[Openid-specs-ab] Lite Draft 8

John Bradley ve7jtb at ve7jtb.com
Thu Aug 18 02:35:17 UTC 2011

The problem as Facebook has discovered with their token leakage problem is that anyone who gets a access token for the protected resource (graph API or twitter api) can then use that token in the implicit/client side flow to impersonate the user in OAuth 2.0 bearer token.  

The token for the resource is generaly longer lived than the users interactive session that wants to expire once the user logs out of the IdP.  
Some people want the access token to be good for multiple endpoints until it is revoked.

(That reminds me,  we need to say something about the grant lifetime for the scopes in openID for interoperability.)

We did discuss using a JWT for the access token so that it could do double duty.   
Some people like Sales Force have existing code for there access tokens so they don't want to change that.
Another issue is token size,  making the session token carry all of the scope information for the user-info and other endpoints may make the token too large to be practical.

It would also be more complicated for the RP to get right, than keeping the session and access grant tokens separate.

A common example of what not to do with OAuth from a privacy point of view is the twitter example of implicitly tying the identity to the grant of access to the persons twitter feed.  
Allowing everyone you log into to post to twitter as you is perhaps not a good thing when generalized to a SSO solution.

The conversations I have had with NIST/GSA people indicate there strong preference for separating the session grant from other grants.   They consider some of the existing OAuth systems vulnerable.

Perhaps a security review discussion is something we should add to the Sep meeting.

John B.
On 2011-08-17, at 9:19 PM, Allen Tom wrote:

> Hi John - can you elaborate a bit more on why it's a "real security problem" in the Twitter case? Can you outline an example exploit?
> Thanks
> Allen
> On Tue, Aug 16, 2011 at 4:31 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> The two tokens have potentially different scopes and lifetimes.
> There are good reasons for separating resource authorization from session authentication.
> It is true that twitter and others confuse those.   That however is a real security problem.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110817/e9a182a7/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4767 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110817/e9a182a7/attachment-0001.p7s>

More information about the Openid-specs-ab mailing list