<div dir="ltr">I wonder if you can mention something about id_token could be used as a CSRF token when doing a POST either by xhr or through a <form>. If Stackexchange would have used OpenID Connect (for their own login), they could have used the id_token on every call (like account linking) instead of just relying on cookies. Even more, by using id_tokens in the Authorization header you could do CORS without having to mess with cookies and cross domains. <div>
<br></div><div>In short, OpenID Connect won't prevent the attack to happen, but a nice side effect of using such "architecture" is a more secure solution across the board.</div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Wed, May 15, 2013 at 4:15 AM, John Bradley <span dir="ltr"><<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">The attack seems to be about using CSRF to link an account rather than the normal login. I need to look at it some more, but I guess the account linking code taking a POST without CSRF protection is the underlying cause. The Connect state and nonce would not be able to stop this as Connect is triggered by the Post before the Connect flow.<div>
<br></div><div><br><div><div><div class="h5"><div>On 2013-05-15, at 8:20 AM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:</div><br></div></div><blockquote type="cite">
<div lang="EN-US" link="blue" vlink="purple" style="font-family:Helvetica;font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<div><div class="h5"><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Can you propose concise security considerations text about the issues identified in the post? I’m almost done applying the changes agreed to in Mountain View to the specs, so the timing of adding this would be good, in terms of letting people review the text before we publish the Implementer’s Drafts.<u></u><u></u></span></div>
<div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> -- Mike<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><b><span style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif"><span> </span><a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-" target="_blank">openid-</a><a href="mailto:specs-ab-bounces@lists.openid.net" target="_blank">specs-ab-bounces@lists.openid.net</a>]<span> </span><b>On Behalf Of<span> </span></b>Nat Sakimura<br>
<b>Sent:</b><span> </span>Tuesday, May 14, 2013 6:33 PM<br><b>To:</b><span> </span><a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br><b>Subject:</b><span> </span>[Openid-specs-ab] OAuth implementation vulnerability<u></u><u></u></span></div>
<div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">You guys probably new it, but it is a good read. <u></u><u></u></div>
<div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<a href="http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts/" style="color:purple;text-decoration:underline" target="_blank">http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts/</a><u></u><u></u></div>
</div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
BTW, perhaps we should add <span style="font-size:9.5pt;font-family:Arial,sans-serif;color:rgb(85,85,85)"> x-frame-options </span>to the spec? <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
Also, some tightening up in the security considerations? <u></u><u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
I know that this is really an implementation issues but the magnitude of the attack success make me think that perhaps it is a good idea to mention them at least. I being probably the one who want to finish the spec the most... <u></u><u></u></div>
</div><div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
--<span> </span><br>Nat Sakimura (=nat)<u></u><u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" style="color:purple;text-decoration:underline" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en<u></u><u></u></div></div></div></div></div></div></div>_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></div></blockquote></div><br></div></div><br>_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br></blockquote></div><br></div>