Does OAuth security vulnerability affect OpenID/OAuth hybrid?
Allen Tom
atom at yahoo-inc.com
Wed May 13 05:06:30 UTC 2009
Hi Luke,
I don't think there's a session fixation issue with Hybrid, but I
believe that several individuals raised concerns regarding auto-approval
of OAuth tokens using regular OAuth, which is essentially the same thing
as checkid_immediate mode in Hybrid.
Is there really a reason why an RP would need the OAuth token returned
in a checkid_immediate response if the user had previously authorized
one on an earlier visit?
Allen
Luke Shepard wrote:
> (hijacking thread a bit)
>
> Allen-
>
> If I understand it correctly, the OAuth security issue doesn't affect
> the hybrid spec in the same way.
>
> With the OAuth session fixation vulnerability, the problem comes if
> the attacker does the following:
>
> 1. Request a request token by pretending to request access
> 2. Force the user to go to a url using that request token
> 3. Muah! Calculate what the return_to url would have been, and use
> the pre-known request token to gain access to the user's account
> info.
>
>
> In the OAuth hybrid flow, there is no pre-registered request token;
> instead, the token is returned, securely, in the URL. It is protected
> by the fact that OpenID requires the realm to match the return_to, and
> many providers can require that the OAuth request realm also match the
> OpenID realm. In this flow, there's no way for the attacker to
> intercept the request_token before it makes its way back to the
> correct user.
>
> Perhaps the problem is more subtle than I understood, but I just want
> to make sure I'm clear on the issues.
>
> On 5/12/09 9:48 PM, "Allen Tom" <atom at yahoo-inc.com> wrote:
>
> Hi Nat,
>
> Here you go:
>
> http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html
>
> We might need to revise the spec to not support checkid_immediate for
> the Hybrid flow, because auto-issuing OAuth access tokens is
> probably a
> bad thing, in light of the recent OAuth security issue.
>
> Allen
>
>
>
>
>
> Nat Sakimura wrote:
> > Hi.
> >
> > Where can I find the most current version of OpenID / OAuth
> hybrid spec draft?
> > I would like to look at it to see if I can borrow as much from the
> > draft for what I am thinking right now.
> >
> >
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
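The session-fixation attack Luke sketches above (attacker obtains a request token, lures the user into authorizing it, then visits the consumer's callback with the pre-known token) is easy to see in a small model. The following is an added example, not code from the thread, the Step2 spec or any real provider: it models a toy OAuth 1.0 Service Provider and Consumer, runs the attack against the original 1.0 exchange, then against the 1.0a fix (an oauth_verifier minted at approval time and delivered only through the authorizing user's redirect, which the consumer must present at the access-token exchange). All names, endpoints, sessions and users are constructed for the example.

```python
"""Toy model of the 2009 OAuth 1.0 session-fixation attack and the 1.0a fix.
Everything here (provider, consumer, URLs, users) is constructed for the
example; it is not the Step2 hybrid spec or any real implementation."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass
class RequestToken:
    consumer: str
    callback: str
    authorized_by: str | None = None   # resource owner who approved it
    verifier: str | None = None        # 1.0a only, minted at approval time


class Provider:
    """Service Provider. fixed=True enforces OAuth 1.0a semantics."""

    def __init__(self, fixed: bool) -> None:
        self.fixed = fixed
        self.request_tokens: dict[str, RequestToken] = {}
        self.access_tokens: dict[str, str] = {}   # access token -> resource owner

    def request_token(self, consumer: str, callback: str) -> str:
        tok = secrets.token_hex(8)
        self.request_tokens[tok] = RequestToken(consumer, callback)
        return tok

    def authorize(self, tok: str, user: str) -> str:
        """Resource owner approves tok; returns the redirect for *their* browser."""
        rt = self.request_tokens[tok]
        rt.authorized_by = user
        if not self.fixed:
            return f"{rt.callback}?oauth_token={tok}"
        rt.verifier = secrets.token_hex(8)    # reaches the consumer only via this redirect
        return f"{rt.callback}?oauth_token={tok}&oauth_verifier={rt.verifier}"

    def access_token(self, consumer: str, tok: str, verifier: str | None) -> str:
        rt = self.request_tokens.pop(tok)     # single use
        if rt.consumer != consumer or rt.authorized_by is None:
            raise PermissionError("request token not authorized")
        if self.fixed and (verifier is None or not secrets.compare_digest(verifier, rt.verifier)):
            raise PermissionError("oauth_verifier missing or wrong")
        at = secrets.token_hex(8)
        self.access_tokens[at] = rt.authorized_by
        return at

    def whoami(self, at: str) -> str:
        return self.access_tokens[at]


class Consumer:
    """Relying party; state is keyed by browser session (constructed names)."""
    NAME = "example-consumer"
    CALLBACK = "https://consumer.example/oauth/callback"

    def __init__(self, provider: Provider) -> None:
        self.sp = provider
        self.sessions: dict[str, dict] = {}

    def start(self, session: str) -> str:
        tok = self.sp.request_token(self.NAME, self.CALLBACK)
        self.sessions[session] = {"request_token": tok}
        return f"https://sp.example/authorize?oauth_token={tok}"

    def callback(self, session: str, query: dict) -> str:
        """Finish the flow for whichever session presents the callback; returns the account."""
        s = self.sessions[session]
        if query.get("oauth_token") != s["request_token"]:
            raise PermissionError("token does not belong to this session")
        at = self.sp.access_token(self.NAME, s["request_token"], query.get("oauth_verifier"))
        s["access_token"] = at
        return self.sp.whoami(at)


def parse_query(url: str) -> dict:
    return dict(parse_qsl(urlsplit(url).query))


def run_attack(fixed: bool) -> str | None:
    """Account the attacker ends up bound to, or None if the exchange is refused."""
    sp, rp = Provider(fixed), None
    rp = Consumer(sp)
    authorize_url = rp.start("attacker-session")            # 1. attacker starts the flow
    tok = parse_query(authorize_url)["oauth_token"]
    sp.authorize(tok, "victim@example")                      # 2. victim is lured into approving;
                                                             #    the redirect goes to the victim only
    try:                                                     # 3. attacker hits the guessed callback
        return rp.callback("attacker-session", {"oauth_token": tok})
    except PermissionError:
        return None


def run_legit(fixed: bool) -> str:
    """Normal flow: the same browser starts, approves and follows the redirect."""
    sp = Provider(fixed)
    rp = Consumer(sp)
    tok = parse_query(rp.start("alice-session"))["oauth_token"]
    redirect = sp.authorize(tok, "alice@example")
    return rp.callback("alice-session", parse_query(redirect))


if __name__ == "__main__":
    print("OAuth 1.0  attack ->", run_attack(fixed=False))   # victim@example
    print("OAuth 1.0a attack ->", run_attack(fixed=True))    # None
```

With fixed=False the attacker's session at the consumer is bound to the victim's access token, which is the outcome Luke describes. With fixed=True the exchange fails because the verifier only ever reached the victim's browser; the consumer's own check that the token belongs to the presenting session is not enough on its own, since the attacker's session is exactly the one that started the flow.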