[Openid-specs-ab] 1000 WAYS TO DIE IN MOBILE OAUTH
John Bradley
ve7jtb at ve7jtb.com
Wed Aug 10 20:14:53 UTC 2016
It might be easier to start with JWT libraries for validating signatures and basic token formatting, rather than trying to start with a complete Connect implementation profile.
We do currently have deployment profiles that people test against. They do not, however, cover all the possible deployment scenarios.
John B.
> On Aug 10, 2016, at 4:10 PM, Nick Roy via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>
> Agreed - and we were only able to get to a point in this one specific set of sectors with SAML just this year, after years of in-the-field experience. The R&E community, for example, will probably need Roland's OIDC-fed specification, but that's still cooking.
>
> I wonder if a profiling exercise that targets the current large-scale deployers would help with initial development of the libraries, with an intentional effort to re-profile every $frequency to catch newer use cases and drive a roadmap to get those into the libraries?
>
> Nick
>
>> On Aug 10, 2016, at 2:02 PM, Anthony Nadalin <tonynad at microsoft.com> wrote:
>>
>> I would agree to the concept of a similar effort for OAuth, but it may be a daunting task to get agreement with the major players here, since they each service more than the education/government sector. I would hate to have to do this sector by sector.
>> From: Nick Roy [mailto:nroy at internet2.edu]
>> Sent: Wednesday, August 10, 2016 12:57 PM
>> To: Anthony Nadalin <tonynad at microsoft.com>
>> Cc: Adam Dawes <adawes at google.com>; openid-specs-ab at lists.openid.net
>> Subject: Re: [Openid-specs-ab] 1000 WAYS TO DIE IN MOBILE OAUTH
>>
>> The research and education and e-government multilateral SAML world has just gone through a profiling exercise intended to standardize implementations that claim to support multilateral SAML use cases. I think it was well worth the effort: http://kantarainitiative.github.io/SAMLprofiles/fedinterop.html
>>
>> Nick
>>
>> On Aug 10, 2016, at 1:48 PM, Anthony Nadalin <tonynad at microsoft.com> wrote:
>>
>> In order for this to actually happen there would have to be an agreed-upon set of scenarios and specification set, since there are a lot of “optional” and application-specific usages.
>>
>> From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nick Roy via Openid-specs-ab
>> Sent: Wednesday, August 10, 2016 12:19 PM
>> To: Adam Dawes <adawes at google.com>
>> Cc: openid-specs-ab at lists.openid.net
>> Subject: Re: [Openid-specs-ab] 1000 WAYS TO DIE IN MOBILE OAUTH
>>
>> I'd be very happy to see a set of well-engineered, security-focused client libraries that cover the bang-for-the-buck target audiences. I don't have any ability to help with that, but +1 the need.
>>
>> Nick
>>
>> On Aug 10, 2016, at 1:42 AM, Adam Dawes via Openid-specs-ab <Openid-specs-ab at lists.openid.net> wrote:
>>
>> I just looked through the deck and it seems that most of these relate to OAuth2 based auth flows. At the end, one of the recommendations is to adopt OIDC.
>>
>> But in our experience, developers also get OIDC wrong far too often. The thing that is the biggest problem is proper ID token verification (issuer and audience checks). I really think that the community would be very well served with excellent open source JWT validation libraries on all major frameworks/languages. Google would be very interested in working with others on this problem. Please let me know if you have interest/ideas about how to improve this.
>>
>> The other area that concerns me but doesn't seem to be a major issue yet is clientID spoofing on platforms like iOS. Users don't pay enough attention to consent screens so spoofing another client is an interesting phishing vector.
>>
>> On Tue, Aug 9, 2016 at 10:00 PM, Nat Sakimura via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>> Just found a briefing in Black Hat 2016 titled “1000 WAYS TO DIE IN MOBILE OAUTH” <https://www.blackhat.com/us-16/briefings.html#1000-ways-to-die-in-mobile-oauth>
>>
>> Says:
>>
>> > “(1) all major identity providers, e.g., Facebook, Google and Microsoft, have re-purposed OAuth for user authentication;”
>> > [..snip..]
>> > “The result is really worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable.
>>
>> Maybe we should dig in.
>>
>> --
>> PLEASE READ :This e-mail is confidential and intended for the
>> named recipient only. If you are not an intended recipient,
>> please notify the sender and delete this e-mail.
>>
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>>
>>
>> --
>> Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410
>>
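Two points in the thread above call for a concrete illustration: Adam Dawes's observation that relying parties most often get ID token verification wrong (the issuer and audience checks), and John Bradley's suggestion to start from JWT libraries that validate signatures and basic token formatting. The following is an added example written for this archive page; it is not code from the thread, from Google, or from any OpenID library. It assumes a constructed HS256 shared secret in place of the RS256/JWKS signature check a real OpenID Provider would use, and placeholder issuer and client_id values; the claim checks (alg pinning, iss, aud, azp, exp, nonce) are the ones OpenID Connect Core section 3.1.3.7 asks a client to perform.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class IDTokenError(Exception):
    """Raised when an ID token fails any validation step."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def validate_id_token(token: str, *, key: bytes, expected_issuer: str,
                      client_id: str, now: Optional[float] = None,
                      nonce: Optional[str] = None, leeway: int = 60) -> dict:
    """Verify the signature first, then iss/aud/azp/exp/nonce; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the deployment expects; never let the token choose it.
    # This rejects "none" and algorithm-confusion attempts in one check.
    if header.get("alg") != "HS256":
        raise IDTokenError("unexpected alg")

    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise IDTokenError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))

    # Issuer check: the token must come from the OP this client was configured for.
    if claims.get("iss") != expected_issuer:
        raise IDTokenError("issuer mismatch")

    # Audience check: aud may be a string or a list; this client_id must be in it.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise IDTokenError("audience mismatch")
    # With several audiences, azp must name this client.
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IDTokenError("azp mismatch")

    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise IDTokenError("token expired or exp missing")

    # Nonce binds the token to the authentication request that produced it.
    if nonce is not None and claims.get("nonce") != nonce:
        raise IDTokenError("nonce mismatch")
    return claims


def mint_test_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed helper for the demo only: HS256-signed, or unsigned when alg is 'none'."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


# Constructed placeholder values, not real deployment data.
DEMO_KEY = b"constructed-shared-secret-for-demo-only"
DEMO_ISSUER = "https://op.example"
DEMO_CLIENT = "client-app-123"
DEMO_NOW = 1_470_859_200  # fixed clock so the demo is reproducible


def demo() -> dict:
    """Map each constructed token to True (accepted) or False (rejected)."""
    good = {"iss": DEMO_ISSUER, "aud": DEMO_CLIENT, "sub": "user-1",
            "exp": DEMO_NOW + 300, "nonce": "n-1"}
    cases = {
        "good": mint_test_token(good, DEMO_KEY),
        "wrong_issuer": mint_test_token({**good, "iss": "https://other-op.example"}, DEMO_KEY),
        "wrong_audience": mint_test_token({**good, "aud": "some-other-client"}, DEMO_KEY),
        "alg_none": mint_test_token(good, DEMO_KEY, alg="none"),
        "expired": mint_test_token({**good, "exp": DEMO_NOW - 3600}, DEMO_KEY),
    }
    results = {}
    for name, tok in cases.items():
        try:
            validate_id_token(tok, key=DEMO_KEY, expected_issuer=DEMO_ISSUER,
                              client_id=DEMO_CLIENT, now=DEMO_NOW, nonce="n-1")
            results[name] = True
        except IDTokenError:
            results[name] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The order matters: the signature is checked before any claim is read, the algorithm is fixed by configuration rather than taken from the header, and the audience check treats the single-string and list forms of aud the same way. Swapping the HS256 step for RS256 against the provider's published JWKS leaves the rest of the checks unchanged.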