On 12/11/2018 15:31, Michael Richardson wrote:
> Management of the authz-info resource: * The authz-info resource is
> vulnerable to DoS attacks: clients may (with or without intention) send
> large numbers of access tokens to RS. A constrained RS may soon run out
> of memory/storage space if it needs to store large numbers of
> This seems like a really serious issue, and it seems that we need
> an additional RTT to really fix it.
Note Steffi's words were: "store large numbers of tokens".
In order to have the RS store a large number of tokens, an attacker
would need to have a large number of valid tokens for starters (since
invalid tokens are not stored but discarded).
Furthermore, since the RS checks whether the audience of a token
applies, and can safely discard tokens that do not have a matching
audience the attacker would need to have a large number of tokens that
all match an audience that this RS identifies with.
Finally we just learned at IETF 103 that OAuth typically does not use
multiple, simultaneous access tokens for the same pair of client-RS.
Thus if the token has a subject (sub claim) or some other binding to the
client, the RS can safely discard all older tokens bound to the same client.
Therefore I propose that an attack that induces the RS to store a large
number of tokens is quite hard to pull off.
Even so, let's still assume it would be possible; there is this part in
the spec:
==========================
5.8.1. The Authorization Information Endpoint
....
The RS MUST be prepared to store at least one access token for future
use.
....
==========================
This means that the RS can limit the total number of tokens it stores
for future use based on its memory and storage space, as long as it
stores at least one (in total, not per client).
Thus I'm curious what additional protections you would suggest are
feasible and necessary for the authz-info endpoint?
/Ludwig
--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
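The filtering steps Ludwig lists above (discard tokens that do not verify, discard tokens whose audience does not match this RS, replace an older token bound to the same client, and cap the total stored at a number the RS can afford, never below one) can be put together as a bounded store behind the authz-info endpoint. The following is an added illustration, not code from the ACE drafts, from Ludwig, or from any RS implementation. A toy JSON-plus-HMAC token stands in for a CWT so the example runs offline; `AS_KEY`, `RS_AUDIENCE`, the `AuthzInfoStore` class and the choice to evict the oldest entry when the cap is hit are all assumptions made for the example.

```python
import hashlib
import hmac
import json
from collections import OrderedDict

# Constructed values for this example (not from the ACE drafts or the thread):
RS_AUDIENCE = "coap://rs.example"            # audience identifier this RS answers to
AS_KEY = b"constructed-as-rs-shared-secret"  # key shared between AS and RS for token verification


def mint_token(claims, key=AS_KEY):
    """Toy token format: JSON claims, a dot, then an HMAC-SHA256 tag over the claims.
    Stands in for a CWT MACed by the AS; only the RS-side verification logic matters here."""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def parse_and_verify(token, key):
    """Return the claims dict if the tag verifies, else None (invalid tokens are never stored)."""
    body, sep, tag = token.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


class AuthzInfoStore:
    """Bounded token store behind the authz-info endpoint (hypothetical class, not from the spec)."""

    def __init__(self, audience, key, max_tokens):
        if max_tokens < 1:
            raise ValueError("RS MUST be prepared to store at least one token")
        self.audience = audience
        self.key = key
        self.max_tokens = max_tokens
        # insertion-ordered so the oldest entry comes first; keyed by the client binding (sub)
        self._tokens = OrderedDict()

    def count(self):
        return len(self._tokens)

    def has(self, sub):
        return sub in self._tokens

    def submit(self, token):
        """Process one token posted to authz-info and return a short outcome string."""
        claims = parse_and_verify(token, self.key)
        if claims is None:
            return "discarded:invalid"
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if self.audience not in audiences:
            return "discarded:audience"
        # Bind the entry to the client via sub; without a sub, fall back to the token hash (assumption)
        binding = claims.get("sub") or hashlib.sha256(token).hexdigest()
        if binding in self._tokens:
            # One token per client: the newer one supersedes the older one
            del self._tokens[binding]
            self._tokens[binding] = claims
            return "stored:replaced_older"
        outcome = "stored"
        if len(self._tokens) >= self.max_tokens:
            self._tokens.popitem(last=False)  # cap reached: evict the oldest entry (assumed policy)
            outcome = "stored:evicted_oldest"
        self._tokens[binding] = claims
        return outcome


if __name__ == "__main__":
    store = AuthzInfoStore(RS_AUDIENCE, AS_KEY, max_tokens=2)
    good = mint_token({"sub": "client-a", "aud": RS_AUDIENCE, "scope": "read"})
    print(store.submit(good))
    print(store.submit(good.replace(b'"read"', b'"rw"')))  # tampered body, tag no longer verifies
    print(store.submit(mint_token({"sub": "client-b", "aud": "coap://other"})))
```

With a cap of two, a flood of tokens from one client never occupies more than one slot, tokens for another RS or with a bad tag cost nothing but the verification, and the store never grows past what the RS configured.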
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace