OAuth Symmetric Proof of Possession for Code Extension
IETF 90 OAuth WG

Nat Sakimura

Nomura Research Institute, Ltd.

OAuth Symmetric Proof of Possession for Code Extension

draft-sakimura-oauth-tcse-03

2014/7/24

Problem Statement
  • Code interception attack (against public clients)
    • A malicious client obtains the code instead of the legitimate client, e.g. by registering the same scheme as the client.

The problem is not theoretical.

A very large provider has been experiencing it.

Diagram (sequence; participants: client, Browser, Authz Server, attacker; the attacker, not the client, receives the code at step 4 and redeems it):

1. Authz req.
2. Authz req.
3. code
4. code
5. Token request (w/o client secret)
6. token

Solution
  • Have the client create a one-time credential and send it with the Authz req.
    • Based on the assumption that the attacker cannot observe the request.

Diagram (sequence; participants: client, Browser, Authz Server, attacker; the attacker again receives the code at step 4, but its token request fails):

0. Make code_verifier and code_challenge
1. Authz req. w/ code_challenge
2. Authz req. w/ code_challenge
3. code
4. code
5. Token request w/o code verifier
6. fail
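The check the diagram describes, as an added example that is not part of the slides or the draft: the client derives `code_challenge` from a fresh `code_verifier`, the authorization server binds the challenge to the code it issues, and a token request that lacks the verifier (the interceptor's situation) or carries a wrong one is refused. The transform used here, BASE64URL(SHA256(code_verifier)), is the S256 method standardized in RFC 7636, which this draft became; the slide itself only says the credential is one-time. Class and function names are this example's own.

```python
import base64
import hashlib
import secrets


def make_verifier_and_challenge():
    """Step 0 on the slide: the client creates a fresh code_verifier and
    derives code_challenge from it. Only the challenge leaves the client
    in the authorization request; the verifier stays local."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


class AuthzServer:
    """Hypothetical authorization server: stores the code_challenge alongside
    the issued code and releases a token only when the token request carries
    a verifier that reproduces that challenge."""

    def __init__(self):
        self._codes = {}  # code -> code_challenge

    def authorize(self, code_challenge):
        # Steps 2-3: bind the challenge to the code being issued.
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code, code_verifier=None):
        # Steps 5-6: no verifier (the interceptor's case), a verifier that
        # does not hash to the stored challenge, or an unknown code -> fail.
        expected = self._codes.get(code)
        if expected is None or code_verifier is None:
            return None
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        actual = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
        if not secrets.compare_digest(actual, expected):
            return None
        del self._codes[code]  # the code is single-use once redeemed
        return "access-token-for-" + code


def demo():
    """Legitimate client versus an interceptor holding only the code."""
    srv = AuthzServer()
    verifier, challenge = make_verifier_and_challenge()
    code = srv.authorize(challenge)
    intercepted = srv.token(code)                 # step 5 w/o verifier -> None
    wrong = srv.token(code, "not-the-verifier")   # guessed verifier -> None
    legit = srv.token(code, verifier)             # real client -> token
    replay = srv.token(code, verifier)            # code already redeemed -> None
    return intercepted, wrong, legit, replay
```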

FAQ
  • Why does it not use asymmetric crypto?
    • We first proposed it, but it was turned down by the developers.
  • Why not require HMAC at least?
    • It is a good idea to do so in environments in which the request can be monitored or captured by other apps.
    • We ran the idea by the app developers, but it was not popular.
Draft is short and has been pretty stable
  • Only 8 pages including boilerplate.
  • Has been very stable.
  • The concept has been battle tested.
  • Adopt it as a WG item and finish it quickly?