[Openid-specs-ab] 1000 WAYS TO DIE IN MOBILE OAUTH

John Bradley ve7jtb at ve7jtb.com
Wed Aug 10 20:14:53 UTC 2016


It might be easier to start with JWT libraries for validating signatures and basic token formatting, rather than trying to start with a complete Connect implementation profile.

We do currently have deployment profiles that people test against.  They do not however cover all the possible deployment scenarios.

John B.

> On Aug 10, 2016, at 4:10 PM, Nick Roy via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> Agreed - and we were only able to get to a point in this one specific set of sectors with SAML just this year, after years of in-the-field experience.  The R&E community, for example, will probably need Roland's OIDC-fed specification, but that's still cooking.
> 
> I wonder if a profiling exercise that targets the current large-scale deployers would help with initial development of the libraries, with an intentional effort to re-profile every $frequency to catch newer use cases and drive a roadmap to get those into the libraries?
> 
> Nick
> 
>> On Aug 10, 2016, at 2:02 PM, Anthony Nadalin <tonynad at microsoft.com> wrote:
>> 
>> I would agree to the concept of a similar effort for OAuth, but it may be a daunting task to get agreement with the major players here since they each service more than the education/government sector. I would hate to have to do this sector by sector.
>> From: Nick Roy [mailto:nroy at internet2.edu]
>> Sent: Wednesday, August 10, 2016 12:57 PM
>> To: Anthony Nadalin <tonynad at microsoft.com>
>> Cc: Adam Dawes <adawes at google.com>; openid-specs-ab at lists.openid.net
>> Subject: Re: [Openid-specs-ab] 1000 WAYS TO DIE IN MOBILE OAUTH
>>  
>> The research and education and e-government multilateral SAML world has just gone through a profiling exercise intended to standardize implementations that claim to support multilateral SAML use cases.  I think it was well worth the effort: kantarainitiative.github.io/SAMLprofiles/fedinterop.html <http://kantarainitiative.github.io/SAMLprofiles/fedinterop.html>
>>  
>> Nick
>>  
>> On Aug 10, 2016, at 1:48 PM, Anthony Nadalin <tonynad at microsoft.com> wrote:
>>  
>> In order for this to actually happen there would have to be an agreed-upon set of scenarios and specification set, since there are a lot of “optional” and application-specific usages.
>>  
>> From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nick Roy via Openid-specs-ab
>> Sent: Wednesday, August 10, 2016 12:19 PM
>> To: Adam Dawes <adawes at google.com>
>> Cc: openid-specs-ab at lists.openid.net
>> Subject: Re: [Openid-specs-ab] 1000 WAYS TO DIE IN MOBILE OAUTH
>>  
>> I'd be very happy to see a set of well-engineered, security-focused client libraries that cover the bang-for-the-buck target audiences.  I don't have any ability to help with that, but +1 the need.
>>  
>> Nick
>>  
>> On Aug 10, 2016, at 1:42 AM, Adam Dawes via Openid-specs-ab <Openid-specs-ab at lists.openid.net> wrote:
>>  
>> I just looked through the deck and it seems that most of these relate to OAuth2 based auth flows. At the end, one of the recommendations is to adopt OIDC. 
>>  
>> But in our experience, developers also get OIDC wrong far too often. The thing that is the biggest problem is proper ID token verification (issuer and audience checks). I really think that the community would be very well served with excellent open source JWT validation libraries on all major frameworks/languages. Google would be very interested in working with others on this problem. Please let me know if you have interest/ideas about how to improve this.
>>  
>> The other area that concerns me but doesn't seem to be a major issue yet is clientID spoofing on platforms like iOS. Users don't pay enough attention to consent screens so spoofing another client is an interesting phishing vector.
>>  
>> On Tue, Aug 9, 2016 at 10:00 PM, Nat Sakimura via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>> Just found a briefing in Blackhat 2016 titled “1000 WAYS TO DIE IN MOBILE OAUTH” <https://www.blackhat.com/us-16/briefings.html#1000-ways-to-die-in-mobile-oauth>
>>  
>> Says:
>>  
>> > “(1) all major identity providers, e.g., Facebook, Google and Microsoft, have re-purposed OAuth for user authentication;”
>> > [..snip..]
>> > “The result is really worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable.”
>>  
>> Maybe we should dig in.
>>  
>> 
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>> 
>> 
>>  
>> -- 
>> Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410
>>  
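Adam's point above is that the most common OIDC mistake is incomplete ID token verification (issuer and audience checks), and John's reply is that a JWT library for signature validation and basic token formatting is the place to start. The following is an added example, not code from anyone in this thread or from any of the libraries discussed: a minimal verifier that walks the checks OIDC Core 3.1.3.7 requires, in the order a library should do them. It assumes HS256 with a shared key purely so it runs offline; a real ID token from Google, Microsoft or Facebook is RS256 and the key would come from the issuer's published JWKS, but the checks on `alg`, `iss`, `aud`/`azp`, `exp` and `nonce` are the same. The issuer, client_id, key and clock value are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from the thread): a fictitious
# issuer, client_id and a shared HMAC key standing in for the IdP's key.
ISSUER = "https://idp.example"
CLIENT_ID = "app-client-id"
KEY = b"constructed-demo-key-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = KEY, alg: str = "HS256") -> str:
    """Mint an HS256 JWT; stands in for the IdP in this demo."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class IdTokenError(Exception):
    """Raised when the token fails any verification step."""


def verify_id_token(token, key, expected_issuer, client_id, now=None, expected_nonce=None):
    """Verify signature, iss, aud/azp, exp and (if supplied) nonce; return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise IdTokenError(f"malformed header or signature: {exc}") from exc
    # Pin the algorithm: the verifier, not the token, decides how it is checked.
    # This is what rejects "alg":"none" and key-type confusion.
    if header.get("alg") != "HS256":
        raise IdTokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise IdTokenError("signature does not verify")
    # Only after the signature holds is the payload worth parsing claims from.
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise IdTokenError(f"malformed payload: {exc}") from exc
    if claims.get("iss") != expected_issuer:
        raise IdTokenError(f"issuer {claims.get('iss')!r} is not {expected_issuer!r}")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or client_id not in audiences:
        raise IdTokenError("token was not issued to this client (aud)")
    # OIDC Core 3.1.3.7: with several audiences, azp must name this client.
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("multiple audiences but azp does not name this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise IdTokenError("token is expired or has no exp")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch")
    return claims


def check(token, now, expected_nonce=None):
    """Convenience wrapper: 'ok' on success, otherwise the rejection reason."""
    try:
        verify_id_token(token, KEY, ISSUER, CLIENT_ID, now=now, expected_nonce=expected_nonce)
        return "ok"
    except IdTokenError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_470_859_200  # constructed fixed clock so the run is reproducible
    good = make_id_token({"iss": ISSUER, "sub": "user-1", "aud": CLIENT_ID, "exp": now + 600, "nonce": "n-1"})
    wrong_aud = make_id_token({"iss": ISSUER, "sub": "user-1", "aud": "some-other-app", "exp": now + 600})
    print("good:     ", check(good, now, "n-1"))
    print("wrong aud:", check(wrong_aud, now))
```

The ordering matters: the algorithm is pinned and the signature checked before any claim is read, so an attacker-controlled payload never influences which key or algorithm is used. The `aud` check is the one Adam singles out as most often skipped; without it a token legitimately issued to another client is accepted by yours, which is also why a multi-audience token must additionally carry an `azp` naming this client.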
