On 2025-12-08 at 09:58, Pieter Kasselman wrote:
The text already addresses the "neighbouring country" problem with IP
addresses, so I'll leave that as is.
I think places like Svalbard and Antarctica are different from
neighboring countries, because they can have countries that don't share
any border operating in the same place. I have no idea how that impacts
IP geolocation though, and I don't think either place has a large
population, so it might not be worth worrying about.
Thinking about it more, this feels like something that's probably out of
scope for this document, but maybe should be handled elsewhere by
something that lists as many limitations of IP geolocation as possible.
Regarding the whiteboard example, in theory access could be limited to
displaying files, but displaying files also requires access to them and
assumes a level of fine-grained access control that is not typically
implemented. Access is often granted at the directory or repository
level (or repositories), not on a per-file basis. The degree of access
is dictated by the Access Token and it is not unheard of that the
token obtained from such a flow would give much broader access than just
allowing files to be displayed (overprivileged tokens are often used in
lateral moves for example). Consequently relying on the scope of access
as a mitigation to allow for the use of Device Authorization Grant is
problematic.
In terms of protocols, both CIBA and Device Authorization grant are
exploitable in the context of cross-device flows. Of the two, Device
Authorization Grant has proven to be more easily and commonly exploited.
The attack you describe in the context of CIBA is possible, but it is
much more specific and narrowly scoped compared to all the attacks that
become possible if a system uses Device Authorization Grant instead.
Device Authorization Grant opens up different and more commonly
exploited attacks.
In general CIBA is harder to exploit than Device Authorization Grant. In
the context of the attack you describe, it raises the bar for the
attacker regarding timing and the scale of execution (targeting one vs
targeting millions simultaneously) compared to the attacks against the
Device Authorization Grant. Sometimes the best we can do is to raise the
bar and choose the options that are harder to exploit. I have come to
think of these trade-offs as "lesser of evils" exercises... FIDO with
WebAuthn is your safest bet if you need cross-device authentication and
authorization.
Makes sense. I think CIBA's security could be improved by showing the
same code on both devices and telling the user to compare them, but
maybe all the use cases that would benefit from that should just use
FIDO instead.
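A sketch of the "same code on both devices" comparison proposed above, added here as an example and not code from the thread or from any CIBA implementation. CIBA does define a `binding_message` request parameter; the in-memory server, endpoint names, client id and scope below are constructed stand-ins.

```python
import secrets
import string

# Constructed sketch: the consumption device sends a short code as the CIBA
# binding_message, the authentication device shows the binding_message of
# each pending request, and the user approves only when both codes match.

ALPHABET = string.ascii_uppercase + string.digits


def make_binding_code(length=6):
    """Short, human-comparable code generated by the consumption device."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class AuthServer:
    """Minimal stand-in for the backchannel endpoints; nothing is persisted."""

    def __init__(self):
        self.requests = {}

    def bc_authorize(self, client_id, login_hint, scope, binding_message):
        auth_req_id = secrets.token_urlsafe(16)
        self.requests[auth_req_id] = {
            "client_id": client_id, "login_hint": login_hint, "scope": scope,
            "binding_message": binding_message, "status": "pending",
        }
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 5}

    def pending_for(self, login_hint):
        """What the user's authentication device is shown."""
        return [(rid, r["binding_message"]) for rid, r in self.requests.items()
                if r["login_hint"] == login_hint and r["status"] == "pending"]

    def decide(self, auth_req_id, approved):
        self.requests[auth_req_id]["status"] = "approved" if approved else "denied"

    def token(self, auth_req_id):
        r = self.requests[auth_req_id]
        if r["status"] == "pending":
            return {"error": "authorization_pending"}
        if r["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(24), "scope": r["scope"]}


def run_flow(server, user, user_initiated):
    """One backchannel request for `user`; approval requires matching codes."""
    code_sent = make_binding_code()
    resp = server.bc_authorize("whiteboard", user, "files.read", code_sent)
    # The user's own screen shows the code only if they started this flow.
    on_users_screen = code_sent if user_initiated else None
    for auth_req_id, shown in server.pending_for(user):
        server.decide(auth_req_id, shown == on_users_screen)
    return server.token(resp["auth_req_id"])
```

A request the user did not start carries a code that matches nothing on their screen, so the comparison step turns it into `access_denied` rather than a token.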
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]