On 3 Jan 2018, at 07:07, Vladimir Dzhuvinov <vladi...@connect2id.com> wrote:
>
> On 02/01/18 19:01, Neil Madden wrote:
>> How does authentication address the problem?
> Authentication increases the effective entropy. An attacker first has to
> break the client secret, then successfully guess the token.
Authentication of parties using the introspection endpoint doesn’t increase entropy. If I have a 1 in 2^128 chance of correctly guessing an access token before you add authentication to the endpoint, then I still have the same probability of success afterwards. You’ve just made it harder for me to check my answers. But I can just try and actually use the token to see if it works. If access token guessing is a problem for token introspection, then it is a problem for essentially every part of the OAuth 2.0 ecosystem.

There is also the issue that attackers may have valid credentials anyway. If this attack is valid in the first place, then it is also valid to consider a malicious RS trying to compromise tokens for a different resource server. Unless you have a completely closed environment where all valid parties trust each other, then authentication doesn’t make much difference.

But the token scanning attack is already ruled out by the entropy requirements on access tokens. For example, suppose your application produces access tokens at a rate of 1 million per second, and they each last for 2 years. You will have a maximum of just over 63 trillion access tokens in circulation (~2^46). Assuming an attacker doesn’t care about which access token they compromise, then with the minimum entropy requirements of 128 bits they will require effort of approximately 2^(128-46) = 2^82 to guess any one of those access tokens. That should still be beyond the likely capabilities of anybody to achieve in a 2 year timespan. If you use the recommendation for 160-bit entropy, then they have effort of 2^114, which is comfortably beyond practical for the foreseeable future. (All assuming that you do not leak tokens by other means).

It is not a bad idea to require authentication on the token introspection endpoint, for other reasons mentioned in this thread. So I don’t think the RFC is wrong to recommend it, or even require it. But the stated rationale seems incorrect to me.

Regards,

Neil
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
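The effort estimate in Neil's message generalises to any issuance rate, token lifetime and entropy: with N valid tokens drawn from a space of 2^b, each blind guess succeeds with probability N/2^b, so the expected work is 2^(b - log2 N). The block below is an added example (not code from the thread or from any OAuth implementation) that carries that calculation through with the message's own numbers and pairs it with a token generator that meets the RFC 6749 section 10.10 minimum. It assumes a 365.25-day year, which the message does not state, and the function names are this example's own.

```python
"""Worked version of the token-guessing estimate from the thread.

Constructed example, not code from the mailing-list thread or from any
OAuth server.  Assumptions not stated in the message: a year of 365.25
days, and that tokens are opaque random strings (no structure an
attacker could exploit to prune the search space).
"""
import base64
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 86400  # assumption: mean Gregorian year


def tokens_in_circulation(issue_rate_per_s, lifetime_s):
    """Upper bound on simultaneously valid tokens: issuance rate x lifetime.

    With 1e6 tokens/s and a 2-year lifetime this is ~6.3e13, i.e. a little
    under 2^46, matching the ~63 trillion figure in the message.
    """
    return int(issue_rate_per_s * lifetime_s)


def attacker_effort_bits(issue_rate_per_s, lifetime_s, token_entropy_bits):
    """log2 of the expected number of guesses needed to hit *any* valid token.

    Each guess succeeds with probability N / 2^b, so the expected work is
    2^b / N = 2^(b - log2 N).  Note that nothing here depends on whether
    the introspection endpoint is authenticated: authentication only
    changes which oracle the attacker uses to check a guess, not b or N.
    """
    n = tokens_in_circulation(issue_rate_per_s, lifetime_s)
    return token_entropy_bits - math.log2(n)


def new_access_token(entropy_bits=160):
    """Opaque bearer token with the requested entropy, from the OS CSPRNG.

    RFC 6749 section 10.10 requires at least 128 bits and recommends 160;
    the default follows the recommendation.  Output is unpadded URL-safe
    base64 so it is safe in headers and query strings.
    """
    if entropy_bits < 128:
        raise ValueError("RFC 6749 section 10.10 requires at least 128 bits")
    nbytes = (entropy_bits + 7) // 8
    raw = secrets.token_bytes(nbytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    lifetime = 2 * SECONDS_PER_YEAR
    print(f"tokens in circulation: {tokens_in_circulation(1_000_000, lifetime):,}")
    for bits in (128, 160):
        effort = attacker_effort_bits(1_000_000, lifetime, bits)
        print(f"{bits}-bit tokens: ~2^{effort:.1f} guesses to hit any valid token")
    print("sample 160-bit token:", new_access_token())
```

Run it as a script to see the thread's two figures (about 2^82 and 2^114) come out of the formula; change the issuance rate or lifetime to see how little they move the result compared with the choice of entropy, which is the point the message is making.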