Re: [OAUTH-WG] A Scope Attack against OAuth 2.0

2012-02-17 Thread Dick Hardt
Some of the more interesting capabilities that an app can ask for are revokable by the user later on. Facebook has an API call /me/permissions that lets an app determine what permissions the user has granted the app. If need be the app can then ask (or re-ask) for additional scopes. Additiona

Re: [OAUTH-WG] A Scope Attack against OAuth 2.0

2012-02-17 Thread William Mills
I don't think the problem as described is an attack per se; the user is able to modify the rights being granted. The user is after all in control of what they want to allow. In this case it looks like FB's implementation is pretty loose with the games apps and there's no guarantee you'll get th

[OAUTH-WG] A Scope Attack against OAuth 2.0

2012-02-17 Thread Wenjie Lin
We describe an attack on OAuth 2.0 (draft-ietf-oauth-v2-23), called *scope attack*, provide a live demo of the attack on Facebook, and propose a fix with discussions. *Scope Attack* OAuth authorization of services is associated with service agreement scope. For instance, Client provides an onli
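The two posts above (Wenjie Lin's scope attack and Dick Hardt's point that a client can check what was actually granted and re-ask) both come down to one client-side rule: never assume the scope you requested is the scope you received. The following is an added example, not code from this thread or from any of its authors. It relies on draft-ietf-oauth-v2-23 section 5.1, where the `scope` parameter of the access token response is REQUIRED whenever the granted scope differs from the requested one and may be omitted only when they are identical. The token response, the permissions listing and its `{"data": [...]}` shape, the endpoint URLs, and the client_id are constructed sample values and assumptions, not Facebook's actual API.

```python
"""Client-side check against an OAuth 2.0 scope downgrade.

Added example, not code from the OAUTH-WG thread. The user may narrow the
requested scope on the consent page, so the client must compare what it
asked for with what the authorization server reports as granted, gate
each feature on the scopes it really holds, and re-request only what is
missing. All sample data below is constructed.
"""
from __future__ import annotations

from urllib.parse import urlencode


def granted_scopes(requested: set[str], token_response: dict) -> set[str]:
    """Return the scope set the server actually granted.

    draft-ietf-oauth-v2-23 section 5.1: 'scope' is REQUIRED in the token
    response if it differs from the request, OPTIONAL if identical. So a
    missing 'scope' means "same as requested"; a present one is authoritative.
    """
    raw = token_response.get("scope")
    if raw is None:
        return set(requested)
    return set(raw.split())  # scope-token list is space-delimited (section 3.3)


def permissions_from_listing(listing: dict) -> set[str]:
    """Parse a permissions listing fetched later, when grants may have been revoked.

    ASSUMED shape, modelled loosely on a /me/permissions style response:
    {"data": [{"email": 1, "publish_stream": 1}]}  (1 = granted). Not the
    real API; adapt to whatever the provider actually returns.
    """
    granted: set[str] = set()
    for entry in listing.get("data", []):
        granted.update(name for name, flag in entry.items() if flag == 1)
    return granted


def missing_scopes(required: set[str], granted: set[str]) -> set[str]:
    """Scopes a feature needs but the client does not currently hold."""
    return set(required) - set(granted)


def gate_feature(required: set[str], granted: set[str]) -> bool:
    """True only if every scope the feature needs was actually granted."""
    return not missing_scopes(required, granted)


def reauthorize_url(authz_endpoint: str, client_id: str, redirect_uri: str,
                    missing: set[str], state: str) -> str:
    """Build an authorization request asking only for the missing scopes.

    'state' binds the request to the client session (section 10.12); the
    caller must generate it unguessably and verify it on the redirect back.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(missing)),
        "state": state,
    }
    return f"{authz_endpoint}?{urlencode(params)}"


# Constructed sample: the client asked for three scopes, the user unchecked
# 'user_photos' on the consent screen, and the server reported the reduced set.
REQUESTED = {"email", "user_photos", "publish_stream"}
TOKEN_RESPONSE = {
    "access_token": "2YotnFZFEjr1zCsicMWpAA",  # constructed sample token
    "token_type": "bearer",
    "expires_in": 3600,
    "scope": "email publish_stream",
}
# Constructed sample listing fetched later: the user has since revoked 'email'.
LATER_LISTING = {"data": [{"installed": 1, "email": 0, "publish_stream": 1}]}

if __name__ == "__main__":
    granted = granted_scopes(REQUESTED, TOKEN_RESPONSE)
    print("granted at token time:", sorted(granted))
    print("photo feature allowed:", gate_feature({"user_photos"}, granted))
    need = missing_scopes({"user_photos"}, granted)
    print(reauthorize_url("https://as.example/authorize", "s6BhdRkqt3",
                          "https://client.example/cb", need, "xyz"))
    print("still granted later:", sorted(permissions_from_listing(LATER_LISTING)))
```

The point of `gate_feature` is that the check happens per feature at use time, not once at login: a client that stores "user consented" as a boolean is exactly the client the scope attack targets, and a client that re-reads the permissions listing catches later revocation as well.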

[OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -17

2012-02-17 Thread Mike Jones
Draft 17 of the OAuth 2.0 Bearer Token Specification has been published. This version changes the RFCs referenced for certificate chain verification. The wording was proposed by Alexey Melnikov as part of the Gen-ART review. It contains

[OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-17.txt

2012-02-17 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title: The OAuth 2.0 Authorization Protocol: Bearer Tokens Author(s): Michael B. Jones

Re: [OAUTH-WG] tsv-dir review of draft-ietf-oauth-v2-23

2012-02-17 Thread Songhaibin
Hi Justin, Thank you for the clarification. See in line. > -Original Message- > From: Justin Richer [mailto:jric...@mitre.org] > Sent: Wednesday, February 15, 2012 9:44 PM > To: Songhaibin > Cc: tsv-...@tools.ietf.org; draft-ietf-oauth...@tools.ietf.org; Martin > Stiemerling; > oauth@iet

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-01.txt

2012-02-17 Thread Julian Reschke
On 2012-02-17 00:14, Eran Hammer wrote: I haven't seen much feedback so I assume this is almost ready for LC. I will apply the suggestions below and will request a WGLC for -02. EH You should align with the Bearer spec on referencing httpbis P7, and apply some of the changes we discussed for