OAuth Symmetric Proof of Possession for Code Extension - PowerPoint PPT Presentation

IETF 90 OAuth WG

Nat Sakimura

Nomura Research Institute, Ltd.

OAuth Symmetric Proof of Possession for Code Extension

draft-sakimura-oauth-tcse-03

2014/7/24


Problem Statement

  • Code interception attack (against public clients)

    • A malicious app obtains the code instead of the legitimate client, e.g. by registering the same custom URI scheme as the client.

The problem is not theoretical.

A very large provider has been experiencing it.

Sequence diagram (parties: client, attacker, Browser, Authz Server):

  1. Authz req. (client, via the Browser)
  2. Authz req. (Browser to Authz Server)
  3. code (Authz Server to Browser)
  4. code (delivered to the attacker instead of the client)
  5. Token request (w/o client secret), sent by the attacker
  6. token (issued to the attacker)


Solution

  • Have the client create a one-time-credential and send it with the Authz req.

    • Based on the assumption that the attacker cannot observe the request.

Sequence diagram (parties: client, attacker, Browser, Authz Server):

  0. Make code_verifier and code_challenge (client)
  1. Authz req. w/ code_challenge (client, via the Browser)
  2. Authz req. w/ code_challenge (Browser to Authz Server)
  3. code (Authz Server to Browser)
  4. code (intercepted by the attacker)
  5. Token request w/o code_verifier (attacker)
  6. fail
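The interception flow on the Problem Statement slide and the code_challenge / code_verifier defence on this slide, as an added worked example (not code from the draft or the presentation). It simulates a public client and a toy authorization server in Python: the client creates the verifier and challenge (step 0), the server binds each issued code to the challenge it arrived with, and the token endpoint only succeeds when the matching verifier is presented, so a party holding only an intercepted code gets "6. fail". The challenge transforms used ("plain" = the verifier itself, "S256" = base64url(SHA-256(verifier)) without padding) and the 43..128 character verifier limits are assumptions taken from the later PKCE specification, RFC 7636; the names AuthorizationServer, simulate and verifier_exposed_to_request_observer are the example's own, and the codes and tokens it issues are constructed random values. It also illustrates the FAQ point about requiring a hash or HMAC: with the plain method an observer of the authorization request learns the verifier outright, with S256 only its digest.

```python
"""Simulation of the code interception attack and the code_verifier / code_challenge
defence from the slides. Added example, not code from the draft or the presentation.
The challenge transforms ("plain" and "S256") are assumed from the later PKCE RFC 7636.
"""
import base64
import hashlib
import hmac
import secrets
import string
from typing import Dict, Optional, Tuple

UNRESERVED = string.ascii_letters + string.digits + "-._~"


def make_code_verifier(length: int = 64) -> str:
    """Step 0: the client creates a high-entropy one-time credential."""
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def valid_verifier(verifier: str) -> bool:
    """Length and character-set check (assumed limits: 43..128 unreserved characters)."""
    return 43 <= len(verifier) <= 128 and all(c in UNRESERVED for c in verifier)


def make_code_challenge(verifier: str, method: str) -> str:
    """Value the client sends with the authz request instead of the verifier."""
    if method == "plain":
        return verifier
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError("unsupported code_challenge_method: " + method)


class AuthorizationServer:
    """Toy authz server: every issued code is bound to the challenge it arrived with."""

    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str]] = {}  # code -> (challenge, method)

    def authorize(self, code_challenge: str, method: str = "plain") -> str:
        """Steps 2-3: accept the authz request and issue a single-use code."""
        code = secrets.token_urlsafe(24)  # constructed code value
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: Optional[str]) -> Optional[str]:
        """Steps 5-6: redeem the code. None means the token request fails."""
        entry = self._codes.pop(code, None)  # pop: a replayed code fails as well
        if entry is None or code_verifier is None or not valid_verifier(code_verifier):
            return None
        stored_challenge, method = entry
        recomputed = make_code_challenge(code_verifier, method)
        # Constant-time comparison so the check itself leaks nothing about the challenge
        if not hmac.compare_digest(recomputed.encode("utf-8"), stored_challenge.encode("utf-8")):
            return None
        return "access-token-" + secrets.token_hex(8)  # constructed token value


def simulate(method: str) -> Dict[str, Optional[str]]:
    """Run the flow for the legitimate client and for an attacker holding only the code."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier, method)

    # Legitimate client: sends the challenge (step 1), later the verifier (step 5) -> token
    code = server.authorize(challenge, method)
    legit = server.token(code, verifier)

    # Attacker who intercepted the code (step 4) but never saw the verifier -> "6. fail"
    code = server.authorize(challenge, method)
    no_verifier = server.token(code, None)

    # Attacker who intercepted the code and submits some other verifier -> fail
    code = server.authorize(challenge, method)
    wrong_verifier = server.token(code, make_code_verifier())

    return {"legit": legit, "no_verifier": no_verifier, "wrong_verifier": wrong_verifier}


def verifier_exposed_to_request_observer(method: str) -> bool:
    """FAQ caveat: does the authz request itself reveal the verifier to an observer?"""
    verifier = make_code_verifier()
    return make_code_challenge(verifier, method) == verifier


if __name__ == "__main__":
    for m in ("plain", "S256"):
        print(m, simulate(m), "verifier visible in request:",
              verifier_exposed_to_request_observer(m))
```

The server pops the code on first use, so a code that is replayed after the legitimate client redeemed it fails in the same way as an intercepted one; the constant-time comparison is what a real token endpoint should use for the challenge check, whichever transform is configured.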


FAQ

  • Why does it not use asymmetric crypto?

    • We first proposed it, but it was turned down by the developers.

  • Why not require HMAC at least?

    • It is a good idea to do so in environments where the request can be monitored or captured by other apps.

    • We ran the idea by the app developers, but it was not popular.


Draft is short and has been pretty stable

  • Only 8 pages including boilerplate.

  • Has been very stable.

  • The concept has been battle tested.

  • Adopt it as a WG item and finish it quickly?