OAuth 2.0 Mix-Up Mitigation
draft-ietf-oauth-mix-up-mitigation-00

Document Type Active Internet-Draft (oauth WG)
Last updated 2016-03-20
Replaces draft-jones-oauth-mix-up-mitigation
Stream IETF
Intended RFC status (None)
Stream WG state WG Document (wg milestone: Jul 2017 - Submit 'OAuth 2.0 Mi... )
Document shepherd No shepherd assigned
IESG IESG state I-D Exists
Consensus Boilerplate Unknown
OAuth Working Group                                             M. Jones
Internet-Draft                                                 Microsoft
Intended status: Standards Track                              J. Bradley
Expires: September 19, 2016                                Ping Identity
                                                             N. Sakimura
                                                                     NRI
                                                          March 18, 2016

                      OAuth 2.0 Mix-Up Mitigation
                 draft-ietf-oauth-mix-up-mitigation-00

Abstract

   This specification defines an extension to The OAuth 2.0
   Authorization Framework that enables the authorization server to
   dynamically provide the client using it with additional information
   about the current protocol interaction that can be validated by the
   client and that enables the client to dynamically provide the
   authorization server with additional information about the current
   protocol interaction that can be validated by the authorization
   server.  This additional information can be used by the client and
   the authorization server to prevent classes of attacks in which the
   client might otherwise be tricked into using inconsistent sets of
   metadata from multiple authorization servers, including potentially
   using a token endpoint that does not belong to the same authorization
   server as the authorization endpoint used.  Recent research
   publications refer to these as "IdP Mix-Up" and "Malicious Endpoint"
   attacks.
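   As an added illustration (not code from this draft or its authors), the
   following Python sketch shows the client side of the mitigation the
   abstract describes: each authorization request is bound to the issuer it
   was sent to, and the client refuses to continue when the authorization
   response names a different issuer or a different client, taking the
   token endpoint only from the metadata of the issuer it recorded.  The
   response parameter names "iss" and "client_id" and all URLs below are
   assumptions constructed for the example, not text quoted on this page.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthServer:
    """Metadata the client holds for one authorization server (constructed)."""
    issuer: str
    authorization_endpoint: str
    token_endpoint: str


class MixUpGuardClient:
    """Client that remembers which issuer each authorization request went to."""

    def __init__(self, client_id, servers):
        self.client_id = client_id
        self.servers = {s.issuer: s for s in servers}
        self.pending = {}  # state value -> issuer the request was sent to

    def start_authorization(self, issuer):
        # Bind a fresh, unguessable state to the issuer chosen for this flow.
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        srv = self.servers[issuer]
        url = (f"{srv.authorization_endpoint}?response_type=code"
               f"&client_id={self.client_id}&state={state}")
        return state, url

    def handle_authorization_response(self, params):
        # Look up (and consume) the issuer this state was bound to.
        expected_issuer = self.pending.pop(params.get("state"), None)
        if expected_issuer is None:
            raise ValueError("unknown or already-used state")
        # Mitigation data (assumed parameter names): the AS names itself and
        # the client it answered; both must match the transaction we started.
        if params.get("iss") != expected_issuer:
            raise ValueError("issuer mismatch: possible IdP mix-up")
        if params.get("client_id") != self.client_id:
            raise ValueError("client_id mismatch: response not meant for this client")
        # The token endpoint is taken from the recorded issuer's metadata,
        # never from anything carried in the response itself.
        return self.servers[expected_issuer].token_endpoint, params["code"]
```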

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 19, 2016.

Copyright Notice

Jones, et al.          Expires September 19, 2016               [Page 1]
Internet-Draft         OAuth 2.0 Mix-Up Mitigation            March 2016

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Requirements Notation and Conventions  . . . . . . . . . .  4
     1.2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  The OAuth Issuer . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Mitigation Data Returned in Authorization Response . . . . . .  5
     3.1.  Mitigation Data Returned in Authorization Response
           Parameters . . . . . . . . . . . . . . . . . . . . . . . .  5
       3.1.1.  Example Authorization Response using Response
               Parameters . . . . . . . . . . . . . . . . . . . . . .  5
     3.2.  Mitigation Data Returned in JWT  . . . . . . . . . . . . .  6
       3.2.1.  Example Authorization Response using JWT . . . . . . .  6
   4.  Validating the Authorization Response  . . . . . . . . . . . .  7
   5.  Mitigation Data Sent to the Token Endpoint . . . . . . . . . .  8
     5.1.  Example Token Request  . . . . . . . . . . . . . . . . . .  8
   6.  Validating the Token Request . . . . . . . . . . . . . . . . .  9
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . .  9
     7.1.  IdP Mix-Up and Malicious Endpoint Attacks  . . . . . . . .  9
     7.2.  Duplicate Information Attacks  . . . . . . . . . . . . . .  9
     7.3.  Cut-and-Paste Attacks  . . . . . . . . . . . . . . . . . . 10
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 11
     8.1.  OAuth Parameters Registration  . . . . . . . . . . . . . . 11
       8.1.1.  Registry Contents  . . . . . . . . . . . . . . . . . . 11
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 11
     9.2.  Informative References . . . . . . . . . . . . . . . . . . 12
   Appendix A.  Implementation Notes  . . . . . . . . . . . . . . . . 13