Luke, do you mean some kind of OAuth access token renewal process over checkid_immediate? Sounds interesting, although if renewal was mandated by the OP I would expect it to be so the user could explicitly validate the RP should still be authorized. Otherwise why not just issue a longer-lasting token in the first place?<br clear="all">
--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Wed, May 13, 2009 at 5:13 PM, Luke Shepard <span dir="ltr"><<a href="mailto:lshepard@facebook.com">lshepard@facebook.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
As I suggested, an OP may want to give an updated session via checkid-immediate. Facebook Connect does this, and it seems like a legit use case to me.<br>
<br>
________________________________<br>
From: Andrew Arnott <<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>><br>
To: Allen Tom <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>><br>
Cc: Luke Shepard; OpenID Specs Mailing List <<a href="mailto:specs@openid.net">specs@openid.net</a>><br>
Sent: Wed May 13 17:05:00 2009<br>
Subject: Re: Does OAuth security vulnerability affect OpenID/OAuth hybrid?<br>
<div class="im"><br>
I would expect a decent OP to consider that it goes without saying that checkid_immediate wouldn't have a reasonable OAuth token authorizing scenario and block it. So I agree it's good to call it out in the spec.<br>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br>
<br>
</div><div class="im">On Tue, May 12, 2009 at 10:06 PM, Allen Tom <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a><mailto:<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>>> wrote:<br>
Hi Luke,<br>
<br>
I don't think there's a session fixation issue with Hybrid, but I believe that several individuals raised concerns regarding auto-approval of OAuth tokens using regular OAuth, which is essentially the same thing as checkid_immediate mode in Hybrid.<br>
<br>
Is there really a reason why an RP would need the OAuth token returned in a checkid_immediate response if the user had previously authorized one on an earlier visit?<br>
<br>
Allen<br>
<br>
<br>
Luke Shepard wrote:<br>
(hijacking thread a bit)<br>
<br>
Allen-<br>
<br>
If I understand it correctly, the OAuth security issue doesn't affect the hybrid spec in the same way.<br>
<br>
With the OAuth session fixation vulnerability, the problem comes if the attacker does the following:<br>
<br>
<br>
</div> 1. Request a request token by pretending to request access<br>
2. Force the user to go to a url using that request token<br>
3. Muah! Calculate what the return_to url would have been, and use the pre-known request token to gain access to the user's account info.<br>
<div class="im"><br>
In the OAuth hybrid flow, there is no pre-registered request token; instead, the token is returned, securely, in the URL. It is protected by the fact that OpenID requires the realm to match the return_to, and many providers can require that the Oauth request realm also match the OpenID realm. In this flow, there's no way for the attacker to intercept the request_token before it makes its way back to the correct user.<br>
<br>
Perhaps the problem is more subtle than I understood, but I just want to make sure I'm clear on the issues.<br>
<br>
</div><div class="im">On 5/12/09 9:48 PM, "Allen Tom" <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a><<a href="http://atom" target="_blank">http://atom</a>@<a href="http://yahoo-inc.com" target="_blank">yahoo-inc.com</a>>> wrote:<br>
<br>
Hi Nat,<br>
<br>
Here you go:<br>
<br>
<a href="http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html" target="_blank">http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html</a><br>
<br>
We might need to revise the spec to not support checkid_immediate for<br>
the Hybrid flow, becuase auto-issuing OAuth access tokens is probably a<br>
bad thing, in light of the recent OAuth security issue.<br>
<br>
Allen<br>
<br>
<br>
<br>
<br>
<br>
Nat Sakimura wrote:<br>
> Hi.<br>
><br>
> Where can I find the most current version of OpenID / OAuth hybrid spec draft?<br>
> I would like to look at it to see if I can borrow as much from the<br>
> draft for what I am thinking right now.<br>
><br>
><br>
<br>
_______________________________________________<br>
specs mailing list<br>
</div><a href="mailto:specs@openid.net">specs@openid.net</a><<a href="http://specs" target="_blank">http://specs</a>@<a href="http://openid.net" target="_blank">openid.net</a>><br>
<div class="im"><a href="http://openid.net/mailman/listinfo/specs" target="_blank">http://openid.net/mailman/listinfo/specs</a><br>
<br>
<br>
<br>
_______________________________________________<br>
specs mailing list<br>
</div><a href="mailto:specs@openid.net">specs@openid.net</a><mailto:<a href="mailto:specs@openid.net">specs@openid.net</a>><br>
<div><div></div><div class="h5"><a href="http://openid.net/mailman/listinfo/specs" target="_blank">http://openid.net/mailman/listinfo/specs</a><br>
<br>
<br>
</div></div></blockquote></div><br>