Internet DRAFT - draft-fett-oauth-ivar
draft-fett-oauth-ivar
Web Authorization Protocol D. Fett
Internet-Draft yes.com
Intended status: Standards Track J. Bradley
Expires: January 24, 2020 Yubico
July 23, 2019
OAuth 2.0 Integrity Verification for Authorization Requests (IVAR)
draft-fett-oauth-ivar-00
Abstract
This document describes a mechanism for the integrity protection of
OAuth 2.0 authorization requests.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 24, 2020.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Fett & Bradley Expires January 24, 2020 [Page 1]
Internet-Draft oauth-ivar July 2019
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Conventions and Terminology . . . . . . . . . . . . . . . 3
2. Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Client Metadata for IVAR . . . . . . . . . . . . . . . . . . 3
4. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.1. Storing the Authorization Request . . . . . . . . . . . . 4
4.2. IVAR Verification . . . . . . . . . . . . . . . . . . . . 4
5. Fallback if JavaScript is unavailable . . . . . . . . . . . . 5
6. Security Considerations . . . . . . . . . . . . . . . . . . . 5
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
8.1. Normative References . . . . . . . . . . . . . . . . . . 5
8.2. Informative References . . . . . . . . . . . . . . . . . 6
Appendix A. Document History . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
A number of attacks on OAuth 2.0 are based on the fact that the
contents of the OAuth authorization request lack integrity and
authenticity protection. To launch an attack, an attacker might, for
example, start an OAuth flow in his browser, use the authorization
request URI created by the client, and send it to its victim (with or
without manipulations). The victim might then complete the
authorization. Since the attacker knows or has manipulated parts of
the authorization request URI, certain security mechanisms in OAuth
might then not work as expected --- undermining the security of OAuth
or protocols based on OAuth, like OpenID Connect.
Among others, the following attacks are facilitated by the lack of
integrity and authenticity of the authorization request:
o Attacks on the redirection URI, in which an attacker manipulates
the redirection URI and let it point either to a server controlled
by the attacker or an endpoint at the client which discloses
contents of the authorization response to the attacker.
o The PKCE Chosen Challenge Attack, described in [arXiv.1901.11520],
wherein an attacker uses his access to the authorization response
(see attacker model A3 in [I-D.ietf-oauth-security-topics]) to
gain access to the user's resources.
o A variant of the AS Mix-Up attack in which a malicious AS
redirects the user to an honest AS, re-using request parameters.
(See [arXiv.1601.01229] for details.)
Fett & Bradley Expires January 24, 2020 [Page 2]
Internet-Draft oauth-ivar July 2019
While TLS protects the integrity of the authorization request, these
attacks leverage the fact that an attacker can make a victim's
browser visit arbitrary URIs, including those manipulated by the
attacker or obtained by the attacker from one of his own interactions
with the client.
This document describes IVAR, a mechanism for the verification of the
integrity and origin of the contents of the authorization request.
1.1. Conventions and Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
This specification uses the terms "access token", "refresh token",
"authorization server", "resource server", "authorization endpoint",
"authorization request", "authorization response", "token endpoint",
"grant type", "access token request", "access token response", and
"client" defined by The OAuth 2.0 Authorization Framework [RFC6749].
2. Concept
On a high level, IVAR works as follows: When the client starts a new
OAuth authorization flow, it stores the whole authorization URI (or a
hash thereof) in the web storage of the resource owner's browser
under the client's origin. When the AS received the authorization
request, it opens an iframe from a URI the client registered with the
AS beforehand. To this "checking" iframe, the AS sends a cross-
document message (postMessage) containing the whole authorization
request URI as received by the AS. If the URI matches the one stored
by the client earlier, the client responds with a message "ok". If
not, the AS aborts the transaction.
3. Client Metadata for IVAR
Clients that support IVAR register the following metadata parameter
in the OAuth 2.0 Dynamic Client Registration Protocol [RFC7591]:
"ivar_uri". The content MUST be an https URI from which the checking
iframe is loaded by the AS.
Fett & Bradley Expires January 24, 2020 [Page 3]
Internet-Draft oauth-ivar July 2019
4. Protocol
The steps of the IVAR protocol are defined in the following.
4.1. Storing the Authorization Request
Before the client redirects the resource owner's browser to the
authorization server, the client stores information about the full
redirection URI (including query parameters) in the web storage
[WebStorage] of the resource owner's browser. It is at the client's
discretion to store either the full URI or a hash value of the URI.
The data MUST be stored such that it is only accessible to the
client's origin. Its contents MUST NOT be modifiable or readable by
any other origin.
Since multiple OAuth flows may happen in the same browser at the same
time, the storage mechanism MUST be able to store multiple entries in
parallel.
4.2. IVAR Verification
After receiving the authorization request, the AS opens the client's
"ivar_uri" in an iframe in its web site. (The client is identified
using the "client_id" parameter.) The IVAR iframe script from the
client sends a postMessage with the content "ready" to its parent
iframe.
The AS then sends a postMessage containing the full authorization
request URI to the iframe. It is important that the AS limits the
intended receiver of this message to the origin of the "ivar_uri" to
avoid leaking contents of the authorization request URI to an
attacker.
The client's script in the iframe then checks if an exact match of
the authorization request URI sent by the AS can be found in the list
of stored authorization request URIs. If so, it checks that the
postMessage containing the URI was received from the origin of the
authorization request URI. It then sends the string "ok" in a
postMessage to its parent window. It is again important that the
intended receiver of this postMessage is set to the authorization
request's origin.
The AS ensures that the string "ok" is received in a postMessage
originating from the IVAR iframe and the correct origin (from the
"ivar_uri"). Only then it continues with the authorization flow.
Fett & Bradley Expires January 24, 2020 [Page 4]
Internet-Draft oauth-ivar July 2019
If any of these steps fail, the AS MUST abort the authorization flow
and redirect the browser back to the client with an error value of
"ivar_fail".
5. Fallback if JavaScript is unavailable
If the resource owner's browser does not support JavaScript, or
JavaScript is disabled, the client cannot store the redirection URI.
Likewise, the AS cannot run its part of the IVAR protocol. The AS
may skip the IVAR checks if, and only if, it detects that the
resource owner's browser does not have JavaScript enabled (which is
required for IVAR). The respective check for JavaScript support MUST
NOT be open to influence by an attacker.
An attacker cannot usually disable JavaScript in a user's browser for
an origin other than his own. The attacker might, however, trick the
uesr's browser into treating the IVAR checking script on the AS's
origin as part of a cross-site scripting attack and thus disabling
the affected JavaScript. To achieve this, the attacker can add the
text representation of the respective JavaScript in a (new) URI
parameter. Some browser's cross-site scripting auditing engines
string match URI parameters inputs with contents in the source code
of the web page. If a match is found, the respective JavaScript is
disabled.
To avoid disabling of the IVAR checking script by an attacker, AS
MUST disable browser-based detection of cross-site scripting using
the non-standardized header "X-XSS-Protection: 0" or by sufficiently
randomizing the source code of the IVAR checking script.
6. Security Considerations
7. IANA Considerations
8. References
8.1. Normative References
[RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
RFC 6749, DOI 10.17487/RFC6749, October 2012,
<https://www.rfc-editor.org/info/rfc6749>.
[RFC7591] Richer, J., Ed., Jones, M., Bradley, J., Machulak, M., and
P. Hunt, "OAuth 2.0 Dynamic Client Registration Protocol",
RFC 7591, DOI 10.17487/RFC7591, July 2015,
<https://www.rfc-editor.org/info/rfc7591>.
Fett & Bradley Expires January 24, 2020 [Page 5]
Internet-Draft oauth-ivar July 2019
8.2. Informative References
[arXiv.1601.01229]
Fett, D., Kuesters, R., and G. Schmitz, "A Comprehensive
Formal Security Analysis of OAuth 2.0", January 2016,
<http://arxiv.org/abs/1601.01229/>.
[arXiv.1901.11520]
Fett, D., Hosseyni, P., and R. Kuesters, "An Extensive
Formal Security Analysis of the OpenID Financial-grade
API", January 2019, <http://arxiv.org/abs/1901.11520/>.
[I-D.ietf-oauth-security-topics]
Lodderstedt, T., Bradley, J., Labunets, A., and D. Fett,
"OAuth 2.0 Security Best Current Practice", draft-ietf-
oauth-security-topics-13 (work in progress), July 2019.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[WebStorage]
Hickson, I., "Web Storage (Second Edition) - W3C
Recommendation 19 April 2016", Apr 2016,
<https://www.w3.org/TR/webstorage/>.
Appendix A. Document History
[[ To be removed from the final specification ]]
-00
o first draft
Authors' Addresses
Daniel Fett
yes.com
Email: mail@danielfett.de
Fett & Bradley Expires January 24, 2020 [Page 6]
Internet-Draft oauth-ivar July 2019
John Bradley
Yubico
Email: ve7jtb@ve7jtb.com
Fett & Bradley Expires January 24, 2020 [Page 7]