Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-06-10 Thread Torsten Lodderstedt
Hi Johan, thanks for your proposal. I’m not sure whether it should go to 3.7.1.4. The reason audience restriction turns up as a subsection of 3.7 is our document is organized by attacks instead of security controls. I could imagine adding a section on audience/action restriction as a subsection of

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-06-01 Thread Daniel Fett
Thank you Travis for your feedback! On 20.03.18 at 12:48 Travis Spencer wrote: > I read through this doc and would like to share a bit of feedback in > hopes that it helps: > > * There is no mention of Content Security Policy (CSP). This is a very > helpful security mechanism that all OAuth serv

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-23 Thread Travis Spencer
On Wed, Mar 21, 2018 at 8:34 PM, Torsten Lodderstedt < tors...@lodderstedt.net> wrote: > The AS MUST take precautions to prevent this threat. > Based on its risk assessment the AS needs to decide whether > it can trust the redirect URI or not and should only automatically > redirect the user agent

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-22 Thread Justin Richer
I like the new text, it frames the error better and puts it in the context where it’s likely to be exploited. I.e., newly dynamically registered clients shouldn’t be trusted as much as others. — Justin > On Mar 22, 2018, at 8:16 AM, Brian Campbell > wrote: > > That works for me > > On Wed, M

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-22 Thread Brian Campbell
That works for me On Wed, Mar 21, 2018 at 7:34 PM, Torsten Lodderstedt < tors...@lodderstedt.net> wrote: > Hi all, > > thanks for your feedback. Here is my text proposal for section 3.8.1. > > —— > > Attackers could try to utilize a user's trust in the authorization > server (and its URL in pa

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-21 Thread Torsten Lodderstedt
Hi all, thanks for your feedback. Here is my text proposal for section 3.8.1. —— Attackers could try to utilize a user's trust in the authorization server (and its URL in particular) for performing phishing attacks. RFC 6749 already prevents open redirects by stating the AS MUST NOT automa

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-21 Thread Travis Spencer
On Wed, Mar 21, 2018 at 8:36 AM, Brian Campbell wrote: > Doing redirection in error conditions relates to OpenID Connect flows too. Also Mobile Connect. Those folks will be very upset by this change, I'm sure. ___ OAuth mailing list OAuth@ietf.org http

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-21 Thread Brian Campbell
Doing redirection in error conditions relates to OpenID Connect flows too. There's been some related discussion recently about it in this issue: https://bitbucket.org/openid/connect/issues/1023/clarify-that-returning-errors-to-the On Tue, Mar 20, 2018 at 7:38 PM, Brian Campbell wrote: > The str

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-20 Thread Jim Manico
If you plan on adding these web layer security suggestions into the OAuth standard I can think of 100-200 more requirements to add. I thought “do web security right” was an implied recommendation? -- Jim Manico @Manicode Secure Coding Education +1 (808) 652-3805 > On Mar 20, 2018, at 5:37 AM, B

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-20 Thread Brian Campbell
The strict redirect_uri matching, referrer-policy headers, and appending a dummy fragment on error redirects are things that protect from token leakage/interception resulting from redirection on error, which is the threat in section 2.2 of -closing-redirectors-00

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-20 Thread Torsten Lodderstedt
Hi Brian, > On 20.03.2018 at 15:37 Brian Campbell wrote: > > +1 to what Travis said about 3.8.1 > > The text in 3.8 about Open Redirection is new in this most recent -05 version > of the draft so this is really the first time it's been reviewed. I believe > 3.8.1 goes too far in saying "th

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-20 Thread Brian Campbell
+1 to what Travis said about 3.8.1 The text in 3.8 about Open Redirection is new in this most recent -05 version of the draft so this is really the first time it's been reviewed. I believe 3.8.1 goes too far in saying "this draft recommends that every invalid authorization request MUST NOT automat

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-20 Thread Travis Spencer
I read through this doc and would like to share a bit of feedback in hopes that it helps: * There is no mention of Content Security Policy (CSP). This is a very helpful security mechanism that all OAuth servers and web-based clients should implement. I think this needs to be addressed in this doc.

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-19 Thread Joseph Heenan
Hi Torsten, As we briefly spoke about earlier, "3.8.1. Authorization Server as Open Redirector" could I think be made more explicit. Currently it explicitly mentions the invalid_request and invalid_scope errors must not redirect back to the client's registered redirect uri. https://tools.ietf.

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-18 Thread Torsten Lodderstedt
Hi all, The new revision contains the following changes: Completed sections on code leakage via referrer header, attacks in browser, mix-up, and CSRF Reworked Code Injection Section Added reference to OpenID Connect spec removed refresh token leakage as respective considerations have been given

[OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-18 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : OAuth 2.0 Security Best Current Practice Authors : Torsten Lodderstedt Jo