[Openid-specs-ab] 1000 WAYS TO DIE IN MOBILE OAUTH

Nick Roy nroy at internet2.edu
Wed Aug 10 19:56:42 UTC 2016

The research and education and e-government multilateral SAML world has just gone through a profiling exercise intended to standardize implementations that claim to support multilateral SAML use cases.  I think it was well worth the effort: http://kantarainitiative.github.io/SAMLprofiles/fedinterop.html


On Aug 10, 2016, at 1:48 PM, Anthony Nadalin <tonynad at microsoft.com> wrote:

In order for this to actually happen there would have to be an agreed-upon set of scenarios and specification set, since there are a lot of “optional” and application-specific usages.

From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nick Roy via Openid-specs-ab
Sent: Wednesday, August 10, 2016 12:19 PM
To: Adam Dawes <adawes at google.com>
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] 1000 WAYS TO DIE IN MOBILE OAUTH

I'd be very happy to see a set of well-engineered, security-focused client libraries that cover the bang-for-the-buck target audiences.  I don't have any ability to help with that, but +1 the need.


On Aug 10, 2016, at 1:42 AM, Adam Dawes via Openid-specs-ab <Openid-specs-ab at lists.openid.net> wrote:

I just looked through the deck and it seems that most of these relate to OAuth2 based auth flows. At the end, one of the recommendations is to adopt OIDC.

But in our experience, developers also get OIDC wrong far too often. The thing that is the biggest problem is proper ID token verification (issuer and audience checks). I really think that the community would be very well served with excellent open source JWT validation libraries on all major frameworks/languages. Google would be very interested in working with others on this problem. Please let me know if you have interest/ideas about how to improve this.

The other area that concerns me but doesn't seem to be a major issue yet is clientID spoofing on platforms like iOS. Users don't pay enough attention to consent screens so spoofing another client is an interesting phishing vector.

On Tue, Aug 9, 2016 at 10:00 PM, Nat Sakimura via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
Just found a briefing in Blackhat 2016 titled “1000 WAYS TO DIE IN MOBILE OAUTH” <https://www.blackhat.com/us-16/briefings.html#1000-ways-to-die-in-mobile-oauth>


> “(1) all major identity providers, e.g., Facebook, Google and Microsoft, have re-purposed OAuth for user authentication;”
> [..snip..]
> “The result is really worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable.”

Maybe we should dig in.


Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net

Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410

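Adam Dawes' point above about issuer and audience checks, as an added example that is not from the thread or from any participant's code: a minimal ID token validator that performs the OIDC Core 3.1.3.7 claim checks (pinned alg, signature, iss, aud/azp, exp, nonce) and reports which one failed. It assumes a confidential client whose ID tokens are HS256-signed with the client_secret (OIDC Core 10.1); the issuer, client_id, secret and tokens are constructed values, and a deployment validating RS256 tokens against the provider's JWKS would swap only the signature step.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_id_token(claims: dict, secret: str) -> str:
    """Mint an HS256 ID token; constructed here only to feed the validator below."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_id_token(token, secret, issuer, client_id, nonce=None, now=None, leeway=60):
    """Return (claims, None) on success or (None, reason) on the first failed check.
    Assumes a confidential client with HS256 tokens keyed by client_secret."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(b))
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return None, "malformed token"
    # Pin the algorithm: the header's alg must never select the verifier
    # (rejects "none" and RS256->HS256 key-confusion tokens outright).
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret.encode(), f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None, "bad signature"
    if claims.get("iss") != issuer:  # exact match, not prefix/substring
        return None, "issuer mismatch"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:  # token minted for another client is not ours
        return None, "audience mismatch"
    # With multiple audiences azp is required, and when present it must name us.
    if (len(aud) > 1 or "azp" in claims) and claims.get("azp") != client_id:
        return None, "azp mismatch"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] < now - leeway:
        return None, "token expired"
    if nonce is not None and claims.get("nonce") != nonce:  # replay binding
        return None, "nonce mismatch"
    return claims, None
```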

