OAuth Symmetric Proof of Possession for Code Extension - PowerPoint PPT Presentation
Presentation Transcript

IETF 90 OAuth WG

Nat Sakimura

Nomura Research Institute, Ltd.

OAuth Symmetric Proof of Possession for Code Extension

draft-sakimura-oauth-tcse-03

2014/7/24


Problem Statement

  • Code interception attack (against public clients)

    • A malicious client obtains the code instead of the legitimate client, e.g. by registering the same scheme as the client.

The problem is not theoretical.

A very large provider has been experiencing it.

Diagram (sequence, flattened from the slide): the actors are the client, the Browser, the Authz Server and the attacker.

  1. Authz req. (client, via the Browser)
  2. Authz req. (Browser to Authz Server)
  3. code (Authz Server to Browser)
  4. code (delivered to the attacker instead of the client)
  5. Token request (w/o client secret), sent by the attacker
  6. token (issued to the attacker)


Solution

  • Have the client create a one-time-credential and send it with the Authz req.

    • Based on the assumption that the attacker cannot observe the request.

Diagram (sequence, flattened from the slide): the actors are the client, the Browser, the Authz Server and the attacker.

  0. Make code_verifier and code_challenge (client)
  1. Authz req. w/ code_challenge (client, via the Browser)
  2. Authz req. w/ code_challenge (Browser to Authz Server)
  3. code (Authz Server to Browser)
  4. code (intercepted by the attacker)
  5. Token request w/o code verifier (sent by the attacker)
  6. fail
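The flow above, as an added Python simulation that is not part of the slides or the draft: a client creates the one-time credential, the authorization server binds the code_challenge to the issued code, and a token request that arrives without the matching code_verifier (the intercepting party never saw it) is refused. The slides do not say how code_challenge is derived from code_verifier; the example assumes the BASE64URL(SHA-256(code_verifier)) construction that the successor spec, RFC 7636 (PKCE), standardized, and the class and function names are the example's own.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier_and_challenge():
    # Step 0: one-time credential. Assumption: 32 random bytes as the
    # verifier, challenge = BASE64URL(SHA256(verifier)) as in RFC 7636.
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class AuthzServer:
    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge) bound at step 2

    def authorize(self, client_id: str, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier=None):
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None or entry[0] != client_id or code_verifier is None:
            return None  # steps 5/6: no verifier -> fail
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not hmac.compare_digest(expected, entry[1]):
            return None  # verifier does not match the bound challenge
        return "access-token-" + secrets.token_hex(8)


def run_flow(mode: str):
    """mode: 'legit', 'no_verifier' (interceptor) or 'wrong_verifier' (guess)."""
    server = AuthzServer()
    verifier, challenge = make_verifier_and_challenge()
    code = server.authorize("public-app", challenge)  # steps 1-3 via the browser
    if mode == "no_verifier":
        return server.token("public-app", code)  # step 4 interception, step 5 w/o verifier
    if mode == "wrong_verifier":
        return server.token("public-app", code, b64url(secrets.token_bytes(32)))
    return server.token("public-app", code, verifier)
```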


FAQ

  • Why does it not use asymmetric crypto?

    • We first proposed it, but it was turned down by the developers.

  • Why not require HMAC at least?

    • It is a good idea to do so in the environment in which the request can be monitored/captured by other apps.

    • We ran the idea by the app developers, but it was not popular.


Draft is short and has been pretty stable

  • Only 8 pages, including boilerplate.

  • Has been very stable.

  • The concept has been battle tested.

  • Adopt it as a WG item and finish it quickly?

