Luke, do you mean some kind of OAuth access token renewal process over checkid_immediate? Sounds interesting, although if renewal was mandated by the OP I would expect it to be so the user could explicitly validate the RP should still be authorized. Otherwise why not just issue a longer-lasting token in the first place?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
On Wed, May 13, 2009 at 5:13 PM, Luke Shepard <[email protected]> wrote:

> As I suggested, an OP may want to give an updated session via checkid-immediate. Facebook Connect does this, and it seems like a legit use case to me.
>
> ________________________________
> From: Andrew Arnott <[email protected]>
> To: Allen Tom <[email protected]>
> Cc: Luke Shepard; OpenID Specs Mailing List <[email protected]>
> Sent: Wed May 13 17:05:00 2009
> Subject: Re: Does OAuth security vulnerability affect OpenID/OAuth hybrid?
>
> I would expect a decent OP to consider that it goes without saying that checkid_immediate wouldn't have a reasonable OAuth token authorizing scenario and block it. So I agree it's good to call it out in the spec.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
>
>
> On Tue, May 12, 2009 at 10:06 PM, Allen Tom <[email protected]> wrote:
>
> Hi Luke,
>
> I don't think there's a session fixation issue with Hybrid, but I believe that several individuals raised concerns regarding auto-approval of OAuth tokens using regular OAuth, which is essentially the same thing as checkid_immediate mode in Hybrid.
>
> Is there really a reason why an RP would need the OAuth token returned in a checkid_immediate response if the user had previously authorized one on an earlier visit?
>
> Allen
>
>
> Luke Shepard wrote:
>
> (hijacking thread a bit)
>
> Allen-
>
> If I understand it correctly, the OAuth security issue doesn't affect the hybrid spec in the same way.
>
> With the OAuth session fixation vulnerability, the problem comes if the attacker does the following:
>
> 1. Request a request token by pretending to request access
> 2. Force the user to go to a url using that request token
> 3. Muah! Calculate what the return_to url would have been, and use the pre-known request token to gain access to the user's account info.
>
> In the OAuth hybrid flow, there is no pre-registered request token; instead, the token is returned, securely, in the URL. It is protected by the fact that OpenID requires the realm to match the return_to, and many providers can require that the OAuth request realm also match the OpenID realm. In this flow, there's no way for the attacker to intercept the request_token before it makes its way back to the correct user.
>
> Perhaps the problem is more subtle than I understood, but I just want to make sure I'm clear on the issues.
>
> On 5/12/09 9:48 PM, "Allen Tom" <[email protected]> wrote:
>
> Hi Nat,
>
> Here you go:
>
> http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html
>
> We might need to revise the spec to not support checkid_immediate for the Hybrid flow, because auto-issuing OAuth access tokens is probably a bad thing, in light of the recent OAuth security issue.
>
> Allen
>
>
> Nat Sakimura wrote:
> > Hi.
> >
> > Where can I find the most current version of OpenID / OAuth hybrid spec draft?
> > I would like to look at it to see if I can borrow as much from the draft for what I am thinking right now.
>
> _______________________________________________
> specs mailing list
> [email protected]
> http://openid.net/mailman/listinfo/specs
_______________________________________________ specs mailing list [email protected] http://openid.net/mailman/listinfo/specs
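The thread above rests on two checks an OP can make before it hands a hybrid request token back to an RP: the return_to URL must fall inside the OpenID realm, and (as Luke notes some providers do) the OAuth consumer's registered realm must match the OpenID realm; Allen and Andrew further argue that checkid_immediate should never auto-issue an OAuth token. The following is an added example, not code from this thread, from the Step2 hybrid spec, or from any OpenID library: it implements the realm/return_to matching rules of OpenID Authentication 2.0 (section 9.2) and wraps them in an illustrative OP-side decision function. The function names, the consumer registry and the sample URLs are my own constructions.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Realm matching per OpenID Authentication 2.0, section 9.2:
#   - a realm must not carry a fragment
#   - scheme and port of return_to must equal those of the realm
#   - the realm's path must be a prefix of the return_to path
#   - hosts must be identical, unless the realm host starts with "*.",
#     in which case return_to may be that domain or any subdomain of it
# Illustrative implementation; not the spec's or any library's code.


def _effective_port(u) -> Optional[int]:
    """Explicit port if present, otherwise the scheme's default."""
    if u.port is not None:
        return u.port
    return {"http": 80, "https": 443}.get(u.scheme)


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """True if return_to lies within realm under the OpenID 2.0 rules."""
    r = urlsplit(realm)
    t = urlsplit(return_to)
    if r.fragment:
        return False
    if r.scheme != t.scheme or _effective_port(r) != _effective_port(t):
        return False
    if not (t.path or "/").startswith(r.path or "/"):
        return False
    realm_host = (r.hostname or "").lower()
    target_host = (t.hostname or "").lower()
    if realm_host.startswith("*."):
        base = realm_host[2:]
        return target_host == base or target_host.endswith("." + base)
    return realm_host == target_host


# Constructed registry: OAuth consumer key -> realm the consumer registered
# with the OP. The key and realm are made-up sample values.
CONSUMER_REALMS = {
    "rp-consumer-key": "http://*.rp.example/",
}


def hybrid_request_allowed(mode: str, realm: str, return_to: str,
                           consumer_key: Optional[str]) -> Tuple[bool, str]:
    """Decide whether an OP should honor an OpenID request that also asks
    for an OAuth request token (consumer_key is None for plain OpenID).

    The checkid_immediate refusal encodes the policy argued for in the
    thread (no OAuth token without user interaction); the hybrid spec text
    itself does not mandate it. Returns (allowed, reason).
    """
    if not return_to_matches_realm(return_to, realm):
        return False, "return_to is outside the realm"
    if consumer_key is None:
        return True, "plain OpenID request"
    if mode == "checkid_immediate":
        return False, "OAuth request token requires user interaction"
    registered = CONSUMER_REALMS.get(consumer_key)
    if registered is None:
        return False, "unknown OAuth consumer"
    if registered != realm:
        return False, "OAuth consumer realm does not match OpenID realm"
    return True, "ok"


if __name__ == "__main__":
    realm = "http://*.rp.example/"
    for mode, rt, key in [
        ("checkid_setup", "http://www.rp.example/openid/return", "rp-consumer-key"),
        ("checkid_immediate", "http://www.rp.example/openid/return", "rp-consumer-key"),
        ("checkid_setup", "http://attacker.example/openid/return", "rp-consumer-key"),
    ]:
        print(mode, rt, hybrid_request_allowed(mode, realm, rt, key))
```

The third sample request shows why the hybrid flow resists the fixation pattern described in the thread: a return_to outside the realm is refused before any token is minted, so the token can only ever be delivered to a URL the realm owner controls. The consumer-realm comparison here is exact string equality, the simplest reading of "the OAuth request realm must match the OpenID realm"; an OP that allows a consumer to register a broader wildcard realm would compare with return_to_matches_realm instead.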
