So just to make sure I understand...
This specification requires the response from the Authorization Server
to an successful /authorize call to pass back code=, state= and jwt= (?)
or individually iss= and aud= as URL parameters on the 302 to the
redirect_url. This way, before the client issues a call to the /token
endpoint (with the code), it can verify that the token endpoint is correct.
If the client doesn't validate the endpoints at this step, then it could
disclose it's secret to a malicious endpoint. Correct?
Thanks,
George
On 1/11/16 2:59 PM, Mike Jones wrote:
The alternatives for the code flow are to return them either in a new
JWT added to the reply containing them in the “iss” and “aud” claims
or to return them in new individual “client_id” and “iss”
authorization response parameters. Both alternatives are described in
the draft. I’m sure that we’ll now be having a good engineering
discussion on the tradeoffs between the alternatives.,
In a separate draft, John Bradley will shortly also be describing the
possibility of securing the “state” value using a “state_hash” value
that works in a way that’s similar to how “at_hash” and “c_hash”
secure the “access_token” and “code” values in Connect. This would be
an alternative means of binding the authorization request and response
to the session – accomplishing the same thing that the Connect “nonce”
does.
While I fully get that some OAuth implementations want to avoid having
to have crypto, it seems like at least support for cryptographic
hashing (SHA-256, etc.) may be necessary to mitigate some of these
attacks (at least for clients that use more than one authorization
server).
The other important engineering discussion I know we’re going to have
is whether, when an OAuth profile already returns the information
needed for the mitigation, whether we want to specify that the client
obtain it from the existing location, or whether to also return it in
a duplicate location. I’ll note that OpenID Connect already returns
the client ID and issuer for the flows that return an ID Token in the
authorization response, so this isn’t a hypothetical question.
Finally, I know that we’ll need to discuss the impact of cut-and-paste
attacks when the issuer and client ID are returned as individual
authorization response parameters that are not cryptographically bound
to the rest of the response. The cut-and-paste attack that returning
the issuer and client_id values as separate parameters enables, even
when state_hash or nonce is used, is for the attacker to capture the
legitimate response containing “iss” and “client_id” results and
substitute different values for these fields, then post that altered
response to the legitimate client. The state and/or nonce values are
protected against substitution but “iss” and “client_id” are not.
And yes, I absolutely agree that good examples are essential. That’s
high on my list for the -01 version.
Thanks a bunch,
-- Mike
*From:*George Fletcher [mailto:gffle...@aol.com]
*Sent:* Monday, January 11, 2016 10:21 AM
*To:* Mike Jones <michael.jo...@microsoft.com>; oauth@ietf.org
*Subject:* Re: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation
Thanks Mike. One question after reading about the different attack
vectors and this spec...
How are the 'iss' and 'aud' values returned with the 'code' and
'state' parameters. It seems the client needs to verify the endpoints
before making the request to exchange the code for a token. If the
client is using the default OAuth2 client_id and client_secret these
values will be sent to the malicious endpoint if the client can't
verify the endpoints before hand.
Also, it would be nice to add some non-normative examples to the spec.
Thanks,
George
On 1/11/16 4:27 AM, Mike Jones wrote:
Yesterday Hannes Tschofenig announced an OAuth Security Advisory
on Authorization Server Mix-Up
<https://mailarchive.ietf.org/arch/msg/oauth/JIVxFBGsJBVtm7ljwJhPUm3Fr-w>.
This note announces the publication of the strawman OAuth 2.0
Mix-Up Mitigation draft he mentioned that mitigates the attacks
covered in the advisory. The abstract of the specification is:
This specification defines an extension to The OAuth 2.0
Authorization Framework that enables an authorization server to
provide a client using it with a consistent set of metadata about
itself. This information is returned in the authorization
response. It can be used by the client to prevent classes of
attacks in which the client might otherwise be tricked into using
inconsistent sets of metadata from multiple authorization servers,
including potentially using a token endpoint that does not belong
to the same authorization server as the authorization endpoint
used. Recent research publications refer to these as "IdP Mix-Up"
and "Malicious Endpoint" attacks.
The gist of the mitigation is having the authorization server
return the client ID and its issuer identifier (a value defined in
the OAuth Discovery specification
<http://self-issued.info/?p=1496>) so that the client can verify
that it is using a consistent set of authorization server
configuration information, that the client ID is for that
authorization server, and in particular, that the client is not
being confused into sending information intended for one
authorization server to a different one. Note that these attacks
can only be made against clients that are configured to use more
than one authorization server.
Please give the draft a quick read and provide feedback to the
OAuth working group. This draft is very much a starting point
intended to describe both the mitigations and the decisions and
analysis remaining before we can be confident in standardizing a
solution. Please definitely read the Security Considerations and
Open Issues sections, as they contain important information about
the choices made and the decisions remaining.
Special thanks go to Daniel Fett (University of Trier), Christian
Mainka (Ruhr-University Bochum), Vladislav Mladenov
(Ruhr-University Bochum), and Guido Schmitz (University of Trier)
for notifying us of the attacks and working with us both on
understanding the attacks and on developing mitigations. Thanks
too to Hannes Tschofenig for organizing a meeting on this topic
last month and to Torsten Lodderstedt and Deutsche Telekom for
hosting the meeting.
The specification is available at:
·http://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-00
An HTML-formatted version is also available at:
·http://self-issued.info/docs/draft-jones-oauth-mix-up-mitigation-00.html
-- Mike
P.S. This note was also posted at http://self-issued.info/?p=1524
and as @selfissued <https://twitter.com/selfissued>.
_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
--
Chief Architect
Identity Services Engineering Work:george.fletc...@teamaol.com
<mailto:george.fletc...@teamaol.com>
AOL Inc. AIM: gffletch
Mobile: +1-703-462-3494 Twitter:http://twitter.com/gffletch
Office: +1-703-265-2544 Photos:http://georgefletcher.photography
--
Chief Architect
Identity Services Engineering Work: george.fletc...@teamaol.com
AOL Inc. AIM: gffletch
Mobile: +1-703-462-3494 Twitter: http://twitter.com/gffletch
Office: +1-703-265-2544 Photos: http://georgefletcher.photography
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
