Does OAuth security vulnerability affect OpenID/OAuth hybrid?

Luke Shepard lshepard at facebook.com
Wed May 13 05:19:44 UTC 2009


I can certainly think of examples where you would NOT need the token returned, but I can also think of examples where it's useful. I'd be wary of writing something that prohibits or recommends against it in conjunction with the OAuth security vulnerability, because I think they are unrelated.

For example, an OP may want to re-send a freshly authorized token, if the previous one has timed out. This is how Facebook Connect behaves (if you re-visit a site more than an hour after the first auth, then a background ping will refresh the token).


On 5/12/09 10:06 PM, "Allen Tom" <atom at yahoo-inc.com> wrote:

Hi Luke,

I don't think there's a session fixation issue with Hybrid, but I believe that several individuals raised concerns regarding auto-approval of OAuth tokens using regular OAuth, which is essentially the same thing as checkid_immediate mode in Hybrid.

Is there really a reason why an RP would need the OAuth token returned in a checkid_immediate response if the user had previously authorized one on an earlier visit?

Allen


Luke Shepard wrote:
Does OAuth security vulnerability affect OpenID/OAuth hybrid? (hijacking thread a bit)

Allen-

If I understand it correctly, the OAuth security issue doesn't affect the hybrid spec in the same way.

With the OAuth session fixation vulnerability, the problem comes if the attacker does the following:

 1.  Request a request token by pretending to request access
 2.  Force the user to go to a url using that request token
 3.  Muah! Calculate what the return_to url would have been, and use the pre-known request token to gain access to the user's account info.

In the OAuth hybrid flow, there is no pre-registered request token; instead, the token is returned, securely, in the URL. It is protected by the fact that OpenID requires the realm to match the return_to, and many providers can require that the OAuth request realm also match the OpenID realm. In this flow, there's no way for the attacker to intercept the request_token before it makes its way back to the correct user.

Perhaps the problem is more subtle than I understood, but I just want to make sure I'm clear on the issues.

On 5/12/09 9:48 PM, "Allen Tom" <atom at yahoo-inc.com> wrote:


Hi Nat,

Here you go:

 http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html

We might need to revise the spec to not support checkid_immediate for the Hybrid flow, because auto-issuing OAuth access tokens is probably a bad thing, in light of the recent OAuth security issue.

Allen

Nat Sakimura wrote:
> Hi.
>
> Where can I find the most current version of OpenID / OAuth hybrid spec draft?
> I would like to look at it to see if I can borrow as much from the
> draft for what I am thinking right now.
>
>

_______________________________________________
specs mailing list
 specs at openid.net
 http://openid.net/mailman/listinfo/specs