<HTML>
<HEAD>
<TITLE>Re: Does OAuth security vulnerability affect OpenID/OAuth hybrid?</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>I can certainly think of examples where you would NOT need the token returned, but I can also think of examples where it’s useful. I’d be wary of writing something that prohibits or recommends against it in conjunction with the OAuth security vulnerability, because I think they are unrelated.<BR>
<BR>
For example, an OP may want to re-send a freshly authorized token, if the previous one has timed out. This is how Facebook Connect behaves (if you re-visit a site more than an hour after the first auth, then a background ping will refresh the token).<BR>
<BR>
<BR>
On 5/12/09 10:06 PM, "Allen Tom" <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hi Luke,<BR>
<BR>
I don't think there's a session fixation issue with Hybrid, but I believe that several individuals raised concerns regarding auto-approval of OAuth tokens using regular OAuth, which is essentially the same thing as checkid_immediate mode in Hybrid.<BR>
<BR>
Is there really a reason why an RP would need the OAuth token returned in a checkid_immediate response if the user had previously authorized one on an earlier visit?<BR>
<BR>
Allen<BR>
<BR>
<BR>
Luke Shepard wrote: <BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'> Does OAuth security vulnerability affect OpenID/OAuth hybrid? (hijacking thread a bit)<BR>
<BR>
Allen-<BR>
<BR>
If I understand it correctly, the OAuth security issue doesn’t affect the hybrid spec in the same way.<BR>
<BR>
With the OAuth session fixation vulnerability, the problem comes if the attacker does the following:<BR>
<BR>
<BR>
</SPAN></FONT><OL><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Request a request token by pretending to request access
</SPAN></FONT><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Force the user to go to a url using that request token
</SPAN></FONT><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Muah! Calculate what the return_to url would have been, and use the pre-known request token to gain access to the user’s account info.
</SPAN></FONT></OL><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'> <BR>
In the OAuth hybrid flow, there is no pre-registered request token; instead, the token is returned, securely, in the URL. It is protected by the fact that OpenID requires the realm to match the return_to, and many providers can require that the OAuth request realm also match the OpenID realm. In this flow, there’s no way for the attacker to intercept the request_token before it makes its way back to the correct user.<BR>
<BR>
Perhaps the problem is more subtle than I understood, but I just want to make sure I’m clear on the issues.<BR>
<BR>
On 5/12/09 9:48 PM, "Allen Tom" <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>> wrote:<BR>
<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hi Nat,<BR>
<BR>
Here you go:<BR>
<BR>
<a href="http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html">http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html</a><BR>
<BR>
We might need to revise the spec to not support checkid_immediate for<BR>
the Hybrid flow, because auto-issuing OAuth access tokens is probably a<BR>
bad thing, in light of the recent OAuth security issue.<BR>
<BR>
Allen<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
Nat Sakimura wrote:<BR>
> Hi.<BR>
><BR>
> Where can I find the most current version of OpenID / OAuth hybrid spec draft?<BR>
> I would like to look at it to see if I can borrow as much from the<BR>
> draft for what I am thinking right now.<BR>
><BR>
> <BR>
<BR>
_______________________________________________<BR>
specs mailing list<BR>
<a href="mailto:specs@openid.net">specs@openid.net</a><BR>
<a href="http://openid.net/mailman/listinfo/specs">http://openid.net/mailman/listinfo/specs</a><BR>
<BR>
<BR>
</SPAN></FONT></BLOCKQUOTE></BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'><BR>
<BR>
</SPAN></FONT></BLOCKQUOTE>
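<P>The thread's argument that the hybrid flow is protected by realm matching (OpenID requires return_to to lie inside the realm, and an OP can additionally require the OAuth consumer to be registered for that same realm) is easier to reason about as concrete checks. The following is an added illustration, not code from the thread or from the Step2 draft: an OP-side validation of a hybrid checkid request before any request token is minted. The parameter names (<code>openid.realm</code>, <code>openid.return_to</code>, <code>openid.mode</code>, <code>openid.oauth.consumer</code>) follow the linked draft as I recall them, the consumer registry is a constructed stand-in, and the <code>allow_immediate_token</code> knob encodes the checkid_immediate policy the thread debates without deciding it; treat all of these as assumptions.</P>

```python
from urllib.parse import urlsplit

# Added example (not the thread's or the Step2 draft's code): the checks an OP
# could apply to a hybrid OpenID+OAuth checkid request before issuing a
# request token bound to the RP's realm. Parameter names are assumed from the
# linked draft; CONSUMER_REALMS is a constructed registry for illustration.


def _effective_port(u):
    """Explicit port, or the default for http/https (None for other schemes)."""
    if u.port is not None:
        return u.port
    return {"http": 80, "https": 443}.get(u.scheme.lower())


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """OpenID 2.0 section 9.2 style realm check (my reading of the rules):
    same scheme and port; host equal, or a realm host of the form
    '*.example.com' covering example.com and any subdomain; the realm path
    must be a prefix of the return_to path; the realm may not carry a fragment."""
    r, m = urlsplit(return_to), urlsplit(realm)
    if m.fragment or not r.scheme or not m.scheme:
        return False
    if r.scheme.lower() != m.scheme.lower():
        return False
    if _effective_port(r) != _effective_port(m):
        return False
    rhost = (r.hostname or "").lower()
    mhost = (m.hostname or "").lower()
    if mhost.startswith("*."):
        base = mhost[2:]
        if not (rhost == base or rhost.endswith("." + base)):
            return False
    elif rhost != mhost:
        return False
    return (r.path or "/").startswith(m.path or "/")


# Constructed registry: OAuth consumer key -> realm it was registered for.
CONSUMER_REALMS = {
    "rp-consumer-key": "http://*.rp.example/",
}


def check_hybrid_request(params: dict, consumer_realms=CONSUMER_REALMS,
                         allow_immediate_token: bool = False):
    """Return (ok, reason). ok is True only if the OP may mint a request token
    for this request: return_to lies inside the realm, the named OAuth consumer
    is known and registered for exactly that realm, and (policy knob) the
    request is not a checkid_immediate that would auto-issue a token."""
    return_to = params.get("openid.return_to")
    # OpenID 2.0: a missing realm defaults to the return_to URL.
    realm = params.get("openid.realm") or return_to
    if not return_to or not realm:
        return False, "missing return_to/realm"
    if not return_to_matches_realm(return_to, realm):
        return False, "return_to is outside realm"
    consumer = params.get("openid.oauth.consumer")
    if consumer not in consumer_realms:
        return False, "unknown OAuth consumer"
    if consumer_realms[consumer] != realm:
        return False, "consumer not registered for this realm"
    if params.get("openid.mode") == "checkid_immediate" and not allow_immediate_token:
        return False, "no token auto-issued in checkid_immediate"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample request from an RP in the registered realm.
    sample = {
        "openid.mode": "checkid_setup",
        "openid.realm": "http://*.rp.example/",
        "openid.return_to": "http://www.rp.example/openid/return",
        "openid.oauth.consumer": "rp-consumer-key",
    }
    print(check_hybrid_request(sample))
```

<P>The consumer-to-realm binding is the piece that makes the "no pre-known request token" argument hold on the OP side: even a request that passes the plain OpenID return_to check is refused if the OAuth consumer named in it was registered for a different realm.</P>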
</BODY>
</HTML>