1 / 5

OAuth Symmetric Proof of Possession for Code Extension

IETF 90 OAuth WG. Nat Sakimura Nomura Research Institute, Ltd. . OAuth Symmetric Proof of Possession for Code Extension. draft-sakimura-oauth-tcse-03. 2014/7/24. Problem Statement. Code interception attack (against public clients)

asa
Download Presentation

OAuth Symmetric Proof of Possession for Code Extension

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IETF 90 OAuth WG Nat Sakimura Nomura Research Institute, Ltd. OAuth Symmetric Proof of Possession for Code Extension draft-sakimura-oauth-tcse-03 2014/7/24

  2. Problem Statement • Code interception attack (against public clients) • A malicious client gets the code instead of the client via registering the same scheme as the client, etc. The problem is not theoretical. A v. large provider has been experiencing it. attacker Authz Server client 6. token 5. Token request (w/o client secret) 1. Authz req. 4. code 3. code Browser 2. Authz req.

  3. Solution • Have the client create a one-time-credential and send it with the Authz req. • Based on the assumption that attacker cannot observe the request. 0. Make code_verifier and code_challenge attacker Authz Server client 6. fail 5. Token request w/o code verifier Authz req. w/ code_challenge 4. code 3. code Browser 2. Authz req. w/ code_challenge

  4. FAQ • Why does it not use asymmetric crypto? • We first proposed it but was turned down by the developers. • Why not require HMAC at least? • It is a good idea to do so in the environment in which the request can be monitored/captured by other apps. • We ran the idea to the app developers but it was not popular.

  5. Draft is short and has been pretty stable • Only 8 pages including boilerplates. • Has been very stable. • The concept has been battle tested. • Adopt it as a WG item and finish it quickly?

More Related