Hi Michael,
Am 04.01.2012 22:06, schrieb Michael Thomas:
I think the "perhaps unwisely" goes to the heart of my objection. You
might as well be talking about "perhaps unwisely" driving a car,
or "perhaps unwisely" eating food: the reality is that people download
apps by the *billions*. When I was initially blown off, many of the
participants including document editors implied that only idiots get
apps for their phones. That is *completely* unhelpful as the reality
is that OAUTH's use is hugely if not primarily deployed in that sort of
environment.
I fully agree with you. That's why the core spec and the threat document
both consider native apps.
This is a threat that cuts to the very heart of what OAUTH is, and
purports
to defend against: keeping user credentials out of the hands of an
untrusted third party. If there really aren't any good ways to
mitigate this
in an app environment, why is OAUTH being deployed so aggressively there?
Shouldn't the threat draft say in blinking bold: "DEPLOYING OAUTH
IN NATIVE APPS CONSIDERED HARMFUL"?
You lost me. Is the situation getting any worse with OAuth? I don't
think so. I think the situation is getting better, probably not as you
might expect.
The key question is: Why do we aim on "keeping user credentials out of
the hands of an untrusted third party"?
1) To prevent phishing or 2) to prevent leakage of end-user credentials
due to inappropriate handling or weak defence on the 3rd party?
wrt 1) I don't think so. I don't see how an authorization server shall
validate the authenticity and trustworthiness of a client-side
application. We already state this in section 4.4.1.4. of the threat
document.
-----------------------
It is not the task of the authorization server to protect
the end-user's device from malicious software. This is the
responsibility of the platform running on the particular device
probably in cooperation with other components of the respective
ecosystem (e.g. an application management infrastructure). The sole
responsibility of the authorization server is to control access to
the end-user's resources living in resource servers and to prevent
unauthorized access to them.
-----------------------
wrt 2) Yes, I think that's the reason. And OAuth is a appropriate
protocol to achieve this goal, even for mobile apps. Why?
A typical mobile application consists of the app itself on the device
and a corresponding backend service storing user data and implementing
business and integration logic. Let's assume this application features
address book import from other service providers. W/o OAuth, the app
would gather the end-user's credential for a certain address book
service and pass it to its backend service. This service in turn uses
this credentials to access the service provider's API. So in such a
scenario the following parties get in touch with the user credentials:
- the app
- the app's backend service
- the address book resource server
What threats do you see here? And which is most likely to occur? My
favorite is an attack against the log files or the database of the
backend service in order to obtain the end-users passwords for the
resource server. Why? Because the cost/benefit ratio for an attacker is
much better then attacking any app installation on a device and the
protective measure on the resource server might be more appropriate then
on the client side (backend service).
OAuth mitigates this kind of attack by reducing the number of parties
handling user credentials to the authorization server and the user
agent. So even if the app itself would be the user agent (which is not
recommended), it would directly interact with the authorization server
and the app's backend service would use tokens instead of end-user
credentials. Moreover, the recommended way is to let the app delegate
the flow to a trusted system component on the user's device, such as the
system browser or an account manager. In that case, the 3rd party is not
getting in touch with the user credentials at all.
I think the key question is whether anyone expects OAuth to solve the
phishing problem. I don't think this is its main purpose, but it could
facilitate to overcome the habit to enter user credentials everywhere.
And this in turn may contribute to the fight against phishing.
regards,
Torsten.
Mike
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
