>
Subject: Re: [websec] Indicating origin of OAuth credentials to combat login CSRF
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Feb 2011 07:09:23 -0000

On Thu, Feb 24, 2011 at 4:08 PM, Manger, James H
<James.H.Manger@team.telstra.com> wrote:
> Q. Should an OAuth client app list the authorization server in the Origin
> header of requests to resource servers?

They are allowed to, but are not required to, by the Origin header
specification.  Whether they should or not is a question for the OAuth
working group to decide.

Adam


> In OAuth (delegation) flows a server dynamically issues credentials (such as
> a bearer token) to a client app to use in subsequent HTTP requests to other
> servers. To combat login cross-site request forgery (CSRF) attacks [1]
> (where an attacker’s server issues the attacker’s credentials to a client
> app to use on behalf of a victim at a legitimate server) the client app
> needs to indicate where the credentials came from. The Origin header [2]
> looks like the right place to indicate this.
>
>
>
> [For the OAuth list: The Origin HTTP request header “indicates the origin(s)
> that caused the user agent to issue the request”
> [http://tools.ietf.org/html/draft-ietf-websec-origin-00#section-6.2].]
>
>
>
> [For the WebSec list: An OAuth credential from an authorization server is a
> bit like a cookie, but not restricted to the same origin.]
>
>
>
>
>
> Example:
>
>
>
>   Client to (malicious) authorization server: ->
>
>     POST /token HTTP/1.1
>
>     Host: login.example.com
>
>     …
>
>   <-
>
>     HTTP/1.1 200 OK
>
>     …
>
>     { "access_token": "SlAV32hkKG", …}
>
>
>
>   Client to resource server: ->
>
>     POST /uploadData HTTP/1.1
>
>     Host: api.exampledata.com
>
>     Authorization: BEARER SlAV32hkKG
>
>     Origin: https://login.example.com
>
>     …
>
>
>
>
>
> There can be other servers that contribute to a client app making a request.
> For instance, one server can redirect to another. A Origin request header
> can list multiple origins. The server will not be able to distinguish which
> origin issued OAuth credentials from which issued a redirect etc. That might
> not matter if a server has to trust all the values listed in the Origin
> header.
>
> Q. Is it the group’s expectation that servers checking the Origin header
> will require all the listed origins to be trusted?
>
>
>
> [1] Robust Defenses for Cross Site Request Forgery,
> http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf
>
> [2] The Web Origin Concept,
> http://tools.ietf.org/html/draft-ietf-websec-origin
>
> [3] Principles of the Same Origin Policy,
> http://tools.ietf.org/html/draft-abarth-principles-of-origin
>
>
>
> --
>
> James Manger
>
>
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>
>

v2.23.0 | Report a Bug | By Email