>> OAuth issues security tokens without indicating where they can be safely
>> used. While that fatal flaw remains, it is pointless to specify the use of
>> the Origin header.
> I don't think anything should be in the base as the different token profiles
> can stipulate the audience.
But t
.
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
Manger, James H
Sent: Sunday, March 27, 2011 7:42 PM
To: Eran Hammer-Lahav; OAuth Mailing List
Subject: Re: [OAUTH-WG] Indicating origin of OAuth credentials to combat login
CSRF
>> Q. Should an OAuth client app li
>> Q. Should an OAuth client app list the authorization server in the Origin
>> header of requests to resource servers?
> Was there any conclusion?
My conclusion is that the Origin request header is the right place to list the
OAuth authorization server to combat login CSRF attacks against
Was there any conclusion?
EHL
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
Manger, James H
Sent: Thursday, February 24, 2011 4:09 PM
To: OAuth Mailing List; web...@ietf.org
Subject: [OAUTH-WG] Indicating origin of OAuth credentials to combat login CSRF
Q. Should an
; Manger, James H
Cc: Karen P. Lewison
Subject: RE: [OAUTH-WG] Indicating origin of OAuth credentials to combat login
CSRF
Hi James,
I think I got it now. Thanks for explaining it so patiently.
The attack is only possible if there are multiple independent authorization
servers that d
: Francisco Corella [mailto:fcore...@pomcor.com]
Sent: Tuesday, 1 March 2011 4:17 PM
To: OAuth Mailing List; Manger, James H
Cc: Karen P. Lewison
Subject: RE: [OAUTH-WG] Indicating origin of OAuth credentials to combat login
CSRF
Hi James,
I think I got it now. Thanks for explaining it so patien
k endpoint, the resource servers are
Facebook endpoints, and the attack is not possible.
Francisco
--- On Tue, 3/1/11, Manger, James H wrote:
From: Manger, James H
Subject: RE: [OAUTH-WG] Indicating origin of OAuth credentials to combat login
CSRF
To: "fcore...@pomcor.com" , "OAut
Francisco,
>> A client that follows HTTP redirects (or Link: header or any
>> other variety of hypertext) might get directed to a 2nd
>> service while still using the token from the 1st service.
> But why would a legitimate authorization server redirect the
> client to an attacker's server?
Hi James,
> A client that follows HTTP redirects (or Link: header or any
> other variety of hypertext) might get directed to a 2nd
> service while still using the token from the 1st service.
But why would a legitimate authorization server redirect the
client to an attacker's server?
Francisco
Hi Francisco,
>> Q. Should an OAuth client app list the authorization server
>> in the Origin header of requests to resource servers?
>>
>> In OAuth (delegation) flows a server dynamically issues
>> credentials (such as a bearer token) to a client app to use
>> in subsequent HTTP requests t
Torsten Lodderstedt said: "I would expect the token to carry information about
its issuer. Would this be sufficient in order to detect CSRF?"
No.
A Login CSRF attack involves a legitimate token (listing the legitimate issuer)
that an attacker received being given to a victim client. The client
Hi James,
I would expect the token to carry information about its issuer. Would
this be sufficient in order to detect CSRF?
regards,
Torsten.
On 25.02.2011 01:08, Manger, James H wrote:
Q. Should an OAuth client app list the authorization server in the
Origin header of requests to resour
a pre-session cookie and
implementing a state parameter that is not even mentioned in the specification?
Francisco
--- On Sat, 2/26/11, Brian Eaton wrote:
From: Brian Eaton
Subject: Re: [OAUTH-WG] Indicating origin of OAuth credentials to combat login
CSRF
To: fcore...@pomcor.com
Cc: "
I don't think the advice from the OAuth 1.0a spec is wrong:
http://oauth.net/core/1.0a/#anchor38
"Cross-Site Request Forgery (CSRF) is a web-based attack whereby HTTP
requests are transmitted from a user that the website trusts or has
authenticated. CSRF attacks on OAuth approvals can allow an at
Hi James,
You raise an interesting point. I hadn't thought about the
threat of Login CSRF.
> Q. Should an OAuth client app list the authorization server
> in the Origin header of requests to resource servers?
>
> In OAuth (delegation) flows a server dynamically issues
> credentials (such as a b
Q. Should an OAuth client app list the authorization server in the Origin
header of requests to resource servers?
In OAuth (delegation) flows a server dynamically issues credentials (such as a
bearer token) to a client app to use in subsequent HTTP requests to other
servers. To combat login c