[Openid-specs-ab] 1000 WAYS TO DIE IN MOBILE OAUTH

Adam Dawes adawes at google.com
Thu Aug 11 17:49:40 UTC 2016


We also have JWT validation
<https://firebase.google.com/docs/auth/server/verify-id-tokens#verify_id_tokens_using_the_firebase_sdk>
built into our Firebase server SDKs
<https://firebase.google.com/docs/server/setup> for Java and JS. It's our
intention to pull the JWT validation part out and open source it. We'd
especially love to have Go and Python versions of this too.

I think OAuth libraries would be very valuable too but that is a much
bigger scope. I think if we can begin with OIDC ID token validation and
minting, that would be a huge leap forward.

For developer simplicity, I think it would also be really useful to have a
standardized config file format that lists issuers, their clientIDs and
private keys (for token minting). Something like:

{"Trusted IDPs" : [

{ "issuer": "https://accounts.google.com",
"clientID":"407408718192.apps.googleusercontent.com",
"private_key_id": "dd61bc1c4650952852514fbb3c4da84287383911",
 "private_key": "-----BEGIN PRIVATE
KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDkfgHXC3pEgu55\nt9REvoT+cZhla+jetdwaLnEq7o89pb5Qn1EuEs+gIUkSYkBCWgS7lfbrivuzjm0C\nvTUOJauBLMQQvpyC50bMSkPs/zCrZ7e/axFWrYSZNO3ts+3HjBz3iLS+IUrGVwV2\nTABkh/y6fgoiKU9e/P7Ao8foIQz6en3VsYE/BU1vj2VXnUKwykkk9LAHh+6HOtxM\naUP8z829PHcrnDmpQwhPOQeObQIBOc5op8Z1E6NptWFI5R22yky7jg4KzwyyC41I\n8QnBMlJ/IuZMfdTsWFSSQ7geG/q2lCHLp+uUOLIgxUu+sSihictWpm8aeQv3cuF/\nGxKfQEBrAgMBAAECggEAPmMBUZv6qFYvkuBUfuieG3McrySFkrmI/UUM9THpvmVQ\nz2aQncnZEtnDv9c/wF4fyLArmSh7jQ0oSoUqxVAXwc9dQU0qIrvPItxsK3uJ6GML\nUqKDO21pNQO0qyBjngZtqlCTOQ6SAhGkliYuPUS8Bpd/YNBysXbWf/a4EHNlvcXL\n9GwjnxRXYrtjuMnTLw5orYv78Ne92Oe9NndIN9GPUkIy7S/PBGLM0nz3nb5ZZYm5\nT5RoLQrVF4m4VAV4+NJYsVrte2pGB7m0HIpVxCR7nGOTX0fOUydNAkQ97a6qHOtq\nUyhJ+l8b/XhdEzb9on1rCDqXbbPEnWN2/5DvXdaPIQKBgQD+VhuuSQtINj0MtU3g\nXYaNtAAn54p4Q80aCBB6RNrtWvCNlU8mQj8SB/7dU/PyzczcnXwDwuk7mmrKXjZj\nb9eQ44xTCl0u2EwfoUcpkCWo26prdm+97fPoQhYm4IBtbtPw/rzcKvT3psKTyCnK\n2opyw4wGiDApNd012e4elQUKowKBgQDl/J9Z/xrN3wIUlwO0B/1gc+SUo2ErkSz8\nUeA2i+VSx/cWNBdH0YtIsZWjmCbz2Ti2t8aAuO63jHfxZQF2SeBfBxSaYMm+sOvA\niwtTuUz88mzlHvj6pzbIe070s0i/uxik3/6HhNT2aZTsRgO8EH0xS0pBFNQVTHiC\nJEZ2clrXmQKBgBmQGAolZ0/ju7EaS/CAFfUKIXXhTMaXsfaq1tUjNInkuQbR+fmT\ncPlj+lbOiFdgHfYSkhNitMR72b3rSDYoWJdEd6clBIaf0M7hC+D+jvpw0akpZ0PE\ntd4jPky8Bcx59i1jvSG345U8mpP161VrL70nMFy7tXN+6XPvKoLCYZZXAoGAQRuA\nHSEr/GYKl7ucr8WnRDvq1O1fn87Mdm3TVH3MIOA9IcsDYDCBBsZHP3XeaR/wf0GN\nb3lrEwkwF2VpwYvuedhuS7nkwxgg1XRHc588nUsf6skW4RafWqgV1Q5AJQ8ZTeuf\nicvf4hZHs4+qlP3yAxd2YPA9jf4FC4qra/K5ptkCgYEA9WWO1D/9Zpcj4jnc9faN\n4+EniRdPc44tHPKx8VTIZ+GkeJ2Gbu/EqQFeYtEQojx24YyES6Bhz2hfWJ1lCHbj\nts7Alt3D5RkDgsRKVZ0kGXi7BkHCRKpDTmH05MSSy5ArVuy9jKrAYQuhlSxF6+x8\nVa175koIHbqLKBwU8guyFAM=\n-----END
PRIVATE KEY-----\n"}

]}

That way, when the RP registers for a clientID with the IDP, the IDP can
autogenerate this snippet which can get easily appended to their whitelist
config file and save developers from having to understand issuer and
audience checks.

Other than Roland and Brian, who else would be interested in working on
such an open source project?

thanks,
AD

On Thu, Aug 11, 2016 at 9:34 AM, Brian Campbell <bcampbell at pingidentity.com>
wrote:

>
> On Wed, Aug 10, 2016 at 1:42 AM, Adam Dawes via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>>
>> But in our experience, developers also get OIDC wrong far too often. The
>> thing that is the biggest problem is proper ID token verification (issuer
>> and audience checks). I really think that the community would be very well
>> served with excellent open source JWT validation libraries on all major
>> frameworks/languages. Google would be very interested in working with
>> others on this problem. Please let me know if you have interest/ideas about
>> how to improve this.
>>
>>
> I've got a self-proclaimed excellent open source JWT validation library
> for Java <https://bitbucket.org/b_c/jose4j/wiki/Home> that is able and
> willing to help the cause.
>
>



-- 
Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410
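The issuer-bound audience check that the proposed "Trusted IDPs" config is meant to encode, as an added Python example (not code from the original post, nor from any Google or Firebase SDK): the config is a constructed two-entry instance of the shape above with the private_key fields left out, the second issuer and its clientID are hypothetical, and the tokens are unsigned test inputs, so signature verification is assumed to happen before this step.

```python
import base64
import json
import time
from typing import Optional

# Constructed config in the "Trusted IDPs" shape proposed above; private_key
# entries are omitted because this example only validates, it does not mint.
# The second issuer and its clientID are hypothetical.
TRUSTED_IDPS_CONFIG = json.dumps({"Trusted IDPs": [
    {"issuer": "https://accounts.google.com",
     "clientID": "407408718192.apps.googleusercontent.com"},
    {"issuer": "https://idp.example.test", "clientID": "example-rp-client"},
]})

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def load_trusted_idps(config_text: str) -> dict:
    """Index the config by issuer, so aud is always checked against the
    clientID registered with *that* issuer, never against any clientID."""
    return {e["issuer"]: e for e in json.loads(config_text)["Trusted IDPs"]}

def check_id_token_claims(id_token: str, trusted: dict,
                          now: Optional[int] = None) -> dict:
    """Return the claims if iss, aud and exp pass, else raise ValueError.
    Signature verification against the issuer's keys is assumed to have been
    done before this step; it is not part of this example."""
    now = int(time.time()) if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    entry = trusted.get(claims.get("iss"))
    if entry is None:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if entry["clientID"] not in aud:
        raise ValueError("aud is not this RP's clientID for that issuer")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or exp missing")
    return claims

def make_test_token(claims: dict) -> str:
    """Constructed, unsigned test input for the claim checks above only."""
    header = _b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.sig"
```

A token whose aud is a clientID that belongs to a different trusted issuer is rejected, which is the mix-up a flat "any known clientID" check would miss.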