# OAuth WG Interim Meeting - Security BCP

## Date

12 April, 2021, 12:00pm EDT

## Topic - Security BCP

Presenter: Daniel

Draft: https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/

Slides: [Security BCP Slides](https://datatracker.ietf.org/meeting/interim-2021-oauth-05/materials/slides-interim-2021-oauth-05-sessa-slide-deck-00)

# Notes

Note taker: Dick Hardt

Daniel: reviewed changes in latest version (-17), ready for WGLC

Filip: AS MUST reject non-https redirect URIs - is this localhost or the loopback address per BCP 212?

Daniel: refer to BCP 212

George: I'm worried about custom schemes

Daniel: refer to a specific section in BCP 212

Rifaat: any more questions or concerns? (no one)

Denis: collusion attack where Alice and Bob are users that are colluding to mount an attack. Supposed to be addressed in section 3. The section does not consider client collusion attack. E.g., Bob gets an over 18 token, that is then given to Alice who is not over 18.

Daniel: Web attackers can collude per section

George: Denis' attack is an attack against bearer tokens. Sender-constrained mechanisms

Denis: attack has nothing to do with bearer tokens. If Bob shares private key, Alice can impersonate Bob.

Denis: attacker is not client, the attackers are the parties

Daniel: it is covered in Section 3. A web attacker can operate 2 clients.

Rifaat:

Dick: identity attacks are not an OAuth problem

Justin: If Bob wants to share his access token, he can also share his private key. The attack described by Denis is equivalent to Bob calling Alice and asking her what API calls she wants him to make.

Denis: 1) Bob is not sharing his private key. He is doing some computation on behalf of Alice. As soon as the RS can relate the token to Bob instead of Alice, then the attack will fail.

Justin: This is Alice impersonating Bob. It is not Alice pasting Bob's DoB.

Denis: there is no way for the access token to know who the access token was given to, then there is no way

Justin: if the access token has the "sub" claim that it is Bob's token, then Alice can still impersonate Bob

Hannes: seems like there is not a way to mitigate this attack.

Daniel: differentiate between attacker model, and what we are trying to achieve. This attack is covered by the attacker model. That does not mean that we need to consider this attack or cover how to mitigate, as it is out of scope for OAuth. Not something we can defend against, nor is it something that we need to defend against.

Hannes: Denis - is this an attack that you have come across?

Denis: Proving you are over 18 without sharing who you are. I have presented a solution and no one was interested.

Hannes: I was not aware of this work in ISO. Are you willing to contribute this to OAuth?

Denis: this is a general approach and will be discussed in a meeting tomorrow

Aaron: thanks for clarifying the use case. Attributes about users are not in scope, and are covered in other work in places such as OpenID Connect. It is not an OAuth problem.

Justin: all good points Aaron. This is not describing an attack, it is a limitation of the protocol.

Rifaat: capture the use case, but not discuss the solution.

Justin: no, this is just how things work. Describe what is obvious, and is the nature of the protocol.

Daniel: Justin, I think you are right, it is useful to write down the obvious. I don't think this covers what Denis has on his mind. Justin, Aaron, Dick, and George made good points that this is out of scope.

Rifaat: does this address your issue?

Denis: no

Rifaat: does this collaborative attack belong in the BCP? If you agree, please add +1 to chat.

+1 * 1

Rifaat: if you don't agree, please add yourself to chat

+1 * 9

Rifaat: Looks like rough consensus to not add this change

For WGLC

+1 * 11

Against WGLC

+1 * 1

Looks like we can move forward with WGLC on the list

Hannes: if anyone else can add about implementations, please post on the list.

Rifaat: close of meeting and thanks Dick for taking notes. :)

## Attendees

* Rifaat Shekh-Yusef (chair)
* Hannes Tschofenig (chair)
* Daniel Fett (presenter)
* Dick Hardt
* Filip Skokan (Auth0)
* Justin Richer
* Aaron Parecki (Okta)
* Vittorio Bertocci (Auth0)
* Francesca Palombini
* Peter Yee (AKAYLA)
* Brian Campbell (Ping)
* Torsten Lodderstedt
* Karsten Meyer zu Selhausen
* George Fletcher (Verizon Media Inc.)
* Denis Pinkas (DP Security Consulting SAS)
* Mike Jones (Microsoft)
* Tim Cappalli (Microsoft)

## Recording

https://ietf.webex.com/webappng/sites/ietf/recording/9c0038d3ba4349838463a7c2fe8d743f/playback

## Next Interim Meetings

* April 19 Identity Use Cases in Browser Catalog – Vittorio/George https://datatracker.ietf.org/doc/draft-bertocci-identity-in-browser/
* April 26 TMI BFF – Vittorio/Brian https://datatracker.ietf.org/doc/draft-bertocci-oauth2-tmi-bff/
* May 3 OAuth 2.1 - Aaron https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/
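## Added example: redirect URI check (not part of the meeting notes)

The redirect URI requirement Filip raised near the start of the notes (the AS MUST reject non-https redirect URIs, with BCP 212 governing the loopback case he asked about and the custom schemes George was worried about) is the sort of check an authorization server implementer wants written out. The block below is an added example; it is not code from the draft, the slides, or any implementation represented at the meeting. The client registrations are constructed, and the function names (`classify`, `matches_registered`) are hypothetical. It follows BCP 212 (RFC 8252) in allowing http only for the loopback literals 127.0.0.1 and ::1 with a variable port, in refusing the hostname `localhost`, and in accepting only reverse-domain private-use schemes as custom schemes; everything else is compared by exact string match.

```python
"""Redirect URI validation for an OAuth authorization server.

Added example illustrating the Security BCP rule "reject non-https redirect
URIs" together with the native-app exceptions of BCP 212 (RFC 8252).
Not code from the draft or from any vendor present at the meeting.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed registration store (hypothetical clients). Registered URIs are
# compared by exact string match; only loopback URIs may vary their port.
REGISTERED = {
    "web-client": ["https://app.example/cb"],
    "native-client": ["http://127.0.0.1/cb", "com.example.app:/oauth2redirect"],
}


def is_loopback_host(host):
    """True for the IP literals 127.0.0.1 and ::1 (RFC 8252 section 7.3).

    The hostname "localhost" is deliberately not treated as loopback: RFC 8252
    section 8.3 recommends against it because it can resolve to a non-loopback
    address, so ip_address() raising ValueError is the desired outcome here.
    """
    if host is None:
        return False
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def classify(uri):
    """Return 'https', 'loopback', 'private-use' or 'reject' for a redirect URI."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme == "https":
        # An https URI without a host is malformed; reject it.
        return "https" if parts.hostname else "reject"
    if scheme == "http":
        # Plain http is allowed only for the loopback interface (native apps).
        return "loopback" if is_loopback_host(parts.hostname) else "reject"
    # RFC 8252 section 7.1: private-use schemes are reverse domain names such
    # as com.example.app. A scheme with no dot (javascript, data, ...) is not.
    if scheme and "." in scheme:
        return "private-use"
    return "reject"


def matches_registered(client_id, uri):
    """Exact-match the presented URI against the client's registered URIs.

    The one relaxation is the RFC 8252 loopback case, where the port is chosen
    at runtime, so scheme, host, path and query must match but the port may differ.
    """
    kind = classify(uri)
    if kind == "reject":
        return False
    for registered in REGISTERED.get(client_id, []):
        if uri == registered:
            return True
        if kind == "loopback" and classify(registered) == "loopback":
            a, b = urlsplit(uri), urlsplit(registered)
            if (a.hostname, a.path, a.query) == (b.hostname, b.path, b.query):
                return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs a server might see on /authorize.
    for client, uri in [
        ("web-client", "https://app.example/cb"),
        ("web-client", "http://app.example/cb"),
        ("native-client", "http://127.0.0.1:49152/cb"),
        ("native-client", "http://localhost:49152/cb"),
        ("native-client", "com.example.app:/oauth2redirect"),
    ]:
        print(f"{client:14} {uri:40} {classify(uri):12} "
              f"accepted={matches_registered(client, uri)}")
```

The port relaxation is confined to URIs that classify as loopback, so a registered `https://` URI never gains it, and `http://localhost` is rejected outright rather than matched against `http://127.0.0.1`.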