Does OAuth security vulnerability affect OpenID/OAuth hybrid?

Andrew Arnott andrewarnott at gmail.com
Thu May 14 00:05:00 UTC 2009


I would expect a decent OP to consider that it goes without saying that
checkid_immediate wouldn't have a reasonable OAuth token authorizing
scenario and block it.  So I agree it's good to call it out in the spec.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre


On Tue, May 12, 2009 at 10:06 PM, Allen Tom <atom at yahoo-inc.com> wrote:

>  Hi Luke,
>
> I don't think there's a session fixation issue with Hybrid, but I believe
> that several individuals raised concerns regarding auto-approval of OAuth
> tokens using regular OAuth, which is essentially the same thing as
> checkid_immediate mode in Hybrid.
>
> Is there really a reason why an RP would need the OAuth token returned in a
> checkid_immediate response if the user had previously authorized one on an
> earlier visit?
>
> Allen
>
>
> Luke Shepard wrote:
>
> (hijacking thread a bit)
>
> Allen-
>
> If I understand it correctly, the OAuth security issue doesn’t affect the
> hybrid spec in the same way.
>
> With the OAuth session fixation vulnerability, the problem comes if the
> attacker does the following:
>
>
>    1. Request a request token by pretending to request access
>    2. Force the user to go to a url using that request token
>    3. Muah! Calculate what the return_to url would have been, and use the
>    pre-known request token to gain access to the user’s account info.
>
>
> In the OAuth hybrid flow, there is no pre-registered request token;
> instead, the token is returned, securely, in the URL. It is protected by the
> fact that OpenID requires the realm to match the return_to, and many
> providers can require that the Oauth request realm also match the OpenID
> realm. In this flow, there’s no way for the attacker to intercept the
> request_token before it makes its way back to the correct user.
>
> Perhaps the problem is more subtle than I understood, but I just want  to
> make sure I’m clear on the issues.
>
> On 5/12/09 9:48 PM, "Allen Tom" <atom at yahoo-inc.com> wrote:
>
>  Hi Nat,
>
> Here you go:
>
>
> http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html
>
> We might need to revise the spec to not support checkid_immediate for
> the Hybrid flow, becuase auto-issuing OAuth access tokens is probably a
> bad thing, in light of the recent OAuth security issue.
>
> Allen
>
>
>
>
>
> Nat Sakimura wrote:
> > Hi.
> >
> > Where can I find the most current version of OpenID / OAuth hybrid spec
> draft?
> > I would like to look at it to see if I can borrow as much from the
> > draft for what I am thinking right now.
> >
> >
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
>
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20090513/d3425bf4/attachment.htm>


More information about the specs mailing list