idnits 2.17.1 

draft-ietf-oauth-security-topics-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There is 1 instance of too long lines in the document, the longest one
     being 4 characters in excess of 72.

  == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the
     document.

  == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (September 10, 2017) is 2420 days in the past.  Is
     this intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Best Current Practice
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Downref: Normative reference to an Informational RFC: RFC 6819

  ** Obsolete normative reference: RFC 7231 (Obsoleted by RFC 9110)

  == Outdated reference: A later version (-09) exists of
     draft-bradley-oauth-jwt-encoded-state-07

  == Outdated reference: A later version (-10) exists of
     draft-ietf-oauth-discovery-07

  == Outdated reference: A later version (-17) exists of
     draft-ietf-oauth-mtls-03

  == Outdated reference: A later version (-07) exists of
     draft-ietf-oauth-pop-key-distribution-03

  == Outdated reference: A later version (-08) exists of
     draft-ietf-oauth-token-binding-04

  == Outdated reference: A later version (-18) exists of
     draft-ietf-tokbind-https-10

  == Outdated reference: A later version (-05) exists of
     draft-sakimura-oauth-jpop-04


     Summary: 3 errors (**), 0 flaws (~~), 10 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Open Authentication Protocol                         T. Lodderstedt, Ed.
3	Internet-Draft                                             YES Europe AG
4	Intended status: Best Current Practice                        J. Bradley
5	Expires: March 14, 2018                                           Yubico
6	                                                             A. Labunets
7	                                                                Facebook
8	                                                      September 10, 2017

10	                         OAuth Security Topics
11	                  draft-ietf-oauth-security-topics-03

13	Abstract

15	   This draft gives a comprehensive overview on open OAuth security
16	   topics.  It is intended to serve as a working document for the OAuth
17	   working group to systematically capture and discuss these security
18	   topics and respective mitigations and eventually recommend best
19	   current practice and also OAuth extensions needed to cope with the
20	   respective security threats.

22	Status of This Memo

24	   This Internet-Draft is submitted in full conformance with the
25	   provisions of BCP 78 and BCP 79.

27	   Internet-Drafts are working documents of the Internet Engineering
28	   Task Force (IETF).  Note that other groups may also distribute
29	   working documents as Internet-Drafts.  The list of current Internet-
30	   Drafts is at https://datatracker.ietf.org/drafts/current/.

32	   Internet-Drafts are draft documents valid for a maximum of six months
33	   and may be updated, replaced, or obsoleted by other documents at any
34	   time.  It is inappropriate to use Internet-Drafts as reference
35	   material or to cite them other than as "work in progress."

37	   This Internet-Draft will expire on March 14, 2018.

39	Copyright Notice

41	   Copyright (c) 2017 IETF Trust and the persons identified as the
42	   document authors.  All rights reserved.

44	   This document is subject to BCP 78 and the IETF Trust's Legal
45	   Provisions Relating to IETF Documents
46	   (https://trustee.ietf.org/license-info) in effect on the date of
47	   publication of this document.  Please review these documents
48	   carefully, as they describe your rights and restrictions with respect
49	   to this document.  Code Components extracted from this document must
50	   include Simplified BSD License text as described in Section 4.e of
51	   the Trust Legal Provisions and are provided without warranty as
52	   described in the Simplified BSD License.

54	Table of Contents

56	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
57	   2.  Recommended Best Practice . . . . . . . . . . . . . . . . . .   4
58	     2.1.  Protecting redirect-based flows . . . . . . . . . . . . .   4
59	     2.2.  TBD . . . . . . . . . . . . . . . . . . . . . . . . . . .   5
60	   3.  Recommended modifications and extensions to OAuth . . . . . .   5
61	   4.  OAuth Credentials Leakage . . . . . . . . . . . . . . . . . .   5
62	     4.1.  Insufficient redirect URI validation  . . . . . . . . . .   5
63	       4.1.1.  Attacks on Authorization Code Grant . . . . . . . . .   6
64	       4.1.2.  Attacks on Implicit Grant . . . . . . . . . . . . . .   7
65	       4.1.3.  Proposed Countermeasures  . . . . . . . . . . . . . .   8
66	     4.2.  Authorization code leakage via referrer headers . . . . .  10
67	       4.2.1.  Proposed Countermeasures  . . . . . . . . . . . . . .  10
68	     4.3.  Attacks in the Browser  . . . . . . . . . . . . . . . . .  10
69	       4.3.1.  Code in browser history (TBD) . . . . . . . . . . . .  11
70	       4.3.2.  Access token in browser history (TBD) . . . . . . . .  11
71	       4.3.3.  Javascript Code stealing Access Tokens (TBD)  . . . .  11
72	     4.4.  Access Token Leakage at the Resource Server . . . . . . .  11
73	       4.4.1.  Access Token Phishing by Counterfeit Resource Server   11
74	         4.4.1.1.  Metadata  . . . . . . . . . . . . . . . . . . . .  12
75	         4.4.1.2.  Sender Constrained Access Tokens  . . . . . . . .  13
76	         4.4.1.3.  Audience Restricted Access Tokens . . . . . . . .  15
77	       4.4.2.  Compromised Resource Server . . . . . . . . . . . . .  16
78	       4.4.3.  TLS Terminating Reverse Proxies . . . . . . . . . . .  17
79	     4.5.  Mix-Up  . . . . . . . . . . . . . . . . . . . . . . . . .  18
80	     4.6.  Refresh Token Leakage . . . . . . . . . . . . . . . . . .  18
81	   5.  OAuth Credentials Injection . . . . . . . . . . . . . . . . .  19
82	     5.1.  Code Injection  . . . . . . . . . . . . . . . . . . . . .  19
83	       5.1.1.  Proposed Countermeasures  . . . . . . . . . . . . . .  21
84	     5.2.  Access Token Injection (TBD)  . . . . . . . . . . . . . .  22
85	     5.3.  XSRF (TBD)  . . . . . . . . . . . . . . . . . . . . . . .  23
86	   6.  Other Attacks . . . . . . . . . . . . . . . . . . . . . . . .  23
87	   7.  Other Topics  . . . . . . . . . . . . . . . . . . . . . . . .  23
88	   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  24
89	   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  24
90	   10. Security Considerations . . . . . . . . . . . . . . . . . . .  24
91	   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  24
92	     11.1.  Normative References . . . . . . . . . . . . . . . . . .  24
93	     11.2.  Informative References . . . . . . . . . . . . . . . . .  25
94	   Appendix A.  Document History . . . . . . . . . . . . . . . . . .  26
95	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  27

97	1.  Introduction

99	   It's been a while since OAuth has been published in RFC 6749
100	   [RFC6749] and RFC 6750 [RFC6750].  Since publication, OAuth 2.0 has
101	   gotten massive traction in the market and became the standard for API
102	   protection and, as foundation of OpenID Connect, identity providing.
103	   While OAuth was used in a variety of scenarios and different kinds of
104	   deployments, the following challenges could be observed:

106	   o  OAuth implementations are being attacked through known
107	      implementation weaknesses and anti-patterns (XSRF, referrer
108	      header).  Although most of these threats are discussed in RFC 6819
109	      [RFC6819], continued exploitation demonstrates there may be a need
110	      for more specific recommendations or that the existing mitigations
111	      are too difficult to deploy.

113	   o  Technology has changed, e.g. the way browsers treat fragments in
114	      some situations, which may change the implicit grant's underlying
115	      security model.

117	   o  OAuth is used in much more dynamic setups than originally
118	      anticipated, creating new challenges with respect to security.
119	      Those challenges go beyond the original scope of RFC 6749
120	      [RFC6749], RFC 6750 [RFC6749], and RFC 6819 [RFC6819].

122	   OAuth initially assumed a static relationship between client,
123	   authorization server and resource servers.  The URLs of AS and RS
124	   were known to the client at deployment time and built an anchor for
125	   the trust relationsship among those parties.  The validation whether
126	   the client talks to a legitimate server was based on TLS server
127	   authentication (see [RFC6819], Section 4.5.4).  With the increasing
128	   adoption of OAuth, this simple model dissolved and, in several
129	   scenarios, was replaced by a dynamic establishment of the
130	   relationship between clients on one side and the authorization and
131	   resource servers of a particular deployment on the other side.  This
132	   way the same client could be used to access services of different
133	   providers (in case of standard APIs, such as e-Mail or OpenID
134	   Connect) or serves as a frontend to a particular tenant in a multi-
135	   tenancy.  Extensions of OAuth, such as [RFC7591] and
136	   [I-D.ietf-oauth-discovery] were developed in order to support the
137	   usage of OAuth in dynamic scenarios.  As a challenge to the
138	   community, such usage scenarios open up new attack angles, which are
139	   discussed in this document.

141	   The remainder of the document is organized as follows: The next
142	   section gives a summary of the set of security mechanisms and
143	   practices, the working group shall consider to recommend to OAuth
144	   implementers.  This is followed by a section proposing modifications
145	   to OAuth intended to either simplify its usage and to strengthen its
146	   security.

148	   The remainder of the draft gives a detailed analyses of the
149	   weaknesses and implementation issues, which can be found in the wild
150	   today along with a discussion of potential counter measures.  First,
151	   various scenarios how OAuth credentials (namely access tokens and
152	   authorization codes) may be disclosed to attackers and proposes
153	   countermeasures are discussed.  Afterwards, the document discusses
154	   attacks possible with captured credential and how they may be
155	   prevented.  The last sections discuss additional threats.

157	2.  Recommended Best Practice

159	   This section describes the set of security mechanisms the authors
160	   believe should be taken into consideration by the OAuth working group
161	   to be recommended to OAuth implementers.

163	2.1.  Protecting redirect-based flows

165	   Authorization servers shall utilize exact matching of client redirect
166	   URIs against pre-registered URIs.  This measure contributes to the
167	   prevention of leakage of authorization codes and access tokens
168	   (depending on the grant type).  It also helps to detect mix up
169	   attacks.

171	   Clients shall avoid any redirects or forwards, which can be
172	   parameterized by URI query parameters, in order to provide a further
173	   layer of defence against token leakage.  If there is a need for this
174	   kind of redirects, clients are advised to implement appropriate
175	   counter measures against open redirection, e.g. as described by the
176	   OWASP [owasp].

178	   Clients shall ensure to only process redirect responses of the OAuth
179	   authorization server they send the respective request to and in the
180	   same user agent this request was initiated in.  In particular,
181	   clients shall implement appropriate XSRF prevention by utilizing one-
182	   time use XSRF tokens carried in the STATE parameter, which are
183	   securely bound to the user agent.  Moreover, the client shall store
184	   the authorization server's identity it sends an authorization request
185	   to in a transaction-specific manner, which is also bound to the
186	   particular user agent.  Furthermore, clients should use AS-specific
187	   redirect URIs as a means to identify the AS a particular response
188	   came from.  Matching this with the before mentioned information
189	   regarding the AS the client sent the request to helps to detect mix-
190	   up attacks.

192	   Note: [I-D.bradley-oauth-jwt-encoded-state] gives advice on how to
193	   implement XSRF prevention and AS matching using signed JWTs in the
194	   STATE parameter.

196	   Clients shall use PKCE [RFC7636] in order to (with the help of the
197	   authorization server) detect attempts to inject authorization codes
198	   into the authorization response.  The PKCE challenges must be
199	   transaction-specific and securely bound to the user agent, in which
200	   the transaction was started.

202	   Note: although PKCE so far was recommended as mechanism to protect
203	   native apps, this advice applies to all kinds of OAuth clients,
204	   including web applications.

206	2.2.  TBD

208	   Add further topics:

210	   o  Access Token Leakage at resource servers

212	3.  Recommended modifications and extensions to OAuth

214	   This section describes the set of modifications and extensions the
215	   authors believe should be taken into consideration by the OAuth
216	   working group change and extend OAuth in order to strengthen its
217	   security and make it simpler to implement.  It also recommends some
218	   changes to the OAuth set of specs.

220	   Remove requirement to check actual redirect URI at token endpoint -
221	   seems to be complicated to implement properly and could be
222	   compromised.  The protection goal is achieved even more effective by
223	   utilizing PKCE as recommended in Section 2.1.

225	4.  OAuth Credentials Leakage

227	   This section describes a couple of different ways how OAuth
228	   credentials, namely authorization codes and access tokens, can be
229	   exposed to attackers.

231	4.1.  Insufficient redirect URI validation

233	   Some authorization servers allow clients to register redirect URI
234	   patterns instead of complete redirect URIs.  In those cases, the
235	   authorization server, at runtime, matches the actual redirect URI
236	   parameter value at the authorization endpoint against this pattern.
237	   This approach allows clients to encode transaction state into
238	   additional redirect URI parameters or to register just a single
239	   pattern for multiple redirect URIs.  As a downside, it turned out to
240	   be more complex to implement and error prone to manage than exact
241	   redirect URI matching.  Several successful attacks have been observed
242	   in the wild, which utilized flaws in the pattern matching
243	   implementation or concrete configurations.  Such a flaw effectively
244	   breaks client identification or authentication (depending on grant
245	   and client type) and allows the attacker to obtain an authorization
246	   code or access token, either:

248	   o  by directly sending the user agent to a URI under the attackers
249	      control or

251	   o  by exposing the OAuth credentials to an attacker by utilizing an
252	      open redirector at the client in conjunction with the way user
253	      agents handle URL fragments.

255	4.1.1.  Attacks on Authorization Code Grant

257	   For a public client using the grant type code, an attack would look
258	   as follows:

260	   Let's assume the redirect URL pattern "https://*.example.com/*" had
261	   been registered for the client "s6BhdRkqt3".  This pattern allows
262	   redirect URIs from any host residing in the domain example.com.  So
263	   if an attacker manager to establish a host or subdomain in
264	   "example.com" he can impersonate the legitimate client.  Assume the
265	   attacker sets up the host "evil.example.com".

267	   (1)  The attacker needs to trick the user into opening a tampered URL
268	        in his browser, which launches a page under the attacker's
269	        control, say "https://www.evil.com".

271	   (2)  This URL initiates an authorization request with the client id
272	        of a legitimate client to the authorization endpoint.  This is
273	        the example authorization request (line breaks are for display
274	        purposes only):

276	   GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
277	     &redirect_uri=https%3A%2F%2Fevil.example.com%2Fcb HTTP/1.1
278	   Host: server.example.com

280	   (1)  The authorization validates the redirect URI in order to
281	        identify the client.  Since the pattern allows arbitrary domains
282	        host names in "example.com", the authorization request is
283	        processed under the legitimate client's identity.  This includes
284	        the way the request for user consent is presented to the user.
285	        If auto-approval is allowed (which is not recommended for public
286	        clients according to RFC 6749), the attack can be performed even
287	        easier.

289	   (2)  If the user does not recognize the attack, the code is issued
290	        and directly sent to the attacker's client.

292	   (3)  Since the attacker impersonated a public client, it can directly
293	        exchange the code for tokens at the respective token endpoint.

295	   Note: This attack will not directly work for confidential clients,
296	   since the code exchange requires authentication with the legitimate
297	   client's secret.  The attacker will need to utilize the legitimate
298	   client to redeem the code (e.g. by mounting a code injection attack).
299	   This and other kinds of injections are covered in
300	   Section OAuth Credentials Injection.

302	4.1.2.  Attacks on Implicit Grant

304	   The attack described above works for the implicit grant as well.  If
305	   the attacker is able to send the authorization response to a URI
306	   under his control, he will directly get access to the fragment
307	   carrying the access token.

309	   Additionally, implicit clients can be subject to a further kind of
310	   attacks.  It utilizes the fact that user agents re-attach fragments
311	   to the destination URL of a redirect if the location header does not
312	   contain a fragment (see [RFC7231], section 9.5).  The attack
313	   described here combines this behavior with the client as an open
314	   redirector in order to get access to access tokens.  This allows
315	   circumvention even of strict redirect URI patterns (but not strict
316	   URL matching!).

318	   Assume the pattern for client "s6BhdRkqt3" is
319	   "https://client.example.com/cb?*", i.e. any parameter is allowed for
320	   redirects to "https://client.example.com/cb".  Unfortunately, the
321	   client exposes an open redirector.  This endpoint supports a
322	   parameter "redirect_to", which takes a target URL and will send the
323	   browser to this URL using a HTTP 302.

325	   (1)  Same as above, the attacker needs to trick the user into opening
326	        a tampered URL in his browser, which launches a page under the
327	        attacker's control, say "https://www.evil.com".

329	   (2)  The URL initiates an authorization request, which is very
330	        similar to the attack on the code flow.  As differences, it
331	        utilizes the open redirector by encoding
332	        "redirect_to=https://client.evil.com" into the redirect URI and
333	        it uses the response type "token" (line breaks are for display
334	        purposes only):

336	   GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz
337	     &redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb%26redirect_to
338	     %253Dhttps%253A%252F%252Fclient.evil.com%252Fcb HTTP/1.1
339	   Host: server.example.com

341	   (1)  Since the redirect URI matches the registered pattern, the
342	        authorization server allows the request and sends the resulting
343	        access token with a 302 redirect (some response parameters are
344	        omitted for better readability)

346	   HTTP/1.1 302 Found
347	     Location: https://client.example.com/cb?
348	     redirect_to%3Dhttps%3A%2F%2Fclient.evil.com%2Fcb
349	     #access_token=2YotnFZFEjr1zCsicMWpAA&...

351	   (2)  At the example.com, the request arrives at the open redirector.
352	        It will read the redirect parameter and will issue a HTTP 302 to
353	        the URL "https://evil.example.com/cb".

355	   HTTP/1.1 302 Found
356	        Location: https://client.evil.com/cb

358	   (3)  Since the redirector at example.com does not include a fragment
359	        in the Location header, the user agent will re-attach the
360	        original fragment
361	        "#access_token=2YotnFZFEjr1zCsicMWpAA&..." to the URL and will
362	        navigate to the following URL:

364	   https://client.evil.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA&...

366	   (4)  The attacker's page at client.evil.com can access the fragment
367	        and obtain the access token.

369	4.1.3.  Proposed Countermeasures

371	   The complexity of implementing and managing pattern matching
372	   correctly obviously causes security issues.  This document therefore
373	   proposes to simplify the required logic and configuration by using
374	   exact redirect URI matching only.  This means the authorization
375	   server shall compare the two URIs using simple string comparison as
376	   defined in [RFC3986], Section 6.2.1..

378	   This would cause the following impacts:

380	   o  This change will require all OAuth clients to maintain the
381	      transaction state (and XSRF tokens) in the "state" parameter.
382	      This is a normative change to RFC 6749 since section 3.1.2.2
383	      allows for dynamic URI query parameters in the redirect URI.  In
384	      order to assess the practical impact, the working group needs to
385	      collect data on whether this feature is really used in deployments
386	      today.

388	   o  The working group may also consider this change as a step towards
389	      improved interoperability for OAuth implementations since RFC 6749
390	      is somewhat vague on redirect URI validation.  Notably there are
391	      no rules for pattern matching.  One may therefore assume all
392	      clients utilizing pattern matching will do so in a deployment
393	      specific way.  On the other hand, RFC 6749 already recommends
394	      exact matching if the full URL had been registered.

396	   o  Clients with multiple redirect URIs need to register all of them
397	      explicitly.
398	      Note: clients with just a single redirect URI would not even need
399	      to send a redirect URI with the authorization request.  Does it
400	      make sense to emphasize this option?  Would that further simplify
401	      use of the protocol and foster security?

403	   o  Exact redirect matching does not work for native apps utilizing a
404	      local web server due to dynamic port numbers - at least wild cards
405	      for port numbers are required.
406	      Question: Does redirect uri validation solve any problem for
407	      native apps?  Effective against impersonation when used in
408	      conjunction with claimed HTTPS redirect URIs only.
409	      For Windows token broker exact redirect URI matching is important
410	      as the redirect URI encodes the app identity.  For custom scheme
411	      redirects there is a question however it is probably a useful part
412	      of defense in depth.

414	   Additional recommendations:

416	   o  Servers on which callbacks are hosted must not expose open
417	      redirectors (see respective section).

419	   o  Clients may drop fragments via intermediary URLs with "fix
420	      fragments" (e.g. https://developers.facebook.com/blog/post/552/)
421	      to prevent the user agent from appending any unintended fragments.

423	   Alternatives to exact redirect URI matching:

425	   o  authenticate client using digital signatures (JAR?
426	      https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-09)

428	4.2.  Authorization code leakage via referrer headers

430	   It is possible authorization codes are unintentionally disclosed to
431	   attackers, if a OAuth client renders a page containing links to other
432	   pages (ads, faq, ...) as result of a successful authorization
433	   request.

435	   If the user clicks onto one of those links and the target is under
436	   the control of an attacker, it can get access to the response URL in
437	   the referrer header.

439	   It is also possible that an attacker injects cross-domain content
440	   somehow into the page, such as <img> (f.e. if this is blog web site
441	   etc.): the implication is obviously the same - loading this content
442	   by browser results in leaking referrer with a code.

444	4.2.1.  Proposed Countermeasures

446	   There are some means to prevent leakage as described above:

448	   o  Use of the HTML link attribute rel="noreferrer" (Chrome
449	      52.0.2743.116, FF 49.0.1, Edge 38.14393.0.0, IE/Win10)

451	   o  Use of the "referrer" meta link attribute (possible values e.g.
452	      noreferrer, origin, ...) (cf. https://w3c.github.io/webappsec-
453	      referrer-policy/ - work in progress (seems Google, Chrome and Edge
454	      support it))

456	   o  Redirect to intermediate page (sanitize history) before sending
457	      user agent to other pages
458	      Note: double check redirect/referrer header behavior

460	   o  Use form post mode instead of redirect for authorization response
461	      (don't transport credentials via URL parameters and GET)

463	   Note: There shouldn't be a referer header when loading HTTP content
464	   from a HTTPS -loaded page (e.g. help/faq pages)

466	   Note: This kind of attack is not applicable to the implicit grant
467	   since fragments are not be included in referrer headers (cf.
468	   https://tools.ietf.org/html/rfc7231#section-5.5.2)

470	4.3.  Attacks in the Browser
471	4.3.1.  Code in browser history (TBD)

473	   When browser navigates to "client.com/redirection_endpoint?code=abcd"
474	   as a result of a redirect from a provider's authorization endpoint.

476	   Proposed countermeasures: code is one time use, has limited duration,
477	   is bound to client id/secret (confidential clients only)

479	4.3.2.  Access token in browser history (TBD)

481	   When a client or just a web site which already has a token
482	   deliberately navigates to a page like provider.com/
483	   get_user_profile?access_token=abcdef.. Actually RFC6750 discourages
484	   this practice and asks to transfer tokens via a header, but in
485	   practice web sites often just pass access token in query

487	   When browser navigates to client.com/
488	   redirection_endpoint#access_token=abcef as a result of a redirect
489	   from a provider's authorization endpoint.

491	   Proposal: replace implicit flow with postmessage communication

493	4.3.3.  Javascript Code stealing Access Tokens (TBD)

495	   sandboxing using service workers

497	4.4.  Access Token Leakage at the Resource Server

499	4.4.1.  Access Token Phishing by Counterfeit Resource Server

501	   An attacker may setup his own resource server and trick a client into
502	   sending access tokens to it, which are valid for other resource
503	   servers.  If the client sends a valid access token to this
504	   counterfeit resource server, the attacker in turn may use that token
505	   to access other services on behalf of the resource owner.

507	   This attack assumes the client is not bound to a certain resource
508	   server (and the respective URL) at development time, but client
509	   instances are configured with an resource server's URL at runtime.
510	   This kind of late binding is typical in situations, where the client
511	   uses a standard API, e.g. for e-Mail, calendar, health, or banking
512	   and is configured by an user or administrator for the standard-based
513	   service, this particular user or company uses.

515	   There are several potential mitigation strategies, which will be
516	   discussed in the following sections.

518	4.4.1.1.  Metadata

520	   An authorization server could provide the client with additional
521	   information about the location where it is safe to use its access
522	   tokens.

524	   In the simplest form, this would require the AS to publish a list of
525	   its known resource servers, illustrated in the following example
526	   using a metadata parameter "resource_servers":

528	   HTTP/1.1 200 OK
529	   Content-Type: application/json

531	   {
532	     "issuer":"https://server.example.com",
533	     "authorization_endpoint":"https://server.example.com/authorize",
534	     "resource_servers":[
535	       "email.example.com",
536	       "storage.example.com",
537	       "video.example.com"]
538	     ...
539	   }

541	   The AS could also return the URL(s) an access token is good for in
542	   the token response, illustrated by the example return parameter
543	   "access_token_resource_server":

545	HTTP/1.1 200 OK
546	Content-Type: application/json;charset=UTF-8
547	Cache-Control: no-store
548	Pragma: no-cache

550	{
551	  "access_token":"2YotnFZFEjr1zCsicMWpAA",
552	  "access_token_resource_server":"https://hostedresource.example.com/path1",
553	...
554	}

556	   This mitigation strategy would rely on the client to enforce the
557	   security policy and to only send access tokens to legitimate
558	   destinations.  Results of OAuth related security research (see for
559	   example [oauth_security_ubc] and [oauth_security_cmu]) indicate a
560	   large portion of client implementations do not or fail to properly
561	   implement security controls, like state checks.  So relying on
562	   clients to detect and properly handle access token phishing is likely
563	   to fail as well.  Moreover given the ratio of clients to
564	   authorization and resource servers, it is considered the more viable
565	   approach to move as much as possible security-related logic to those
566	   entities.  Clearly, the client has to contribute to the overall
567	   security.  But there are alternative counter measures, as described
568	   in the next sections, which provide a better balance between the
569	   involved parties.

571	4.4.1.2.  Sender Constrained Access Tokens

573	   As the name suggests, sender constraint access token scope the
574	   applicability of an access token to a certain sender.  This sender is
575	   obliged to demonstrate knowledge of a certain secret as prerequisite
576	   for the acceptance of that token at a resource server.

578	   A typical flow looks like this:

580	   1.  The authorization server associates data with the access token,
581	       which bind this particular token to a certain client.  The
582	       binding can utilize the client identity, but in most cases the AS
583	       utilizes key material (or data derived from the key material)
584	       known to the client.

586	   2.  This key material must be distributed somehow.  Either the key
587	       material already exists before the AS creates the binding or the
588	       AS creates ephemeral keys.  The way pre-existing key material is
589	       distributed varies among the different approaches.  For example,
590	       X.509 Certificates can be used in which case the distribution
591	       happens explicitly during the enrollment process.  Or the key
592	       material is created and distributed at the TLS layer, in which
593	       case it might automatically happens during the setup of a TLS
594	       connection.

596	   3.  The RS must implement the actual proof of possession check.  This
597	       is typically done on the application level, it may utilize
598	       capabilities of the transport layer (e.g.  TLS).  Note: replay
599	       detection is required as well!

601	   There exists several proposals to demonstrate the proof of possession
602	   in the scope of the OAuth working group:

604	   o  [I-D.ietf-oauth-token-binding]: In this approach, an access tokens
605	      is, via the so-called token binding id, bound to key material
606	      representing a long term association between a client and a
607	      certain TLS host.  Negotiation of the key material and proof of
608	      possession in the context of a TLS handshake is taken care of by
609	      the TLS stack.  The client needs to determine the token binding id
610	      of the target resource server and pass this data to the access
611	      token request.  The authorization server than associates the
612	      access token with this id.  The resource server checks on every
613	      invocation that the token binding id of the active TLS connection
614	      and the token binding id of associated with the access token
615	      match.  Since all crypto-related functions are covered by the TLS
616	      stack, this approach is very client developer friendly.  As a
617	      prerequisite, token binding as described in
618	      [I-D.ietf-tokbind-https] (including federated token bindings) must
619	      be supported on all ends (client, authorization server, resource
620	      server).

622	   o  [I-D.ietf-oauth-mtls]: The approach as specified in this document
623	      allow use of mutual TLS for both client authentication and sender
624	      constraint access tokens.  For the purpose of sender constraint
625	      access tokens, the client is identified towards the resource
626	      server by the fingerprint of its public key.  During processing of
627	      an access token request, the authorization server obtains the
628	      client's public key from the TLS stack and associates its
629	      fingerprint with the respective access tokens.  The resource
630	      server in the same way obtains the public key from the TLS stack
631	      and compares its fingerprint with the fingerprint associated with
632	      the access token.

634	   o  [I-D.ietf-oauth-signed-http-request] specifies an approach to sign
635	      HTTP requests.  It utilizes [I-D.ietf-oauth-pop-key-distribution]
636	      and represents the elements of the signature in a JSON object.
637	      The signature is built using JWS.  The mechanism has built-in
638	      support for signing of HTTP method, query parameters and headers.
639	      It also incorporates a timestamp as basis for replay detection.

641	   o  [I-D.sakimura-oauth-jpop]: this draft describes different ways to
642	      constrain access token usage, namely TLS or request signing.
643	      Note: Since the authors of this draft contributed the TLS-related
644	      proposal to [I-D.ietf-oauth-mtls], this document only considers
645	      the request signing part.  For request signing, the draft utilizes
646	      [I-D.ietf-oauth-pop-key-distribution] and RFC 7800 [RFC7800].  The
647	      signature data is represented in a JWT and JWS is used for
648	      signing.  Replay detection is provided by building the signature
649	      over a server-provided nonce, client-provided nonce and a nonce
650	      counter.

652	   [I-D.ietf-oauth-mtls] and [I-D.ietf-oauth-token-binding] are built on
653	   top of TLS and this way continue the successful OAuth 2.0 philosophy
654	   to leverage TLS to secure OAuth wherever possible.  Both mechanisms
655	   allow prevention of access token leakage in a fairly client developer
656	   friendly way.

658	   There are some differences between both approaches: To start with, in
659	   [I-D.ietf-oauth-token-binding] all key material is automatically
660	   managed by the TLS stack whereas [I-D.ietf-oauth-mtls] requires the
661	   developer to create and maintain the key pairs and respective
662	   certificates.  Use of self-signed certificates, which is supported by
663	   the draft, significantly reduce the complexity of this task.
664	   Furthermore, [I-D.ietf-oauth-token-binding] allows to use different
665	   key pairs for different resource servers, which is a privacy benefit.
666	   On the other hand, [I-D.ietf-oauth-mtls] only requires widely
667	   deployed TLS features, which means it might be easier to adopt in the
668	   short term.

670	   Application level signing approaches, like
671	   [I-D.ietf-oauth-signed-http-request] and [I-D.sakimura-oauth-jpop]
672	   have been debated for a long time in the OAuth working group without
673	   a clear outcome.

675	   As one advantage, application-level signing allows for end-to-end
676	   protection including non-repudiation even if the TLS connection is
677	   terminated between client and resource server.  But deployment
678	   experiences have revealed challenges regarding robustness (e.g.
679	   reproduction of the signature base string including correct URL) as
680	   well as state management (e.g. replay detection).

682	   This document therefore recommends implementors to consider one of
683	   TLS-based approaches wherever possible.

685	4.4.1.3.  Audience Restricted Access Tokens

687	   An audience restriction essentially restricts the resource server a
688	   particular access token can be used at.  The authorization server
689	   associates the access token with a certain resource server and every
690	   resource server is obliged to verify for every request, whether the
691	   access token send with that request was meant to be used at the
692	   particular resource server.  If not, the resource server must refuse
693	   to serve the respective request.  In the general case, audience
694	   restrictions limit the impact of a token leakage.  In the case of a
695	   counterfeit resource server, it may (as described see below) also
696	   prevent abuse of the phished access token at the legitimate resource
697	   server.

699	   The audience can basically be expressed using logical names or
700	   physical addresses (like URLs).  In order to detect phishing, it is
701	   necessary to use the actual URL the client will send requests to.  In
702	   the phishing case, this URL will point to the counterfeit resource
703	   server.  If the attacker tries to use the access token at the
704	   legitimate resource server (which has a different URL), the resource
705	   server will detect the mismatch (wrong audience) and refuse to serve
706	   the request.

708	   In deployments where the authorization server knows the URLs of all
709	   resource servers, the authorization server may just refuse to issue
710	   access tokens for unknown resource server URLs.

712	   The client needs to tell the authorization server, at which URL it
713	   will use the access token it is requesting.  It could use the
714	   mechanism proposed [I-D.campbell-oauth-resource-indicators] or encode
715	   the information in the scope value.

717	   Instead of the URL, it is also possible to utilize the fingerprint of
718	   the resource server's X.509 certificate as audience value.  This
719	   variant would also allow to detect an attempt to spoof the legit
720	   resource server's URL by using a valid TLS certificate obtained from
721	   a different CA.  It might also be considered a privacy benefit to
722	   hide the resource server URL from the authorization server.

724	   Audience restriction seems easy to use since it does not require any
725	   crypto on the client side.  But since every access token is bound to
726	   a certain resource server, the client also needs to obtain different
727	   RS-specific access tokens, if it wants to access several resource
728	   services.  [I-D.ietf-oauth-token-binding] has the same property,
729	   since different token binding ids must be associated with the access
730	   token.  [I-D.ietf-oauth-mtls] on the other hand allows a client to
731	   use the access token at multiple resource servers.

733	   It shall be noted that audience restrictions, or generally speaking
734	   an indication by the client to the authorization server where it
735	   wants to use the access token, has additional benefits beyond the
736	   scope of token leakage prevention.  It allows the authorization
737	   server to create different access token whose format and content is
738	   specifically minted for the respective server.  This has huge
739	   functional and privacy advantages in deployments using structured
740	   access tokens.

742	4.4.2.  Compromised Resource Server

744	   An attacker may compromise a resource server in order to get access
745	   to its resources and other resources of the respective deployment.
746	   Such a compromise may range from partial access to the system, e.g.
747	   its logfiles, to full control of the respective server.

749	   If the attacker was able to take over full control including shell
750	   access it will be able to circumvent all controls in place and access
751	   resources without access control.  It will also get access to access
752	   tokens, which are sent to the compromised system and which
753	   potentially are valid for access to other resource servers as well.
754	   Even if the attacker "only" is able to access logfiles or databases
755	   of the server system, it may get access to valid access tokens.

757	   Preventing and detecting server breaches by way of hardening and
758	   monitoring server systems is considered a standard operational
759	   procedure and therefore out of scope of this document.  This section
760	   will focus on the impact of such breaches on OAuth-related parts of
761	   the ecosystem, which is the replay of captured access tokens on the
762	   compromised resource server and other resource servers of the
763	   respective deployment.

765	   The following measures shall be taken into account by implementors in
766	   order to cope with access token replay:

768	   o  The resource server must treat access tokens like any other
769	      credentials.  It is considered good practice to not log them and
770	      not to store them in plain text.

772	   o  Sender constraint access tokens as described in Section 4.4.1.2
773	      will prevent the attacker from replaying the access tokens on
774	      other resource servers.  Depending on the severity of the
775	      penetration, it will also prevent replay on the compromised
776	      system.

778	   o  Audience restriction as described in Section 4.4.1.3 may be used
779	      to prevent replay of captured access tokens on other resource
780	      servers.

782	4.4.3.  TLS Terminating Reverse Proxies

784	   A common deployment architecture for HTTP applications is to have the
785	   application server sitting behind a reverse proxy, which terminates
786	   the TLS connection and dispatches the incoming requests to the
787	   respective application server nodes.

789	   This section highlights some attack angles of this deployment
790	   architecture, which are relevant to OAuth, and give recommendations
791	   for security controls.

793	   In some situations, the reverse proxy needs to pass security-related
794	   data to the upstream application servers for further processing.
795	   Examples include the IP address of the request originator, token
796	   binding ids and authenticated TLS client certificates.

798	   If the reverse proxy would pass through any header sent from the
799	   outside, an attacker could try to directly send the faked header
800	   values through the proxy to the application server in order to
801	   circumvent security controls that way.  For example, it is standard
802	   practice of reverse proxies to accept "forwarded_for" headers and
803	   just add the origin of the inbound request (making it a list).
804	   Depending on the logic performed in the application server, the
805	   attacker could simply add a whitelisted IP address to the header and
806	   render a IP whitelist useless.  A reverse proxy must therefore
807	   sanitize any inbound requests to ensure the authenticity and
808	   integrity of all header values relevant for the security of the
809	   application servers.

811	   If an attacker would be able to get access to the internal network
812	   between proxy and application server, it could also try to circumvent
813	   security controls in place.  It is therefore important to ensure the
814	   authenticity of the communicating entities.  Furthermore, the
815	   communication link between reverse proxy and application server must
816	   therefore be protected against tapping and injection (including
817	   replay prevention).

819	4.5.  Mix-Up

821	   Mix-up is another kind of attack on more dynamic OAuth scenarios (or
822	   at least scenarios where a OAuth client interacts with multiple
823	   authorization servers).  The goal of the attack is to obtain an
824	   authorization code or an access token by tricking the client into
825	   sending those credentials to the attacker (which acts as MITM between
826	   client and authorization server)

828	   A detailed description of the attack and potential countermeasures is
829	   given in cf. https://tools.ietf.org/html/draft-ietf-oauth-mix-up-
830	   mitigation-01.

832	   Potential mitigations:

834	   o  AS returns client_id and its iss in the response.  Client compares
835	      this data to AS it believed it sent the user agent to.

837	   o  ID token carries client id and issuer (requires OpenID Connect)

839	   o  Clients use AS-specific redirect URIs, for every authorization
840	      request store intended AS and compare intention with actual
841	      redirect URI where the response was received (no change to OAuth
842	      required)

844	4.6.  Refresh Token Leakage

846	   mitm, log files on the device, ...

848	   refresh token rotation, mutual TLS authentication at the token
849	   endpoint

851	5.  OAuth Credentials Injection

853	   Credential injection means an attacker somehow obtained a valid OAuth
854	   credential (code or token) and is able to utilize this to impersonate
855	   the legitimate resource owner or to cause a victim to access
856	   resources under the attacker's control (XSRF).

858	5.1.  Code Injection

860	   In such an attack, the adversary attempts to inject a stolen
861	   authorization code into a legitimate client on a device under his
862	   control.  In the simplest case, the attacker would want to use the
863	   code in his own client.  But there are situations where this might
864	   not be possible or intended.  Example are:

866	   o  The code is bound to a particular confidential client and the
867	      attacker is unable to obtain the required client credentials to
868	      redeem the code himself and/or

870	   o  The attacker wants to access certain functions in this particular
871	      client.  As an example, the attacker potentially wants to
872	      impersonate his victim in a certain app.

874	   o  Another example could be that access to the authorization and
875	      resource servers is some how limited to networks, the attackers is
876	      unable to access directly.

878	   How does an attack look like?

880	   (1)  The attacker obtains an authorization code by executing any of
881	        the attacks described above (OAuth Credentials Leakage).

883	   (2)  It performs an OAuth authorization process with the legitimate
884	        client on his device.

886	   (3)  The attacker injects the stolen authorization code in the
887	        response of the authorization server to the legitimate client.

889	   (4)  The client sends the code to the authorization server's token
890	        endpoint, along with client id, client secret and actual
891	        redirect_uri.

893	   (5)  The authorization server checks the client secret, whether the
894	        code was issued to the particular client and whether the actual
895	        redirect URI matches the redirect_uri parameter.

897	   (6)  If all checks succeed, the authorization server issues access
898	        and other tokens to the client.

900	   (7)  The attacker just impersonated the victim.

902	   Obviously, the check in step (5) will fail, if the code was issued to
903	   another client id, e.g. a client set up by the attacker.

905	   An attempt to inject a code obtained via a malware pretending to be
906	   the legitimate client should also be detected, if the authorization
907	   server stored the complete redirect URI used in the authorization
908	   request and compares it with the redirect_uri parameter.

910	   [RFC6749], Section 4.1.3, requires the AS to ...  "ensure that the
911	   "redirect_uri" parameter is present if the "redirect_uri" parameter
912	   was included in the initial authorization request as described in
913	   Section 4.1.1, and if included ensure that their values are
914	   identical."  In the attack scenario described above, the legitimate
915	   client would use the correct redirect URI it always uses for
916	   authorization requests.  But this URI would not match the tampered
917	   redirect URI used by the attacker (otherwise, the redirect would not
918	   land at the attackers page).  So the authorization server would
919	   detect the attack and refuse to exchange the code.

921	   Note: this check could also detect attempt to inject a code, which
922	   had been obtained from another instance of the same client on another
923	   device, if certain conditions are fulfilled:

925	   o  the redirect URI itself needs to contain a nonce or another kind
926	      of one-time use, secret data and

928	   o  the client has bound this data to this particular instance

930	   But this approach conflicts with the idea to enforce exact redirect
931	   URI matching at the authorization endpoint.  Moreover, it has been
932	   observed that providers very often ignore the redirect_uri check
933	   requirement at this stage, maybe, because it doesn't seem to be
934	   security-critical from reading the spec.

936	   Other providers just pattern match the redirect_uri parameter against
937	   the registered redirect URI pattern.  This saves the authorization
938	   server from storing the link between the actual redirect URI and the
939	   respective authorization code for every transaction.  But this kind
940	   of check obviously does not fulfill the intent of the spec, since the
941	   tampered redirect URI is not considered.  So any attempt to inject a
942	   code obtained using the client_id of a legitimate client or by
943	   utilizing the legitimate client on another device won't be detected
944	   in the respective deployments.

946	   It is also assumed that the requirements defined in [RFC6749],
947	   Section 4.1.3, increase client implementation complexity as clients
948	   need to memorize or re-construct the correct redirect URI for the
949	   call to the tokens endpoint.

951	   The authors therefore propose to the working group to drop this
952	   feature in favor of more effective and (hopefully) simpler approaches
953	   to code injection prevention as described in the following section.

955	5.1.1.  Proposed Countermeasures

957	   The general proposal is to bind every particular authorization code
958	   to a certain client on a certain device (or in a certain user agent)
959	   in the context of a certain transaction.  There are multiple
960	   technical solutions to achieve this goal:

962	   Nonce   OpenID Connect's existing "nonce" parameter is used for this
963	           purpose.  The nonce value is one time use and created by the
964	           client.  The client is supposed to bind it to the user agent
965	           session and sends it with the initial request to the OpenId
966	           Provider (OP).  The OP associates the nonce to the
967	           authorization code and attests this binding in the ID token,
968	           which is issued as part of the code exchange at the token
969	           endpoint.  If an attacker injected an authorization code in
970	           the authorization response, the nonce value in the client
971	           session and the nonce value in the ID token will not match
972	           and the attack is detected.  assumption: attacker cannot get
973	           hold of the user agent state on the victims device, where he
974	           has stolen the respective authorization code.
975	           pro:
976	           - existing feature, used in the wild
977	           con:
978	           - OAuth does not have an ID Token - would need to push that
979	           down the stack

981	   Code-bound State  It has been discussed in the security workshop in
982	           December to use the OAuth state value much similar in the way
983	           as described above.  In the case of the state value, the idea
984	           is to add a further parameter state to the code exchange
985	           request.  The authorization server then compares the state
986	           value it associated with the code and the state value in the
987	           parameter.  If those values do not match, it is considered an
988	           attack and the request fails.  Note: a variant of this
989	           solution would be send a hash of the state (in order to
990	           prevent bulky requests and DoS).
991	           pro:
992	           - use existing concept
993	           con:
994	           - state needs to fulfil certain requirements (one time use,
995	           complexity)
996	           - new parameter means normative spec change

998	   PKCE    Basically, the PKCE challenge/verifier could be used in the
999	           same way as Nonce or State.  In contrast to its original
1000	           intention, the verifier check would fail although the client
1001	           uses its correct verifier but the code is associated with a
1002	           challenge, which does not match.
1003	           pro:
1004	           - existing and deployed OAuth feature
1005	           con:
1006	           - currently used and recommended for native apps, not web
1007	           apps

1009	   Token Binding  Code must be bind to UA-AS and UA-Client legs -
1010	           requires further data (extension to response) to manifest
1011	           binding id for particular code.
1012	           Note: token binding could be used in conjunction with PKCE as
1013	           an option (https://tools.ietf.org/html/draft-ietf-oauth-
1014	           token-binding-02#section-4).
1015	           pro:
1016	           - highly secure
1017	           con:
1018	           - highly sophisticated, requires browser support, will it
1019	           work for native apps?

1021	   per instance client id/secret  ...

1023	   Note on pre-warmed secrets: An attacker can circumvent the
1024	   countermeasures described above if he is able to create or capture
1025	   the respective secret or code_challenge on a device under his
1026	   control, which is then used in the victim's authorization request.
1027	   Exact redirect URI matching of authorization requests can prevent the
1028	   attacker from using the pre-warmed secret in the faked authorization
1029	   transaction on the victim's device.
1030	   Unfortunately it does not work for all kinds of OAuth clients.  It is
1031	   effective for web and JS apps and for native apps with claimed URLs.
1032	   What about other native apps?  Treat nonce or PKCE challenge as
1033	   replay detection tokens (needs to ensure cluster-wide one-time use)?

1035	5.2.  Access Token Injection (TBD)

1037	   Note: An attacker in possession of an access token can access any
1038	   resources the access token gives him the permission to.  This kind of
1039	   attacks simply illustrates the fact that bearer tokens utilized by
1040	   OAuth are reusable similar to passwords unless they are protected by
1041	   further means.

1043	   (where do we treat access token replay/use at the resource server?
1044	   https://tools.ietf.org/html/rfc6819#section-4.6.4 has some text about
1045	   it but is it sufficient?)

1047	   The attack described in this section is about injecting a stolen
1048	   access token into a legitimate client on a device under the
1049	   adversaries control.  The attacker wants to impersonate a victim and
1050	   cannot use his own client, since he wants to access certain functions
1051	   in this particular client.

1053	   Proposal: token binding, hybrid flow+nonce(OIDC), other
1054	   cryptographical binding between access token and user agent instance

1056	5.3.  XSRF (TBD)

1058	   injection of code or access token on a victim's device (e.g. to cause
1059	   client to access resources under the attacker's control)

1061	   mitigation: XSRF tokens (one time use) w/ user agent binding (cf.
1062	   https://www.owasp.org/index.php/
1063	   CrossSite_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)

1065	6.  Other Attacks

1067	   Using the AS as Open Redirector - error handling AS (redirects)
1068	   (draft-ietf-oauth-closing-redirectors-00)

1070	   Using the Client as Open Redirector

1072	   redirect via status code 307 - use 302

1074	7.  Other Topics

1076	   why to rotate refresh tokens

1078	   how to support multi AS per RS

1080	   differentiate native, JS and web clients

1082	   do not put sensitive data in URL/GET parameters (Jim Manico)

1084	   Incorporate Christian Mainka's feedback

1086	   WPAD attack - https://www.blackhat.com/docs/us-16/materials/us-16-
1087	   Kotler-Crippling-HTTPS-With-Unholy-PAC.pdf

1089	8.  Acknowledgements

1091	   We would like to thank Jim Manico, Phil Hunt, and Brian Campbell for
1092	   their valuable feedback.

1094	9.  IANA Considerations

1096	   This draft includes no request to IANA.

1098	10.  Security Considerations

1100	   All relevant security considerations have been given in the
1101	   functional specification.

1103	11.  References

1105	11.1.  Normative References

1107	   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
1108	              Resource Identifier (URI): Generic Syntax", STD 66,
1109	              RFC 3986, DOI 10.17487/RFC3986, January 2005,
1110	              <https://www.rfc-editor.org/info/rfc3986>.

1112	   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
1113	              RFC 6749, DOI 10.17487/RFC6749, October 2012,
1114	              <https://www.rfc-editor.org/info/rfc6749>.

1116	   [RFC6750]  Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
1117	              Framework: Bearer Token Usage", RFC 6750,
1118	              DOI 10.17487/RFC6750, October 2012,
1119	              <https://www.rfc-editor.org/info/rfc6750>.

1121	   [RFC6819]  Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
1122	              Threat Model and Security Considerations", RFC 6819,
1123	              DOI 10.17487/RFC6819, January 2013,
1124	              <https://www.rfc-editor.org/info/rfc6819>.

1126	   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
1127	              Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
1128	              DOI 10.17487/RFC7231, June 2014,
1129	              <https://www.rfc-editor.org/info/rfc7231>.

1131	   [RFC7591]  Richer, J., Ed., Jones, M., Bradley, J., Machulak, M., and
1132	              P. Hunt, "OAuth 2.0 Dynamic Client Registration Protocol",
1133	              RFC 7591, DOI 10.17487/RFC7591, July 2015,
1134	              <https://www.rfc-editor.org/info/rfc7591>.

1136	11.2.  Informative References

1138	   [I-D.bradley-oauth-jwt-encoded-state]
1139	              Bradley, J., Lodderstedt, T., and H. Zandbelt, "Encoding
1140	              claims in the OAuth 2 state parameter using a JWT", draft-
1141	              bradley-oauth-jwt-encoded-state-07 (work in progress),
1142	              March 2017.

1144	   [I-D.campbell-oauth-resource-indicators]
1145	              Campbell, B., Bradley, J., and H. Tschofenig, "Resource
1146	              Indicators for OAuth 2.0", draft-campbell-oauth-resource-
1147	              indicators-02 (work in progress), November 2016.

1149	   [I-D.ietf-oauth-discovery]
1150	              Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0
1151	              Authorization Server Metadata", draft-ietf-oauth-
1152	              discovery-07 (work in progress), September 2017.

1154	   [I-D.ietf-oauth-mtls]
1155	              Campbell, B., Bradley, J., Sakimura, N., and T.
1156	              Lodderstedt, "Mutual TLS Profile for OAuth 2.0", draft-
1157	              ietf-oauth-mtls-03 (work in progress), July 2017.

1159	   [I-D.ietf-oauth-pop-key-distribution]
1160	              Bradley, J., Hunt, P., Jones, M., and H. Tschofenig,
1161	              "OAuth 2.0 Proof-of-Possession: Authorization Server to
1162	              Client Key Distribution", draft-ietf-oauth-pop-key-
1163	              distribution-03 (work in progress), February 2017.

1165	   [I-D.ietf-oauth-signed-http-request]
1166	              Richer, J., Bradley, J., and H. Tschofenig, "A Method for
1167	              Signing HTTP Requests for OAuth", draft-ietf-oauth-signed-
1168	              http-request-03 (work in progress), August 2016.

1170	   [I-D.ietf-oauth-token-binding]
1171	              Jones, M., Bradley, J., Campbell, B., and W. Denniss,
1172	              "OAuth 2.0 Token Binding", draft-ietf-oauth-token-
1173	              binding-04 (work in progress), July 2017.

1175	   [I-D.ietf-tokbind-https]
1176	              Popov, A., Nystrom, M., Balfanz, D., Langley, A., Harper,
1177	              N., and J. Hodges, "Token Binding over HTTP", draft-ietf-
1178	              tokbind-https-10 (work in progress), July 2017.

1180	   [I-D.sakimura-oauth-jpop]
1181	              Sakimura, N., Li, K., and J. Bradley, "The OAuth 2.0
1182	              Authorization Framework: JWT Pop Token Usage", draft-
1183	              sakimura-oauth-jpop-04 (work in progress), March 2017.

1185	   [oauth_security_cmu]
1186	              Carnegie Mellon University, Carnegie Mellon University,
1187	              Microsoft Research, Carnegie Mellon University, Carnegie
1188	              Mellon University, and Carnegie Mellon University, "OAuth
1189	              Demystified for Mobile Application Developers", November
1190	              2014.

1192	   [oauth_security_ubc]
1193	              University of British Columbia and University of British
1194	              Columbia, "The Devil is in the (Implementation) Details:
1195	              An Empirical Analysis of OAuth SSO Systems", October 2012,
1196	              <http://passwordresearch.com/papers/paper267.html>.

1198	   [owasp]    "Open Web Application Security Project Home Page",
1199	              <https://www.owasp.org/>.

1201	   [RFC7636]  Sakimura, N., Ed., Bradley, J., and N. Agarwal, "Proof Key
1202	              for Code Exchange by OAuth Public Clients", RFC 7636,
1203	              DOI 10.17487/RFC7636, September 2015,
1204	              <https://www.rfc-editor.org/info/rfc7636>.

1206	   [RFC7800]  Jones, M., Bradley, J., and H. Tschofenig, "Proof-of-
1207	              Possession Key Semantics for JSON Web Tokens (JWTs)",
1208	              RFC 7800, DOI 10.17487/RFC7800, April 2016,
1209	              <https://www.rfc-editor.org/info/rfc7800>.

1211	Appendix A.  Document History

1213	   [[ To be removed from the final specification ]]

1215	   -03

1217	   o  Added section on Access Token Leakage at Resource Server

1219	   o  incorporated Brian Campbell's findings

1221	   -02

1223	   o  Folded Mix up and Access Token leakage through a bad AS into new
1224	      section for dynamic OAuth threats

1226	   o  reworked dynamic OAuth section

1228	   -01

1230	   o  Added references to mitigation methods for token leakage

1232	   o  Added reference to Token Binding for Authorization Code
1233	   o  incorporated feedback of Phil Hunt

1235	   o  fixed numbering issue in attack descriptions in section 2

1237	   -00 (WG document)

1239	   o  turned the ID into a WG document and a BCP

1241	   o  Added federated app login as topic in Other Topics

1243	Authors' Addresses

1245	   Torsten Lodderstedt (editor)
1246	   YES Europe AG

1248	   Email: torsten@lodderstedt.net

1250	   John Bradley
1251	   Yubico

1253	   Email: ve7jtb@ve7jtb.com

1255	   Andrey Labunets
1256	   Facebook

1258	   Email: isciurus@fb.com