Re: [OAUTH-WG] OAuth Bearer Token draft

[Mike Jones]

Several people have asked for this parameter name to be changed to 
oauth2_token.  If a change is made, it would seem to me that that would be the 
logical name to use.

Is anyone strongly opposed to making this change?

                                                            -- Mike

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of 
George Fletcher
Sent: Thursday, March 10, 2011 4:28 PM
To: Phil Hunt
Cc: OAuth WG
Subject: Re: [OAUTH-WG] OAuth Bearer Token draft

I'm not crazy about the compromise either, but it's not possible for a site 
using JSONP and it's cross-domain tricks to set the Authorization header out of 
the browser or POST the data out of the browser in a cross-domain way (due to 
the same origin browser policy).

Quoting Eran from a previous message

JSON-P is one valid example (though JSON-P usage is in decline with new methods 
for cross-domain calls)
I do agree we need to give the url parameter a different name than oauth_token.

Thanks,
George

On 3/10/11 5:31 PM, Phil Hunt wrote:

In theory yes, sometimes a token has limited scope. But since a token will 
often have unlimited scope, it carries the same potential for risk.



I would say one-time use tokens (e.g. grant codes) are really the only things 
that should be passed by URL.



Note that if the client was able to obtain a token from a token server, then it 
must have been previously been able to send data as headers or forms to obtain 
a token. So why can't it pass the authorization token using the HTTP 
Authorization header?  I'm missing what the problem is here that leads to 
needing this security compromise.



Phil

phil.h...@oracle.com<mailto:phil.h...@oracle.com>









On 2011-03-10, at 1:43 PM, Torsten Lodderstedt wrote:



I would assume refresh token exposure to be less dangerous than the leakage of 
uid/password since a refresh tokens is restricted to a scope.



regards,

Torsten.



Am 10.03.2011 20:22, schrieb Phil Hunt:

I think I was confused because of the use of the term "credential" rather than 
token.



If you are calling the token service end-point then it is a big issue. E.g. 
exposing a refresh token would be as bad as a uid/pwd since it is long-lived.



For a resource server, I agree, the risk is lower.



Phil

phil.hunt@oracle.comer<mailto:phil.hunt@oracle.comer>









On 2011-03-10, at 11:17 AM, Richer, Justin P. wrote:



Nobody said UID and password -- we're talking about tokens here. The cost of a 
leaked temporary token (even a straight bearer token) is much, much lower.



-- Justin

________________________________________

From: Phil Hunt [phil.h...@oracle.com<mailto:phil.h...@oracle.com>]

Sent: Thursday, March 10, 2011 2:01 PM

To: Richer, Justin P.

Cc: Eran Hammer-Lahav; OAuth WG

Subject: Re: [OAUTH-WG] OAuth Bearer Token draft



Well, for one if you promote this, it becomes general technique. Now you have 
uid/passwords in browser history etc potentially accessible to javascript and 
could be leaked/hacked in any number of ways.



Also, I would say that credentials are a higher risk item then say a specific 
API call. Why? because credentials are used universally and so the exposure is 
much higher. That said, it is still possible that application data can just as 
costly to expose. Another reason to use secure forms over URLs.



Phil

phil.h...@oracle.com<mailto:phil.h...@oracle.com>









On 2011-03-10, at 10:37 AM, Richer, Justin P. wrote:



1) Yes. And don't discount ease-of-use for developers. If I'm already sending 
my parameters over the query, this becomes another parameter and is really easy 
to manage.

2) Yes, for parallelism to #1, when using a POST.

3) The idea of a parameter registry for this part is absurd, and the parameter 
should be kept simple. I do think that it needs to be named something other 
than "oauth_token".



I'm happy with discouraging the use of 1 and 2 with discussion in the security 
considerations, but I think that if we don't specify this behavior and discuss 
it, then people are going to do it anyway and we run more risk of things going 
wrong. Simply ignoring the issue in the spec (by remaining silent about it) 
will not make it go away.



Since all formats are optional, couldn't an AS/PR setup that wants to just lock 
things down and require auth headers for their particular setup? If in two 
years nobody deploys it anymore, then let's deprecate it from the spec and 
never speak of this again.



-- Justin



________________________________________

From: Eran Hammer-Lahav [e...@hueniverse.com<mailto:e...@hueniverse.com>]

Sent: Thursday, March 10, 2011 1:29 PM

To: Phil Hunt; Richer, Justin P.

Cc: OAuth WG

Subject: RE: [OAUTH-WG] OAuth Bearer Token draft



There are a few issues to consider.



1. Should the spec support sending bearer token in a query parameter?



- The argument that there are many use cases for this is unproven. JSON-P is 
one valid example (though JSON-P usage is in decline with new methods for 
cross-domain calls), but so far the only one given.

- I think at this point we have to include this functionality and the only 
potential open issue is if we want to rename it to something other than 
oauth_token.

- Including this functionality doesn't mean we should encourage it, and the way 
to deal with that is to mark this as 'deprecated'.



2. Should the spec support sending authentication parameters in the body?



- I don't have any use cases where this is required. If the client can perform 
a POST with a body, it should be able to set the header. Where is this an issue?



3. Should the oauth_token parameter be defined as part of an extensible 
framework for adding parameters to protected resources endpoint?



- This was the original issue raised and so far no one has provided any use 
cases for this. We just need to make sure we pick the right parameter name for 
oauth_token and clearly state that it is not the right way to send tokens. 
There should not be any more such parameters in the protected resource 
namespace.



EHL





-----Original Message-----

From: oauth-boun...@ietf.org<mailto:oauth-boun...@ietf.org> 
[mailto:oauth-boun...@ietf.org] On Behalf

Of Phil Hunt

Sent: Thursday, March 10, 2011 10:15 AM

To: Richer, Justin P.

Cc: OAuth WG

Subject: Re: [OAUTH-WG] OAuth Bearer Token draft



-1.  It is a BAD security practice to pass credentials in URLs. Avoid it.



Phil

phil.h...@oracle.com<mailto:phil.h...@oracle.com>









On 2011-03-10, at 10:07 AM, Richer, Justin P. wrote:



Ah, here we run into the classic argument of usability vs. security, in which

usability will win every single time in practice. If we don't define at least a

reasonable way to do this within the scope of OAuth, that's not going to stop

people from doing it. It's just going to make people do it in a million 
different

ways, each with their own unique problems that nobody's thought of. At

least this way, we can enable it and have a real discussion about the security

considerations. There are valid and valuable places where putting credentials

in the URL is a reasonable security tradeoff. Not everything functions over

the public internet as well, and the security considerations are different in

these other environments.

In short: yes, it's necessary and good to do this.



-- Justin

________________________________________

From: William J. Mills [wmi...@yahoo-inc.com<mailto:wmi...@yahoo-inc.com>]

Sent: Thursday, March 10, 2011 12:59 PM

To: Richer, Justin P.; Lukas Rosenstock

Cc: Brian Eaton; OAuth WG

Subject: Re: [OAUTH-WG] OAuth Bearer Token draft



Yeah, but there are serious security problems with credentials in the URL, is

it really worth it in light of those problems?

________________________________

From: "Richer, Justin P."<jric...@mitre.org><mailto:jric...@mitre.org>

To: Lukas 
Rosenstock<l...@lukasrosenstock.net><mailto:l...@lukasrosenstock.net>; William 
J. Mills

<wmi...@yahoo-inc.com><mailto:wmi...@yahoo-inc.com>

Cc: Brian Eaton<bea...@google.com><mailto:bea...@google.com>; OAuth 
WG<oauth@ietf.org><mailto:oauth@ietf.org>

Sent: Thursday, March 10, 2011 9:49 AM

Subject: RE: [OAUTH-WG] OAuth Bearer Token draft



Yes, there are many development setups where all you can reasonably

access is the URL to get. It's also much simpler to make use of the well-

supported syntax helpers for query parameters instead of relying on new,

custom formatting for newly-defined headers. The bearer token makes this

simple by just having the value of the token, but other schemes have their

own name/value pair formats and encodings that will inevitably cause

hiccups.

-- Justin

________________________________________

From: Lukas Rosenstock

[l...@lukasrosenstock.net<mailto:l...@lukasrosenstock.net><mailto:l...@lukasrosenstock.net><mailto:l...@lukasrosenstock.net>]

Sent: Thursday, March 10, 2011 11:49 AM

To: William J. Mills

Cc: Brian Eaton; Richer, Justin P.; OAuth WG

Subject: Re: [OAUTH-WG] OAuth Bearer Token draft



JSON-P (callback) works with<script>  tags where no parameters can be

set; this is used a lot in web applications that want to consume 3rd party APIs

directly on the client side. So, yes, an alternative for the Authorization

header is required - a.f.a.i.k this use case was one of the driving forces

behind WRAP and bearer tokens.

2011/3/9 William J. 
Mills<wmi...@yahoo-inc.com<mailto:wmi...@yahoo-inc.com><mailto:wmills@yahoo-

inc.com><mailto:wmi...@yahoo-inc.com<mailto:wmi...@yahoo-inc.com><mailto:wmi...@yahoo-inc.com>>>

Is there really a need going forward for anything beyond using the

Authorization header?  Do we have clients out there that just can't set that

header?  Putting bearer tokens in query arguments is a very bad idea for

many reasons, and in form variables has it's own set of badness (although

not to the same level).

-bill







_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth



_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth





--

Chief Architect                   AIM:  gffletch

Identity Services Engineering     Work: 
george.fletc...@teamaol.com<mailto:george.fletc...@teamaol.com>

AOL Inc.                          Home: 
gffle...@aol.com<mailto:gffle...@aol.com>

Mobile: +1-703-462-3494           Blog: http://practicalid.blogspot.com

Office: +1-703-265-2544           Twitter: http://twitter.com/gffletch

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth