[Openid-specs-ab] 1000 WAYS TO DIE IN MOBILE OAUTH

Roland Hedberg roland at catalogix.se
Thu Aug 11 07:36:01 UTC 2016


When it comes to OP testing, that is correct, but we do have an RP library test tool.
Still need some more library implementors to verify it before we go public with it.

> On 10 Aug 2016, at 22:28, Anthony Nadalin via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> The tests that exist today test services, not libraries.
> From: Nick Roy [mailto:nroy at internet2.edu] 
> Sent: Wednesday, August 10, 2016 1:21 PM
> To: John Bradley <ve7jtb at ve7jtb.com>
> Cc: Anthony Nadalin <tonynad at microsoft.com>; openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] 1000 WAYS TO DIE IN MOBILE OAUTH
>  
> Gotta start somewhere, this seems like a good place. 
>  
> On Aug 10, 2016, at 2:14 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>  
> It might be easier to start with JWT libraries for validating signatures and basic token formatting, rather than trying to start with a complete Connect implementation profile.
>  
> We do currently have deployment profiles that people test against.  They do not however cover all the possible deployment scenarios.
>  
> John B.
>  
> On Aug 10, 2016, at 4:10 PM, Nick Roy via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>  
> Agreed - and we were only able to get to a point in this one specific set of sectors with SAML just this year, after years of in-the-field experience.  The R&E community, for example, will probably need Roland's OIDC-fed specification, but that's still cooking. 
>  
> I wonder if a profiling exercise that targets the current large-scale deployers would help with initial development of the libraries, with an intentional effort to re-profile every $frequency to catch newer use cases and drive a roadmap to get those into the libraries?
>  
> Nick
>  
> On Aug 10, 2016, at 2:02 PM, Anthony Nadalin <tonynad at microsoft.com> wrote:
>  
> I would agree to the concept of a similar effort for OAuth, but it may be a daunting task to get agreement with the major players here since they each service more than the education/government sector. I would hate to have to do this sector by sector.
>  
> From: Nick Roy [mailto:nroy at internet2.edu] 
> Sent: Wednesday, August 10, 2016 12:57 PM
> To: Anthony Nadalin <tonynad at microsoft.com>
> Cc: Adam Dawes <adawes at google.com>; openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] 1000 WAYS TO DIE IN MOBILE OAUTH
>  
> The research and education and e-government multilateral SAML world has just gone through a profiling exercise intended to standardize implementations that claim to support multilateral SAML use cases.  I think it was well worth the effort: <http://kantarainitiative.github.io/SAMLprofiles/fedinterop.html>
>  
> Nick
>  
> On Aug 10, 2016, at 1:48 PM, Anthony Nadalin <tonynad at microsoft.com> wrote:
>  
> In order for this to actually happen there would have to be an agreed-upon set of scenarios and specification set, since there are a lot of “optional” and application-specific usages.
>  
> From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nick Roy via Openid-specs-ab
> Sent: Wednesday, August 10, 2016 12:19 PM
> To: Adam Dawes <adawes at google.com>
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] 1000 WAYS TO DIE IN MOBILE OAUTH
>  
> I'd be very happy to see a set of well-engineered, security-focused client libraries that cover the bang-for-the-buck target audiences.  I don't have any ability to help with that, but +1 the need.
>  
> Nick
>  
> On Aug 10, 2016, at 1:42 AM, Adam Dawes via Openid-specs-ab <Openid-specs-ab at lists.openid.net> wrote:
>  
> I just looked through the deck and it seems that most of these relate to OAuth2 based auth flows. At the end, one of the recommendations is to adopt OIDC. 
>  
> But in our experience, developers also get OIDC wrong far too often. The thing that is the biggest problem is proper ID token verification (issuer and audience checks). I really think that the community would be very well served with excellent open source JWT validation libraries on all major frameworks/languages. Google would be very interested in working with others on this problem. Please let me know if you have interest/ideas about how to improve this.
>  
> The other area that concerns me but doesn't seem to be a major issue yet is clientID spoofing on platforms like iOS. Users don't pay enough attention to consent screens so spoofing another client is an interesting phishing vector.
>  
> On Tue, Aug 9, 2016 at 10:00 PM, Nat Sakimura via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> Just found a briefing in Blackhat 2016 titled “1000 WAYS TO DIE IN MOBILE OAUTH” <https://www.blackhat.com/us-16/briefings.html#1000-ways-to-die-in-mobile-oauth>
>  
> Says:
>  
> > “(1) all major identity providers, e.g., Facebook, Google and Microsoft, have re-purposed OAuth for user authentication;”
> > [..snip..]
> > “The result is really worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable.”
>  
> Maybe we should dig in.
>  
>  
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> 
> 
>  
> -- 
> Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410
>  

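Adam Dawes's point above about ID token verification (issuer and audience checks) and John Bradley's about JWT signature validation, as an added example that is not part of this thread or of any library discussed in it: a minimal relying-party validator, Python standard library only, that checks the signature, iss, aud (with azp when aud is a list) and exp, plus a helper that reports why a token was refused. The HS256 shared secret, issuer and client ids are constructed for the example; production OPs sign with asymmetric keys published at jwks_uri, which changes the signature step but none of the claim checks.

```python
import base64
import hashlib
import hmac
import json

# Constructed HS256 client secret so this runs with the stdlib only (assumption);
# real OPs use RS256/ES256 keys from jwks_uri, but the claim checks are the same.
SECRET = b"constructed-client-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims: dict, key: bytes = SECRET) -> str:
    """Build a compact JWS as test input only; an RP never mints ID tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_id_token(token: str, expected_iss: str, client_id: str,
                    now: int, key: bytes = SECRET) -> dict:
    """Claims if every OpenID Connect Core 1.0 (3.1.3.7) check passes, else ValueError; `now` is epoch seconds."""
    h_b64, p_b64, s_b64 = token.split(".")  # ValueError unless exactly three segments
    if json.loads(_unb64url(h_b64)).get("alg") != "HS256":  # pin alg; never trust the header
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64url(s_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_unb64url(p_b64))
    if claims.get("iss") != expected_iss:  # exact match, not a prefix or substring test
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud if isinstance(aud, list) else [])
    if client_id not in aud:  # a genuine token minted for another client is not ours
        raise ValueError("audience mismatch")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name this client when aud lists several")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired or exp missing")
    return claims

def rejection_reason(token: str, expected_iss: str, client_id: str, now: int):
    # For tests and logging: the failure message, or None when the token is valid.
    try:
        verify_id_token(token, expected_iss, client_id, now)
    except ValueError as exc:
        return str(exc)
    return None
```

The "audience mismatch" case is the one Adam describes: a perfectly valid token issued by the right OP to some other client, which a validator that stops at the signature and issuer would accept.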