Minutes interim-2021-oauth-05: Mon 12:00
minutes-interim-2021-oauth-05-202104121200-00

Meeting Minutes Web Authorization Protocol (oauth) WG
Date and time 2021-04-12 16:00
Title Minutes interim-2021-oauth-05: Mon 12:00
State Active
Last updated 2021-04-12

OAuth WG Interim Meeting - Security BCP

Date

12 April, 2021, 12:00pm EDT

Topic - Security BCP

Presenter: Daniel
Draft: https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
Slides: Security BCP Slides

Notes

Note taker: Dick Hardt

Daniel: reviewed changes in latest version (-17), ready for WGLC
Filip: AS MUST reject non-https redirect URIs - is this localhost or the loopback address per BCP 212
Daniel: refer to BCP 212
George: I'm worried about custom schemes
Daniel: refer to a specific section in BCP 212
Rifaat: any more questions or concerns?
(no one)
Denis: collusion attack where Alice and Bob are users that are colluding to mount an attack. Supposed to be addressed in section 3. The section does not consider client collusion attack. E.g., Bob gets an over 18 token, that is then given to Alice who is not over 18.
Daniel: Web attackers can collude per section
George: Denis' attack is an attack against bearer tokens. Sender constrained mechanisms
Denis: attack has nothing to do with bearer tokens. If Bob shares private key, Alice can impersonate Bob.
Denis: attacker is not client, the attacker are the parties
Daniel: it is covered in Section 3. A web attacker can operate 2 clients.
Rifaat:
Dick: identity attacks are not an OAuth problem
Justin: If Bob wants to share his access token, he can also share his private key. The attack described by Denis is equivalent to Bob calling Alice and asking her what API calls she wants him to make.
Denis: 1) Bob is not sharing his private key. He is doing some computation on behalf of Alice.
As soon as the RS can relate the token to Bob instead of Alice, then the attack will fail.
Justin: This is Alice impersonating Bob. It is not Alice pasting Bob's DoB.
Denis: there is no way for the access token to know who the access token was given to, then there is no way
Justin: if the access token has the "sub" claim that it is Bob's token, then Alice can still impersonate Bob
Hannes: seems like there is not a way to mitigate this attack.
Daniel: differentiate between attacker model, and what we are trying to achieve. This attack is covered by the attacker model. That does not mean that we need to consider this attack or cover how to mitigate it, as it is out of scope for OAuth. Not something we can defend against, nor is it something that we need to defend against.
Hannes: Denis - is this an attack that you have come across?
Denis: Proving you are over 18 without sharing who you are. I have presented a solution and no one was interested.
Hannes: I was not aware of this work in ISO. Are you willing to contribute this to OAuth?
Denis: this is a general approach and will be discussed in a meeting tomorrow
Aaron: thanks for clarifying the use case. Attributes about users is not in scope, and is covered in other work in places such as OpenID Connect. It is not an OAuth problem.
Justin: all good points Aaron. This is not describing an attack, it is a limitation of the protocol.
Rifaat: capture the use case, but not discuss the solution.
Justin: no, this is just how things work. Describe what is obvious, and is the nature of the protocol.
Daniel: Justin, I think you are right, it is useful to write down the obvious. I don't think this covers what Denis has on his mind. Justin, Aaron, Dick, and George made good points that this is out of scope.
Rifaat: does this address your issue?
Denis: no
Rifaat: does this collaborative attack belong to the BCP. If you agree, please add +1 to chat.

+1 * 1

Rifaat: if you don't agree, please add yourself to chat

+1 * 9

Rifaat: Looks like rough consensus to not add this change

For WGLC

+1 * 11

Against WGLC

+1 * 1

Looks like we can move forward with WGLC on the list

Hannes: if anyone else can add about implementations, please post on the list.

Rifaat: close of meeting and thanks Dick for taking notes. :)

Attendees

  • Rifaat Shekh-Yusef (chair)
  • Hannes Tschofenig (chair)
  • Daniel Fett (presenter)
  • Dick Hardt
  • Filip Skokan (Auth0)
  • Justin Richer
  • Aaron Parecki (Okta)
  • Vittorio Bertocci (Auth0)
  • Francesca Palombini
  • Peter Yee (AKAYLA)
  • Brian Campbell (Ping)
  • Torsten Lodderstedt
  • Karsten Meyer zu Selhausen
  • George Fletcher (Verizon Media Inc.)
  • Denis Pinkas (DP Security Consulting SAS)
  • Mike Jones (Microsoft)
  • Tim Cappalli (Microsoft)

Recording

https://ietf.webex.com/webappng/sites/ietf/recording/9c0038d3ba4349838463a7c2fe8d743f/playback

Next Interim Meetings