[Openid-specs-ab] Transient Client Secret Extension for OAuth

Nat Sakimura sakimura at gmail.com
Mon Jul 29 07:23:29 UTC 2013


Hi Ryo,

So, are you concerned with the client not generating a proper random secret
or state?
Yes, generating a proper random value is actually kind of hard. So generating it
at the server makes kind of sense.
At the same time, I am a bit concerned about the increased attack surface
and the server load.

What do others think of the idea?

Nat



2013/7/29 Ryo Ito <ritou.06 at gmail.com>

> Hi,
>
> I have an idea like this.
>
> OAuth CSRF Protection Extension
>
>
> (There are no draft specifications about this yet.)
>
> About confidential clients, there are clients that have a risk of CSRF without
> using the state parameter correctly, but it is not easy for the server to
> detect these clients.
> I think that the string of tcs (and tcsh) in your specifications should be
> generated on the server side.
>
> Ryo.
>
>
> 2013/7/29 Nat Sakimura <sakimura at gmail.com>
>
>> As some of you know, passing the code securely to a native app on the iOS
>> platform is next to impossible. A malicious application may register the same
>> custom scheme as the victim application and hope to obtain the code, and its
>> success rate is rather high.
>>
>> We discussed it during the OpenID Connect Meeting at IETF 87
>> today, and I have captured the discussion in the form of an I-D. It is pretty
>> short and hopefully easy to read.
>>
>> You can find it at:
>>
>> https://bitbucket.org/Nat/drafts/src/
>>
>> Comments are welcome.
>>
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>>
>
>
> --
> ====================
> Ryo Ito
> Email : ritou.06 at gmail.com
> ====================
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
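The mechanism the thread is discussing, as an added illustration that is not part of the draft or of any message above: the client draws a transient client secret (tcs) from a CSPRNG, sends its hash (tcsh) with the authorization request, and must present tcs at the token endpoint, so a second app that only intercepted the code through a shared custom URL scheme cannot redeem it. The use of SHA-256 for tcsh, the in-memory code store and the function names are assumptions made for this example; the draft's actual parameter encoding is not given on the page.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the authorization server's persistence:
# authorization code -> tcsh recorded when the code was issued.
_pending_codes = {}


def client_generate_tcs(nbytes=32):
    """Client side: draw tcs from the OS CSPRNG via the secrets module.
    This is the 'proper random' the thread notes is hard to get right."""
    return secrets.token_urlsafe(nbytes)


def tcsh_of(tcs):
    """tcsh = hash of tcs. SHA-256 over the ASCII secret is an assumption here."""
    return hashlib.sha256(tcs.encode("ascii")).hexdigest()


def server_authorize(tcsh):
    """Authorization endpoint: bind the received tcsh to a freshly issued code.
    The server never sees tcs itself at this step."""
    code = secrets.token_urlsafe(16)
    _pending_codes[code] = tcsh
    return code


def server_token(code, tcs):
    """Token endpoint: release a token only if the presenter knows the tcs
    whose hash was bound to the code. The code is consumed on any attempt,
    so a wrong guess burns it rather than allowing retries."""
    expected = _pending_codes.pop(code, None)
    if expected is None:
        return None
    if not hmac.compare_digest(tcsh_of(tcs), expected):  # constant-time compare
        return None
    return "access_token_for_" + code


def demo():
    """Run a legitimate exchange, then an interception attempt on a second code
    where the redeeming app holds the code but not the matching tcs."""
    tcs = client_generate_tcs()
    legit = server_token(server_authorize(tcsh_of(tcs)), tcs)

    victim_tcs = client_generate_tcs()
    stolen_code = server_authorize(tcsh_of(victim_tcs))
    intercepted = server_token(stolen_code, client_generate_tcs())  # wrong tcs
    return legit, intercepted
```

Ryo's alternative above, generating tcs on the server side, would move `client_generate_tcs` behind the authorization endpoint but leave the token-endpoint check unchanged.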