Hi all,

The OAuth spec recommends the use of TLS when sending
requests to the end-user authorization endpoint and requires
it when sending requests to the token endpoint.  It says
nothing about using TLS when redirecting the browser back to
the client, which implies that it is not needed for that
purpose.

In fact, TLS is needed just as much when redirecting back to
the client as when sending requests to the token endpoint.
If TLS is not used when redirecting back, the following
attack, which is easy to implement, allows the attacker to
impersonate a resource owner and gain access to protected
resources.

The resource owner goes to an airport or a coffee house with
a laptop.  The attacker is sitting at the airport or coffee
house with a loptop that implements a rogue Wifi access
point.  (Using a laptop as a rogue access point has always
been easy to do, and it may have become easier with the soft
access point feature of Windows 7.)  The resource owner
connects to the Internet through the rogue access point.
The attacker can observe all traffic that is not encrypted
by TLS.

The resource owner tries to use a client application to
access a protected resource.  The client application, which
implements the web server client profile, has registered
with an authorization server, and has been issued a client
identifier and client password credentials by the
authorization server.

The resource owner accesses the client application.  The
client application redirects the resource owner to the
authorization server.  The authorization server
authenticates the resource owner and redirects the resource
owner's browser to the redirection URI of the client
application.  The scheme of the redirection URI is http
rather than https.  The redirected request conveys the
authorization code to the client application.  The client
application uses the authorization code and its client
password credentials to obtain an access token from the
authorization server.

When it obtains the access token, the client application
logs in the resource owner (as applications typically do)
creating a session record where it stores the access token,
so that it can use it later to access protected resources as
requested by the resource owner.  The client application
sets an authentication cookie in the resource owner's
browser (as applications typically do) which refers to the
session record and is used to authenticate subsequent
requests to the client application from the resource owner.

The authentication cookie is set by the http response to the
request that conveyed the authorization code to the client
application.  That request was sent to the redirection URI,
and was not encrypted by TLS.  Therefore the attacker can
observe the authentication cookie.  As soon as the attacker
observes the cookie, it terminates the wireless connection
of the resource owner, and starts using the cookie to
impersonate the resource owner.  The attacker uses the
cookie to make requests to the application for protected
resources, and the application accesses those protected
resources using the access token stored in the browser
record referenced by the cookie.

There is a variation of the attack that uses DNS spoofing.
DNS spoofing is easy to set up on a laptop that implements a
rogue access point.  The attacker spoofs the DNS vis-a-vis
the resource-owner's laptop, mapping the domain name of the
client application to the LAN-side IP address of the rogue
address point.  The attacker's laptop then proxies the
connection from the resource owner's laptop to the client,
which is possible because the connection is not protected by
TLS.  The attacker has thus easy access to the
authentication cookie.

Besides OAuth, the attack works against OpenID, which fails
to recommend the use of TLS for the redirection from the
OpenID Provider back to the Relying party.  The attack also
affected my own little PKAuth protocol (discussed in the
unregistered applications thread), which also uses a double
redirection mechanism.  PKAuth uses TLS throughout, but I
was implicitly making the claim that it provided protection
even if the user ignored an invalid-certificate warning from
the browser.  I've now removed that claim.

Francisco

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to