idnits 2.17.1 

draft-ietf-oauth-security-topics-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There is 1 instance of too long lines in the document, the longest one
     being 4 characters in excess of 72.

  == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the
     document.

  == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (November 13, 2017) is 2355 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Best Current Practice
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Downref: Normative reference to an Informational RFC: RFC 6819

  ** Obsolete normative reference: RFC 7231 (Obsoleted by RFC 9110)

  == Outdated reference: A later version (-09) exists of
     draft-bradley-oauth-jwt-encoded-state-07

  == Outdated reference: A later version (-10) exists of
     draft-ietf-oauth-discovery-07

  == Outdated reference: A later version (-17) exists of
     draft-ietf-oauth-mtls-05

  == Outdated reference: A later version (-07) exists of
     draft-ietf-oauth-pop-key-distribution-03

  == Outdated reference: A later version (-08) exists of
     draft-ietf-oauth-token-binding-05

  == Outdated reference: A later version (-18) exists of
     draft-ietf-tokbind-https-10

  == Outdated reference: A later version (-05) exists of
     draft-sakimura-oauth-jpop-04


     Summary: 3 errors (**), 0 flaws (~~), 10 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Open Authentication Protocol                         T. Lodderstedt, Ed.
3	Internet-Draft                                                YES.com AG
4	Intended status: Best Current Practice                        J. Bradley
5	Expires: May 17, 2018                                             Yubico
6	                                                             A. Labunets
7	                                                                Facebook
8	                                                       November 13, 2017

10	                         OAuth Security Topics
11	                  draft-ietf-oauth-security-topics-04

13	Abstract

15	   This draft gives a comprehensive overview on open OAuth security
16	   topics.  It is intended to serve as a working document for the OAuth
17	   working group to systematically capture and discuss these security
18	   topics and respective mitigations and eventually recommend best
19	   current practice and also OAuth extensions needed to cope with the
20	   respective security threats.

22	Status of This Memo

24	   This Internet-Draft is submitted in full conformance with the
25	   provisions of BCP 78 and BCP 79.

27	   Internet-Drafts are working documents of the Internet Engineering
28	   Task Force (IETF).  Note that other groups may also distribute
29	   working documents as Internet-Drafts.  The list of current Internet-
30	   Drafts is at https://datatracker.ietf.org/drafts/current/.

32	   Internet-Drafts are draft documents valid for a maximum of six months
33	   and may be updated, replaced, or obsoleted by other documents at any
34	   time.  It is inappropriate to use Internet-Drafts as reference
35	   material or to cite them other than as "work in progress."

37	   This Internet-Draft will expire on May 17, 2018.

39	Copyright Notice

41	   Copyright (c) 2017 IETF Trust and the persons identified as the
42	   document authors.  All rights reserved.

44	   This document is subject to BCP 78 and the IETF Trust's Legal
45	   Provisions Relating to IETF Documents
46	   (https://trustee.ietf.org/license-info) in effect on the date of
47	   publication of this document.  Please review these documents
48	   carefully, as they describe your rights and restrictions with respect
49	   to this document.  Code Components extracted from this document must
50	   include Simplified BSD License text as described in Section 4.e of
51	   the Trust Legal Provisions and are provided without warranty as
52	   described in the Simplified BSD License.

54	Table of Contents

56	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
57	   2.  Best Practices  . . . . . . . . . . . . . . . . . . . . . . .   4
58	     2.1.  Protecting redirect-based flows . . . . . . . . . . . . .   4
59	     2.2.  Token Leakage Prevention  . . . . . . . . . . . . . . . .   5
60	   3.  Recommended Changes to OAuth  . . . . . . . . . . . . . . . .   5
61	   4.  Attacks and Mitigations . . . . . . . . . . . . . . . . . . .   5
62	     4.1.  Insufficient redirect URI validation  . . . . . . . . . .   5
63	       4.1.1.  Attacks on Authorization Code Grant . . . . . . . . .   6
64	       4.1.2.  Attacks on Implicit Grant . . . . . . . . . . . . . .   7
65	       4.1.3.  Proposed Countermeasures  . . . . . . . . . . . . . .   8
66	     4.2.  Authorization code leakage via referrer headers . . . . .   9
67	       4.2.1.  Proposed Countermeasures  . . . . . . . . . . . . . .  10
68	     4.3.  Attacks in the Browser  . . . . . . . . . . . . . . . . .  10
69	       4.3.1.  Code in browser history (TBD) . . . . . . . . . . . .  10
70	       4.3.2.  Access token in browser history (TBD) . . . . . . . .  10
71	       4.3.3.  Javascript Code stealing Access Tokens (TBD)  . . . .  11
72	     4.4.  Mix-Up  . . . . . . . . . . . . . . . . . . . . . . . . .  11
73	     4.5.  Code Injection  . . . . . . . . . . . . . . . . . . . . .  11
74	       4.5.1.  Proposed Countermeasures  . . . . . . . . . . . . . .  13
75	     4.6.  XSRF (TBD)  . . . . . . . . . . . . . . . . . . . . . . .  15
76	     4.7.  Access Token Leakage at the Resource Server . . . . . . .  15
77	       4.7.1.  Access Token Phishing by Counterfeit Resource Server   15
78	         4.7.1.1.  Metadata  . . . . . . . . . . . . . . . . . . . .  16
79	         4.7.1.2.  Sender Constrained Access Tokens  . . . . . . . .  17
80	         4.7.1.3.  Audience Restricted Access Tokens . . . . . . . .  19
81	       4.7.2.  Compromised Resource Server . . . . . . . . . . . . .  20
82	     4.8.  Refresh Token Leakage (TBD) . . . . . . . . . . . . . . .  21
83	     4.9.  Open Redirection (TBD)  . . . . . . . . . . . . . . . . .  21
84	     4.10. TLS Terminating Reverse Proxies . . . . . . . . . . . . .  22
85	     4.11. Other Topics  . . . . . . . . . . . . . . . . . . . . . .  22
86	   5.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  23
87	   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  23
88	   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  23
89	   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  23
90	     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  23
91	     8.2.  Informative References  . . . . . . . . . . . . . . . . .  24
92	   Appendix A.  Document History . . . . . . . . . . . . . . . . . .  25
93	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  26

95	1.  Introduction

97	   It's been a while since OAuth has been published in RFC 6749
98	   [RFC6749] and RFC 6750 [RFC6750].  Since publication, OAuth 2.0 has
99	   gotten massive traction in the market and became the standard for API
100	   protection and, as foundation of OpenID Connect, identity providing.
101	   While OAuth was used in a variety of scenarios and different kinds of
102	   deployments, the following challenges could be observed:

104	   o  OAuth implementations are being attacked through known
105	      implementation weaknesses and anti-patterns (XSRF, referrer
106	      header).  Although most of these threats are discussed in RFC 6819
107	      [RFC6819], continued exploitation demonstrates there may be a need
108	      for more specific recommendations or that the existing mitigations
109	      are too difficult to deploy.

111	   o  Technology has changed, e.g. the way browsers treat fragments in
112	      some situations, which may change the implicit grant's underlying
113	      security model.

115	   o  OAuth is used in much more dynamic setups than originally
116	      anticipated, creating new challenges with respect to security.
117	      Those challenges go beyond the original scope of RFC 6749
118	      [RFC6749], RFC 6750 [RFC6749], and RFC 6819 [RFC6819].

120	   OAuth initially assumed a static relationship between client,
121	   authorization server and resource servers.  The URLs of AS and RS
122	   were known to the client at deployment time and built an anchor for
123	   the trust relationsship among those parties.  The validation whether
124	   the client talks to a legitimate server was based on TLS server
125	   authentication (see [RFC6819], Section 4.5.4).  With the increasing
126	   adoption of OAuth, this simple model dissolved and, in several
127	   scenarios, was replaced by a dynamic establishment of the
128	   relationship between clients on one side and the authorization and
129	   resource servers of a particular deployment on the other side.  This
130	   way the same client could be used to access services of different
131	   providers (in case of standard APIs, such as e-Mail or OpenID
132	   Connect) or serves as a frontend to a particular tenant in a multi-
133	   tenancy.  Extensions of OAuth, such as [RFC7591] and
134	   [I-D.ietf-oauth-discovery] were developed in order to support the
135	   usage of OAuth in dynamic scenarios.  As a challenge to the
136	   community, such usage scenarios open up new attack angles, which are
137	   discussed in this document.

139	   The remainder of the document is organized as follows: The next
140	   section gives a summary of the set of security mechanisms and
141	   practices, the working group shall consider to recommend to OAuth
142	   implementers.  This is followed by a section proposing modifications
143	   to OAuth intended to either simplify its usage and to strengthen its
144	   security.

146	   The remainder of the draft gives a detailed analyses of the
147	   weaknesses and implementation issues, which can be found in the wild
148	   today, along with a discussion of potential counter measures.

150	2.  Best Practices

152	   This section describes the set of security mechanisms the authors
153	   believe should be taken into consideration by the OAuth working group
154	   to be recommended to OAuth implementers.

156	2.1.  Protecting redirect-based flows

158	   Authorization servers shall utilize exact matching of client redirect
159	   URIs against pre-registered URIs.  This measure contributes to the
160	   prevention of leakage of authorization codes and access tokens
161	   (depending on the grant type).  It also helps to detect mix up
162	   attacks.

164	   Clients shall avoid any redirects or forwards, which can be
165	   parameterized by URI query parameters, in order to provide a further
166	   layer of defence against token leakage.  If there is a need for this
167	   kind of redirects, clients are advised to implement appropriate
168	   counter measures against open redirection, e.g. as described by the
169	   OWASP [owasp].

171	   Clients shall ensure to only process redirect responses of the OAuth
172	   authorization server they send the respective request to and in the
173	   same user agent this request was initiated in.  In particular,
174	   clients shall implement appropriate XSRF prevention by utilizing one-
175	   time use XSRF tokens carried in the STATE parameter, which are
176	   securely bound to the user agent.  Moreover, the client shall store
177	   the authorization server's identity it sends an authorization request
178	   to in a transaction-specific manner, which is also bound to the
179	   particular user agent.  Furthermore, clients should use AS-specific
180	   redirect URIs as a means to identify the AS a particular response
181	   came from.  Matching this with the before mentioned information
182	   regarding the AS the client sent the request to helps to detect mix-
183	   up attacks.

185	   Note: [I-D.bradley-oauth-jwt-encoded-state] gives advice on how to
186	   implement XSRF prevention and AS matching using signed JWTs in the
187	   STATE parameter.

189	   Clients shall use PKCE [RFC7636] in order to (with the help of the
190	   authorization server) detect attempts to inject authorization codes
191	   into the authorization response.  The PKCE challenges must be
192	   transaction-specific and securely bound to the user agent, in which
193	   the transaction was started.

195	   Note: although PKCE so far was recommended as mechanism to protect
196	   native apps, this advice applies to all kinds of OAuth clients,
197	   including web applications.

199	2.2.  Token Leakage Prevention

201	   Authorization servers shall use TLS-based methods for sender
202	   constraint access tokens as described in section Section 4.7.1.2,
203	   such as token binding [I-D.ietf-oauth-token-binding] or Mutual TLS
204	   for OAuth 2.0 [I-D.ietf-oauth-mtls].  It is also recommend to use
205	   end-to-end TLS whenever possible.

207	3.  Recommended Changes to OAuth

209	   This section describes the set of modifications and extensions the
210	   authors believe should be taken into consideration by the OAuth
211	   working group change and extend OAuth in order to strengthen its
212	   security and make it simpler to implement.  It also recommends some
213	   changes to the OAuth set of specs.

215	   Remove requirement to check actual redirect URI at token endpoint -
216	   seems to be complicated to implement properly and could be
217	   compromised.  The protection goal is achieved even more effective by
218	   utilizing PKCE as recommended in Section 2.1.

220	4.  Attacks and Mitigations

222	4.1.  Insufficient redirect URI validation

224	   Some authorization servers allow clients to register redirect URI
225	   patterns instead of complete redirect URIs.  In those cases, the
226	   authorization server, at runtime, matches the actual redirect URI
227	   parameter value at the authorization endpoint against this pattern.
228	   This approach allows clients to encode transaction state into
229	   additional redirect URI parameters or to register just a single
230	   pattern for multiple redirect URIs.  As a downside, it turned out to
231	   be more complex to implement and error prone to manage than exact
232	   redirect URI matching.  Several successful attacks have been observed
233	   in the wild, which utilized flaws in the pattern matching
234	   implementation or concrete configurations.  Such a flaw effectively
235	   breaks client identification or authentication (depending on grant
236	   and client type) and allows the attacker to obtain an authorization
237	   code or access token, either:

239	   o  by directly sending the user agent to a URI under the attackers
240	      control or

242	   o  by exposing the OAuth credentials to an attacker by utilizing an
243	      open redirector at the client in conjunction with the way user
244	      agents handle URL fragments.

246	4.1.1.  Attacks on Authorization Code Grant

248	   For a public client using the grant type code, an attack would look
249	   as follows:

251	   Let's assume the redirect URL pattern "https://*.example.com/*" had
252	   been registered for the client "s6BhdRkqt3".  This pattern allows
253	   redirect URIs from any host residing in the domain example.com.  So
254	   if an attacker manager to establish a host or subdomain in
255	   "example.com" he can impersonate the legitimate client.  Assume the
256	   attacker sets up the host "evil.example.com".

258	   (1)  The attacker needs to trick the user into opening a tampered URL
259	        in his browser, which launches a page under the attacker's
260	        control, say "https://www.evil.com".

262	   (2)  This URL initiates an authorization request with the client id
263	        of a legitimate client to the authorization endpoint.  This is
264	        the example authorization request (line breaks are for display
265	        purposes only):

267	   GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
268	     &redirect_uri=https%3A%2F%2Fevil.example.com%2Fcb HTTP/1.1
269	   Host: server.example.com

271	   (1)  The authorization validates the redirect URI in order to
272	        identify the client.  Since the pattern allows arbitrary domains
273	        host names in "example.com", the authorization request is
274	        processed under the legitimate client's identity.  This includes
275	        the way the request for user consent is presented to the user.
276	        If auto-approval is allowed (which is not recommended for public
277	        clients according to RFC 6749), the attack can be performed even
278	        easier.

280	   (2)  If the user does not recognize the attack, the code is issued
281	        and directly sent to the attacker's client.

283	   (3)  Since the attacker impersonated a public client, it can directly
284	        exchange the code for tokens at the respective token endpoint.

286	   Note: This attack will not directly work for confidential clients,
287	   since the code exchange requires authentication with the legitimate
288	   client's secret.  The attacker will need to utilize the legitimate
289	   client to redeem the code (e.g. by mounting a code injection attack).
290	   This kind of injections is covered in Section Code Injection.

292	4.1.2.  Attacks on Implicit Grant

294	   The attack described above works for the implicit grant as well.  If
295	   the attacker is able to send the authorization response to a URI
296	   under his control, he will directly get access to the fragment
297	   carrying the access token.

299	   Additionally, implicit clients can be subject to a further kind of
300	   attacks.  It utilizes the fact that user agents re-attach fragments
301	   to the destination URL of a redirect if the location header does not
302	   contain a fragment (see [RFC7231], section 9.5).  The attack
303	   described here combines this behavior with the client as an open
304	   redirector in order to get access to access tokens.  This allows
305	   circumvention even of strict redirect URI patterns (but not strict
306	   URL matching!).

308	   Assume the pattern for client "s6BhdRkqt3" is
309	   "https://client.example.com/cb?*", i.e. any parameter is allowed for
310	   redirects to "https://client.example.com/cb".  Unfortunately, the
311	   client exposes an open redirector.  This endpoint supports a
312	   parameter "redirect_to", which takes a target URL and will send the
313	   browser to this URL using a HTTP 302.

315	   (1)  Same as above, the attacker needs to trick the user into opening
316	        a tampered URL in his browser, which launches a page under the
317	        attacker's control, say "https://www.evil.com".

319	   (2)  The URL initiates an authorization request, which is very
320	        similar to the attack on the code flow.  As differences, it
321	        utilizes the open redirector by encoding
322	        "redirect_to=https://client.evil.com" into the redirect URI and
323	        it uses the response type "token" (line breaks are for display
324	        purposes only):

326	   GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz
327	     &redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb%26redirect_to
328	     %253Dhttps%253A%252F%252Fclient.evil.com%252Fcb HTTP/1.1
329	   Host: server.example.com

331	   (1)  Since the redirect URI matches the registered pattern, the
332	        authorization server allows the request and sends the resulting
333	        access token with a 302 redirect (some response parameters are
334	        omitted for better readability)

336	   HTTP/1.1 302 Found
337	     Location: https://client.example.com/cb?
338	     redirect_to%3Dhttps%3A%2F%2Fclient.evil.com%2Fcb
339	     #access_token=2YotnFZFEjr1zCsicMWpAA&...

341	   (2)  At the example.com, the request arrives at the open redirector.
342	        It will read the redirect parameter and will issue a HTTP 302 to
343	        the URL "https://evil.example.com/cb".

345	   HTTP/1.1 302 Found
346	        Location: https://client.evil.com/cb

348	   (3)  Since the redirector at example.com does not include a fragment
349	        in the Location header, the user agent will re-attach the
350	        original fragment
351	        "#access_token=2YotnFZFEjr1zCsicMWpAA&..." to the URL and will
352	        navigate to the following URL:

354	   https://client.evil.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA&...

356	   (4)  The attacker's page at client.evil.com can access the fragment
357	        and obtain the access token.

359	4.1.3.  Proposed Countermeasures

361	   The complexity of implementing and managing pattern matching
362	   correctly obviously causes security issues.  This document therefore
363	   proposes to simplify the required logic and configuration by using
364	   exact redirect URI matching only.  This means the authorization
365	   server shall compare the two URIs using simple string comparison as
366	   defined in [RFC3986], Section 6.2.1..

368	   This would cause the following impacts:

370	   o  This change will require all OAuth clients to maintain the
371	      transaction state (and XSRF tokens) in the "state" parameter.
372	      This is a normative change to RFC 6749 since section 3.1.2.2
373	      allows for dynamic URI query parameters in the redirect URI.  In
374	      order to assess the practical impact, the working group needs to
375	      collect data on whether this feature is really used in deployments
376	      today.

378	   o  The working group may also consider this change as a step towards
379	      improved interoperability for OAuth implementations since RFC 6749
380	      is somewhat vague on redirect URI validation.  Notably there are
381	      no rules for pattern matching.  One may therefore assume all
382	      clients utilizing pattern matching will do so in a deployment
383	      specific way.  On the other hand, RFC 6749 already recommends
384	      exact matching if the full URL had been registered.

386	   o  Clients with multiple redirect URIs need to register all of them
387	      explicitly.
388	      Note: clients with just a single redirect URI would not even need
389	      to send a redirect URI with the authorization request.  Does it
390	      make sense to emphasize this option?  Would that further simplify
391	      use of the protocol and foster security?

393	   o  Exact redirect matching does not work for native apps utilizing a
394	      local web server due to dynamic port numbers - at least wild cards
395	      for port numbers are required.
396	      Question: Does redirect uri validation solve any problem for
397	      native apps?  Effective against impersonation when used in
398	      conjunction with claimed HTTPS redirect URIs only.
399	      For Windows token broker exact redirect URI matching is important
400	      as the redirect URI encodes the app identity.  For custom scheme
401	      redirects there is a question however it is probably a useful part
402	      of defense in depth.

404	   Additional recommendations:

406	   o  Servers on which callbacks are hosted must not expose open
407	      redirectors (see respective section).

409	   o  Clients may drop fragments via intermediary URLs with "fix
410	      fragments" (e.g. https://developers.facebook.com/blog/post/552/)
411	      to prevent the user agent from appending any unintended fragments.

413	   Alternatives to exact redirect URI matching:

415	   o  authenticate client using digital signatures (JAR?
416	      https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-09)

418	4.2.  Authorization code leakage via referrer headers

420	   It is possible authorization codes are unintentionally disclosed to
421	   attackers, if a OAuth client renders a page containing links to other
422	   pages (ads, faq, ...) as result of a successful authorization
423	   request.

425	   If the user clicks onto one of those links and the target is under
426	   the control of an attacker, it can get access to the response URL in
427	   the referrer header.

429	   It is also possible that an attacker injects cross-domain content
430	   somehow into the page, such as <img> (f.e. if this is blog web site
431	   etc.): the implication is obviously the same - loading this content
432	   by browser results in leaking referrer with a code.

434	4.2.1.  Proposed Countermeasures

436	   There are some means to prevent leakage as described above:

438	   o  Use of the HTML link attribute rel="noreferrer" (Chrome
439	      52.0.2743.116, FF 49.0.1, Edge 38.14393.0.0, IE/Win10)

441	   o  Use of the "referrer" meta link attribute (possible values e.g.
442	      noreferrer, origin, ...) (cf. https://w3c.github.io/webappsec-
443	      referrer-policy/ - work in progress (seems Google, Chrome and Edge
444	      support it))

446	   o  Redirect to intermediate page (sanitize history) before sending
447	      user agent to other pages
448	      Note: double check redirect/referrer header behavior

450	   o  Use form post mode instead of redirect for authorization response
451	      (don't transport credentials via URL parameters and GET)

453	   Note: There shouldn't be a referer header when loading HTTP content
454	   from a HTTPS -loaded page (e.g. help/faq pages)

456	   Note: This kind of attack is not applicable to the implicit grant
457	   since fragments are not be included in referrer headers (cf.
458	   https://tools.ietf.org/html/rfc7231#section-5.5.2)

460	4.3.  Attacks in the Browser

462	4.3.1.  Code in browser history (TBD)

464	   When browser navigates to "client.com/redirection_endpoint?code=abcd"
465	   as a result of a redirect from a provider's authorization endpoint.

467	   Proposed countermeasures: code is one time use, has limited duration,
468	   is bound to client id/secret (confidential clients only)

470	4.3.2.  Access token in browser history (TBD)

472	   When a client or just a web site which already has a token
473	   deliberately navigates to a page like provider.com/
474	   get_user_profile?access_token=abcdef.. Actually RFC6750 discourages
475	   this practice and asks to transfer tokens via a header, but in
476	   practice web sites often just pass access token in query
477	   When browser navigates to client.com/
478	   redirection_endpoint#access_token=abcef as a result of a redirect
479	   from a provider's authorization endpoint.

481	   Proposal: replace implicit flow with postmessage communication

483	4.3.3.  Javascript Code stealing Access Tokens (TBD)

485	   sandboxing using service workers

487	4.4.  Mix-Up

489	   Mix-up is another kind of attack on more dynamic OAuth scenarios (or
490	   at least scenarios where a OAuth client interacts with multiple
491	   authorization servers).  The goal of the attack is to obtain an
492	   authorization code or an access token by tricking the client into
493	   sending those credentials to the attacker (which acts as MITM between
494	   client and authorization server)

496	   A detailed description of the attack and potential countermeasures is
497	   given in cf. https://tools.ietf.org/html/draft-ietf-oauth-mix-up-
498	   mitigation-01.

500	   Potential mitigations:

502	   o  AS returns client_id and its iss in the response.  Client compares
503	      this data to AS it believed it sent the user agent to.

505	   o  ID token carries client id and issuer (requires OpenID Connect)

507	   o  Clients use AS-specific redirect URIs, for every authorization
508	      request store intended AS and compare intention with actual
509	      redirect URI where the response was received (no change to OAuth
510	      required)

512	4.5.  Code Injection

514	   In such an attack, the adversary attempts to inject a stolen
515	   authorization code into a legitimate client on a device under his
516	   control.  In the simplest case, the attacker would want to use the
517	   code in his own client.  But there are situations where this might
518	   not be possible or intended.  Example are:

520	   o  The code is bound to a particular confidential client and the
521	      attacker is unable to obtain the required client credentials to
522	      redeem the code himself and/or

524	   o  The attacker wants to access certain functions in this particular
525	      client.  As an example, the attacker potentially wants to
526	      impersonate his victim in a certain app.

528	   o  Another example could be that access to the authorization and
529	      resource servers is some how limited to networks, the attackers is
530	      unable to access directly.

532	   How does an attack look like?

534	   (1)  The attacker obtains an authorization code by executing any of
535	        the attacks described above.

537	   (2)  It performs an OAuth authorization process with the legitimate
538	        client on his device.

540	   (3)  The attacker injects the stolen authorization code in the
541	        response of the authorization server to the legitimate client.

543	   (4)  The client sends the code to the authorization server's token
544	        endpoint, along with client id, client secret and actual
545	        redirect_uri.

547	   (5)  The authorization server checks the client secret, whether the
548	        code was issued to the particular client and whether the actual
549	        redirect URI matches the redirect_uri parameter.

551	   (6)  If all checks succeed, the authorization server issues access
552	        and other tokens to the client.

554	   (7)  The attacker just impersonated the victim.

556	   Obviously, the check in step (5) will fail, if the code was issued to
557	   another client id, e.g. a client set up by the attacker.

559	   An attempt to inject a code obtained via a malware pretending to be
560	   the legitimate client should also be detected, if the authorization
561	   server stored the complete redirect URI used in the authorization
562	   request and compares it with the redirect_uri parameter.

564	   [RFC6749], Section 4.1.3, requires the AS to ...  "ensure that the
565	   "redirect_uri" parameter is present if the "redirect_uri" parameter
566	   was included in the initial authorization request as described in
567	   Section 4.1.1, and if included ensure that their values are
568	   identical."  In the attack scenario described above, the legitimate
569	   client would use the correct redirect URI it always uses for
570	   authorization requests.  But this URI would not match the tampered
571	   redirect URI used by the attacker (otherwise, the redirect would not
572	   land at the attackers page).  So the authorization server would
573	   detect the attack and refuse to exchange the code.

575	   Note: this check could also detect attempt to inject a code, which
576	   had been obtained from another instance of the same client on another
577	   device, if certain conditions are fulfilled:

579	   o  the redirect URI itself needs to contain a nonce or another kind
580	      of one-time use, secret data and

582	   o  the client has bound this data to this particular instance

584	   But this approach conflicts with the idea to enforce exact redirect
585	   URI matching at the authorization endpoint.  Moreover, it has been
586	   observed that providers very often ignore the redirect_uri check
587	   requirement at this stage, maybe, because it doesn't seem to be
588	   security-critical from reading the spec.

590	   Other providers just pattern match the redirect_uri parameter against
591	   the registered redirect URI pattern.  This saves the authorization
592	   server from storing the link between the actual redirect URI and the
593	   respective authorization code for every transaction.  But this kind
594	   of check obviously does not fulfill the intent of the spec, since the
595	   tampered redirect URI is not considered.  So any attempt to inject a
596	   code obtained using the client_id of a legitimate client or by
597	   utilizing the legitimate client on another device won't be detected
598	   in the respective deployments.

600	   It is also assumed that the requirements defined in [RFC6749],
601	   Section 4.1.3, increase client implementation complexity as clients
602	   need to memorize or re-construct the correct redirect URI for the
603	   call to the tokens endpoint.

605	   The authors therefore propose to the working group to drop this
606	   feature in favor of more effective and (hopefully) simpler approaches
607	   to code injection prevention as described in the following section.

609	4.5.1.  Proposed Countermeasures

611	   The general proposal is to bind every particular authorization code
612	   to a certain client on a certain device (or in a certain user agent)
613	   in the context of a certain transaction.  There are multiple
614	   technical solutions to achieve this goal:

616	   Nonce   OpenID Connect's existing "nonce" parameter is used for this
617	           purpose.  The nonce value is one time use and created by the
618	           client.  The client is supposed to bind it to the user agent
619	           session and sends it with the initial request to the OpenId
620	           Provider (OP).  The OP associates the nonce to the
621	           authorization code and attests this binding in the ID token,
622	           which is issued as part of the code exchange at the token
623	           endpoint.  If an attacker injected an authorization code in
624	           the authorization response, the nonce value in the client
625	           session and the nonce value in the ID token will not match
626	           and the attack is detected.  assumption: attacker cannot get
627	           hold of the user agent state on the victims device, where he
628	           has stolen the respective authorization code.
629	           pro:
630	           - existing feature, used in the wild
631	           con:
632	           - OAuth does not have an ID Token - would need to push that
633	           down the stack

635	   Code-bound State  It has been discussed in the security workshop in
636	           December to use the OAuth state value much similar in the way
637	           as described above.  In the case of the state value, the idea
638	           is to add a further parameter state to the code exchange
639	           request.  The authorization server then compares the state
640	           value it associated with the code and the state value in the
641	           parameter.  If those values do not match, it is considered an
642	           attack and the request fails.  Note: a variant of this
643	           solution would be send a hash of the state (in order to
644	           prevent bulky requests and DoS).
645	           pro:
646	           - use existing concept
647	           con:
648	           - state needs to fulfil certain requirements (one time use,
649	           complexity)
650	           - new parameter means normative spec change

652	   PKCE    Basically, the PKCE challenge/verifier could be used in the
653	           same way as Nonce or State.  In contrast to its original
654	           intention, the verifier check would fail although the client
655	           uses its correct verifier but the code is associated with a
656	           challenge, which does not match.
657	           pro:
658	           - existing and deployed OAuth feature
659	           con:
660	           - currently used and recommended for native apps, not web
661	           apps

663	   Token Binding  Code must be bind to UA-AS and UA-Client legs -
664	           requires further data (extension to response) to manifest
665	           binding id for particular code.

667	           Note: token binding could be used in conjunction with PKCE as
668	           an option (https://tools.ietf.org/html/draft-ietf-oauth-
669	           token-binding-02#section-4).
670	           pro:
671	           - highly secure
672	           con:
673	           - highly sophisticated, requires browser support, will it
674	           work for native apps?

676	   per instance client id/secret  ...

678	   Note on pre-warmed secrets: An attacker can circumvent the
679	   countermeasures described above if he is able to create or capture
680	   the respective secret or code_challenge on a device under his
681	   control, which is then used in the victim's authorization request.
682	   Exact redirect URI matching of authorization requests can prevent the
683	   attacker from using the pre-warmed secret in the faked authorization
684	   transaction on the victim's device.
685	   Unfortunately it does not work for all kinds of OAuth clients.  It is
686	   effective for web and JS apps and for native apps with claimed URLs.
687	   What about other native apps?  Treat nonce or PKCE challenge as
688	   replay detection tokens (needs to ensure cluster-wide one-time use)?

690	4.6.  XSRF (TBD)

692	   injection of code or access token on a victim's device (e.g. to cause
693	   client to access resources under the attacker's control)

695	   mitigation: XSRF tokens (one time use) w/ user agent binding (cf.
696	   https://www.owasp.org/index.php/
697	   CrossSite_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)

699	4.7.  Access Token Leakage at the Resource Server

701	4.7.1.  Access Token Phishing by Counterfeit Resource Server

703	   An attacker may setup his own resource server and trick a client into
704	   sending access tokens to it, which are valid for other resource
705	   servers.  If the client sends a valid access token to this
706	   counterfeit resource server, the attacker in turn may use that token
707	   to access other services on behalf of the resource owner.

709	   This attack assumes the client is not bound to a certain resource
710	   server (and the respective URL) at development time, but client
711	   instances are configured with an resource server's URL at runtime.
712	   This kind of late binding is typical in situations, where the client
713	   uses a standard API, e.g. for e-Mail, calendar, health, or banking
714	   and is configured by an user or administrator for the standard-based
715	   service, this particular user or company uses.

717	   There are several potential mitigation strategies, which will be
718	   discussed in the following sections.

720	4.7.1.1.  Metadata

722	   An authorization server could provide the client with additional
723	   information about the location where it is safe to use its access
724	   tokens.

726	   In the simplest form, this would require the AS to publish a list of
727	   its known resource servers, illustrated in the following example
728	   using a metadata parameter "resource_servers":

730	   HTTP/1.1 200 OK
731	   Content-Type: application/json

733	   {
734	     "issuer":"https://server.example.com",
735	     "authorization_endpoint":"https://server.example.com/authorize",
736	     "resource_servers":[
737	       "email.example.com",
738	       "storage.example.com",
739	       "video.example.com"]
740	     ...
741	   }

743	   The AS could also return the URL(s) an access token is good for in
744	   the token response, illustrated by the example return parameter
745	   "access_token_resource_server":

747	HTTP/1.1 200 OK
748	Content-Type: application/json;charset=UTF-8
749	Cache-Control: no-store
750	Pragma: no-cache

752	{
753	  "access_token":"2YotnFZFEjr1zCsicMWpAA",
754	  "access_token_resource_server":"https://hostedresource.example.com/path1",
755	...
756	}

758	   This mitigation strategy would rely on the client to enforce the
759	   security policy and to only send access tokens to legitimate
760	   destinations.  Results of OAuth related security research (see for
761	   example [oauth_security_ubc] and [oauth_security_cmu]) indicate a
762	   large portion of client implementations do not or fail to properly
763	   implement security controls, like state checks.  So relying on
764	   clients to detect and properly handle access token phishing is likely
765	   to fail as well.  Moreover given the ratio of clients to
766	   authorization and resource servers, it is considered the more viable
767	   approach to move as much as possible security-related logic to those
768	   entities.  Clearly, the client has to contribute to the overall
769	   security.  But there are alternative counter measures, as described
770	   in the next sections, which provide a better balance between the
771	   involved parties.

773	4.7.1.2.  Sender Constrained Access Tokens

775	   As the name suggests, sender constraint access token scope the
776	   applicability of an access token to a certain sender.  This sender is
777	   obliged to demonstrate knowledge of a certain secret as prerequisite
778	   for the acceptance of that token at a resource server.

780	   A typical flow looks like this:

782	   1.  The authorization server associates data with the access token,
783	       which bind this particular token to a certain client.  The
784	       binding can utilize the client identity, but in most cases the AS
785	       utilizes key material (or data derived from the key material)
786	       known to the client.

788	   2.  This key material must be distributed somehow.  Either the key
789	       material already exists before the AS creates the binding or the
790	       AS creates ephemeral keys.  The way pre-existing key material is
791	       distributed varies among the different approaches.  For example,
792	       X.509 Certificates can be used in which case the distribution
793	       happens explicitly during the enrollment process.  Or the key
794	       material is created and distributed at the TLS layer, in which
795	       case it might automatically happens during the setup of a TLS
796	       connection.

798	   3.  The RS must implement the actual proof of possession check.  This
799	       is typically done on the application level, it may utilize
800	       capabilities of the transport layer (e.g.  TLS).  Note: replay
801	       detection is required as well!

803	   There exists several proposals to demonstrate the proof of possession
804	   in the scope of the OAuth working group:

806	   o  [I-D.ietf-oauth-token-binding]: In this approach, an access tokens
807	      is, via the so-called token binding id, bound to key material
808	      representing a long term association between a client and a
809	      certain TLS host.  Negotiation of the key material and proof of
810	      possession in the context of a TLS handshake is taken care of by
811	      the TLS stack.  The client needs to determine the token binding id
812	      of the target resource server and pass this data to the access
813	      token request.  The authorization server than associates the
814	      access token with this id.  The resource server checks on every
815	      invocation that the token binding id of the active TLS connection
816	      and the token binding id of associated with the access token
817	      match.  Since all crypto-related functions are covered by the TLS
818	      stack, this approach is very client developer friendly.  As a
819	      prerequisite, token binding as described in
820	      [I-D.ietf-tokbind-https] (including federated token bindings) must
821	      be supported on all ends (client, authorization server, resource
822	      server).

824	   o  [I-D.ietf-oauth-mtls]: The approach as specified in this document
825	      allow use of mutual TLS for both client authentication and sender
826	      constraint access tokens.  For the purpose of sender constraint
827	      access tokens, the client is identified towards the resource
828	      server by the fingerprint of its public key.  During processing of
829	      an access token request, the authorization server obtains the
830	      client's public key from the TLS stack and associates its
831	      fingerprint with the respective access tokens.  The resource
832	      server in the same way obtains the public key from the TLS stack
833	      and compares its fingerprint with the fingerprint associated with
834	      the access token.

836	   o  [I-D.ietf-oauth-signed-http-request] specifies an approach to sign
837	      HTTP requests.  It utilizes [I-D.ietf-oauth-pop-key-distribution]
838	      and represents the elements of the signature in a JSON object.
839	      The signature is built using JWS.  The mechanism has built-in
840	      support for signing of HTTP method, query parameters and headers.
841	      It also incorporates a timestamp as basis for replay detection.

843	   o  [I-D.sakimura-oauth-jpop]: this draft describes different ways to
844	      constrain access token usage, namely TLS or request signing.
845	      Note: Since the authors of this draft contributed the TLS-related
846	      proposal to [I-D.ietf-oauth-mtls], this document only considers
847	      the request signing part.  For request signing, the draft utilizes
848	      [I-D.ietf-oauth-pop-key-distribution] and RFC 7800 [RFC7800].  The
849	      signature data is represented in a JWT and JWS is used for
850	      signing.  Replay detection is provided by building the signature
851	      over a server-provided nonce, client-provided nonce and a nonce
852	      counter.

854	   [I-D.ietf-oauth-mtls] and [I-D.ietf-oauth-token-binding] are built on
855	   top of TLS and this way continue the successful OAuth 2.0 philosophy
856	   to leverage TLS to secure OAuth wherever possible.  Both mechanisms
857	   allow prevention of access token leakage in a fairly client developer
858	   friendly way.

860	   There are some differences between both approaches: To start with, in
861	   [I-D.ietf-oauth-token-binding] all key material is automatically
862	   managed by the TLS stack whereas [I-D.ietf-oauth-mtls] requires the
863	   developer to create and maintain the key pairs and respective
864	   certificates.  Use of self-signed certificates, which is supported by
865	   the draft, significantly reduce the complexity of this task.
866	   Furthermore, [I-D.ietf-oauth-token-binding] allows to use different
867	   key pairs for different resource servers, which is a privacy benefit.
868	   On the other hand, [I-D.ietf-oauth-mtls] only requires widely
869	   deployed TLS features, which means it might be easier to adopt in the
870	   short term.

872	   Application level signing approaches, like
873	   [I-D.ietf-oauth-signed-http-request] and [I-D.sakimura-oauth-jpop]
874	   have been debated for a long time in the OAuth working group without
875	   a clear outcome.

877	   As one advantage, application-level signing allows for end-to-end
878	   protection including non-repudiation even if the TLS connection is
879	   terminated between client and resource server.  But deployment
880	   experiences have revealed challenges regarding robustness (e.g.
881	   reproduction of the signature base string including correct URL) as
882	   well as state management (e.g. replay detection).

884	   This document therefore recommends implementors to consider one of
885	   TLS-based approaches wherever possible.

887	4.7.1.3.  Audience Restricted Access Tokens

889	   An audience restriction essentially restricts the resource server a
890	   particular access token can be used at.  The authorization server
891	   associates the access token with a certain resource server and every
892	   resource server is obliged to verify for every request, whether the
893	   access token send with that request was meant to be used at the
894	   particular resource server.  If not, the resource server must refuse
895	   to serve the respective request.  In the general case, audience
896	   restrictions limit the impact of a token leakage.  In the case of a
897	   counterfeit resource server, it may (as described see below) also
898	   prevent abuse of the phished access token at the legitimate resource
899	   server.

901	   The audience can basically be expressed using logical names or
902	   physical addresses (like URLs).  In order to detect phishing, it is
903	   necessary to use the actual URL the client will send requests to.  In
904	   the phishing case, this URL will point to the counterfeit resource
905	   server.  If the attacker tries to use the access token at the
906	   legitimate resource server (which has a different URL), the resource
907	   server will detect the mismatch (wrong audience) and refuse to serve
908	   the request.

910	   In deployments where the authorization server knows the URLs of all
911	   resource servers, the authorization server may just refuse to issue
912	   access tokens for unknown resource server URLs.

914	   The client needs to tell the authorization server, at which URL it
915	   will use the access token it is requesting.  It could use the
916	   mechanism proposed [I-D.campbell-oauth-resource-indicators] or encode
917	   the information in the scope value.

919	   Instead of the URL, it is also possible to utilize the fingerprint of
920	   the resource server's X.509 certificate as audience value.  This
921	   variant would also allow to detect an attempt to spoof the legit
922	   resource server's URL by using a valid TLS certificate obtained from
923	   a different CA.  It might also be considered a privacy benefit to
924	   hide the resource server URL from the authorization server.

926	   Audience restriction seems easy to use since it does not require any
927	   crypto on the client side.  But since every access token is bound to
928	   a certain resource server, the client also needs to obtain different
929	   RS-specific access tokens, if it wants to access several resource
930	   services.  [I-D.ietf-oauth-token-binding] has the same property,
931	   since different token binding ids must be associated with the access
932	   token.  [I-D.ietf-oauth-mtls] on the other hand allows a client to
933	   use the access token at multiple resource servers.

935	   It shall be noted that audience restrictions, or generally speaking
936	   an indication by the client to the authorization server where it
937	   wants to use the access token, has additional benefits beyond the
938	   scope of token leakage prevention.  It allows the authorization
939	   server to create different access token whose format and content is
940	   specifically minted for the respective server.  This has huge
941	   functional and privacy advantages in deployments using structured
942	   access tokens.

944	4.7.2.  Compromised Resource Server

946	   An attacker may compromise a resource server in order to get access
947	   to its resources and other resources of the respective deployment.
948	   Such a compromise may range from partial access to the system, e.g.
949	   its logfiles, to full control of the respective server.

951	   If the attacker was able to take over full control including shell
952	   access it will be able to circumvent all controls in place and access
953	   resources without access control.  It will also get access to access
954	   tokens, which are sent to the compromised system and which
955	   potentially are valid for access to other resource servers as well.
956	   Even if the attacker "only" is able to access logfiles or databases
957	   of the server system, it may get access to valid access tokens.

959	   Preventing and detecting server breaches by way of hardening and
960	   monitoring server systems is considered a standard operational
961	   procedure and therefore out of scope of this document.  This section
962	   will focus on the impact of such breaches on OAuth-related parts of
963	   the ecosystem, which is the replay of captured access tokens on the
964	   compromised resource server and other resource servers of the
965	   respective deployment.

967	   The following measures shall be taken into account by implementors in
968	   order to cope with access token replay:

970	   o  The resource server must treat access tokens like any other
971	      credentials.  It is considered good practice to not log them and
972	      not to store them in plain text.

974	   o  Sender constraint access tokens as described in Section 4.7.1.2
975	      will prevent the attacker from replaying the access tokens on
976	      other resource servers.  Depending on the severity of the
977	      penetration, it will also prevent replay on the compromised
978	      system.

980	   o  Audience restriction as described in Section 4.7.1.3 may be used
981	      to prevent replay of captured access tokens on other resource
982	      servers.

984	4.8.  Refresh Token Leakage (TBD)

986	   mitm, log files on the device, ...

988	   refresh token rotation, mutual TLS authentication at the token
989	   endpoint

991	4.9.  Open Redirection (TBD)

993	   Using the AS as Open Redirector - error handling AS (redirects)
994	   (draft-ietf-oauth-closing-redirectors-00)

996	   Using the Client as Open Redirector

998	4.10.  TLS Terminating Reverse Proxies

1000	   A common deployment architecture for HTTP applications is to have the
1001	   application server sitting behind a reverse proxy, which terminates
1002	   the TLS connection and dispatches the incoming requests to the
1003	   respective application server nodes.

1005	   This section highlights some attack angles of this deployment
1006	   architecture, which are relevant to OAuth, and give recommendations
1007	   for security controls.

1009	   In some situations, the reverse proxy needs to pass security-related
1010	   data to the upstream application servers for further processing.
1011	   Examples include the IP address of the request originator, token
1012	   binding ids and authenticated TLS client certificates.

1014	   If the reverse proxy would pass through any header sent from the
1015	   outside, an attacker could try to directly send the faked header
1016	   values through the proxy to the application server in order to
1017	   circumvent security controls that way.  For example, it is standard
1018	   practice of reverse proxies to accept "forwarded_for" headers and
1019	   just add the origin of the inbound request (making it a list).
1020	   Depending on the logic performed in the application server, the
1021	   attacker could simply add a whitelisted IP address to the header and
1022	   render a IP whitelist useless.  A reverse proxy must therefore
1023	   sanitize any inbound requests to ensure the authenticity and
1024	   integrity of all header values relevant for the security of the
1025	   application servers.

1027	   If an attacker would be able to get access to the internal network
1028	   between proxy and application server, it could also try to circumvent
1029	   security controls in place.  It is therefore important to ensure the
1030	   authenticity of the communicating entities.  Furthermore, the
1031	   communication link between reverse proxy and application server must
1032	   therefore be protected against tapping and injection (including
1033	   replay prevention).

1035	4.11.  Other Topics

1037	   o  redirect via status code 307 - use 302

1039	   o  why to rotate refresh tokens

1041	   o  how to support multi AS per RS

1043	   o  differentiate native, JS and web clients

1045	   o  do not put sensitive data in URL/GET parameters (Jim Manico)
1046	   o  Incorporate Christian Mainka's feedback

1048	   o  WPAD attack - https://www.blackhat.com/docs/us-16/materials/us-16-
1049	      Kotler-Crippling-HTTPS-With-Unholy-PAC.pdf

1051	5.  Acknowledgements

1053	   We would like to thank Jim Manico, Phil Hunt, and Brian Campbell for
1054	   their valuable feedback.

1056	6.  IANA Considerations

1058	   This draft includes no request to IANA.

1060	7.  Security Considerations

1062	   All relevant security considerations have been given in the
1063	   functional specification.

1065	8.  References

1067	8.1.  Normative References

1069	   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
1070	              Resource Identifier (URI): Generic Syntax", STD 66,
1071	              RFC 3986, DOI 10.17487/RFC3986, January 2005,
1072	              <https://www.rfc-editor.org/info/rfc3986>.

1074	   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
1075	              RFC 6749, DOI 10.17487/RFC6749, October 2012,
1076	              <https://www.rfc-editor.org/info/rfc6749>.

1078	   [RFC6750]  Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
1079	              Framework: Bearer Token Usage", RFC 6750,
1080	              DOI 10.17487/RFC6750, October 2012,
1081	              <https://www.rfc-editor.org/info/rfc6750>.

1083	   [RFC6819]  Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
1084	              Threat Model and Security Considerations", RFC 6819,
1085	              DOI 10.17487/RFC6819, January 2013,
1086	              <https://www.rfc-editor.org/info/rfc6819>.

1088	   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
1089	              Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
1090	              DOI 10.17487/RFC7231, June 2014,
1091	              <https://www.rfc-editor.org/info/rfc7231>.

1093	   [RFC7591]  Richer, J., Ed., Jones, M., Bradley, J., Machulak, M., and
1094	              P. Hunt, "OAuth 2.0 Dynamic Client Registration Protocol",
1095	              RFC 7591, DOI 10.17487/RFC7591, July 2015,
1096	              <https://www.rfc-editor.org/info/rfc7591>.

1098	8.2.  Informative References

1100	   [I-D.bradley-oauth-jwt-encoded-state]
1101	              Bradley, J., Lodderstedt, T., and H. Zandbelt, "Encoding
1102	              claims in the OAuth 2 state parameter using a JWT", draft-
1103	              bradley-oauth-jwt-encoded-state-07 (work in progress),
1104	              March 2017.

1106	   [I-D.campbell-oauth-resource-indicators]
1107	              Campbell, B., Bradley, J., and H. Tschofenig, "Resource
1108	              Indicators for OAuth 2.0", draft-campbell-oauth-resource-
1109	              indicators-02 (work in progress), November 2016.

1111	   [I-D.ietf-oauth-discovery]
1112	              Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0
1113	              Authorization Server Metadata", draft-ietf-oauth-
1114	              discovery-07 (work in progress), September 2017.

1116	   [I-D.ietf-oauth-mtls]
1117	              Campbell, B., Bradley, J., Sakimura, N., and T.
1118	              Lodderstedt, "Mutual TLS Profile for OAuth 2.0", draft-
1119	              ietf-oauth-mtls-05 (work in progress), November 2017.

1121	   [I-D.ietf-oauth-pop-key-distribution]
1122	              Bradley, J., Hunt, P., Jones, M., and H. Tschofenig,
1123	              "OAuth 2.0 Proof-of-Possession: Authorization Server to
1124	              Client Key Distribution", draft-ietf-oauth-pop-key-
1125	              distribution-03 (work in progress), February 2017.

1127	   [I-D.ietf-oauth-signed-http-request]
1128	              Richer, J., Bradley, J., and H. Tschofenig, "A Method for
1129	              Signing HTTP Requests for OAuth", draft-ietf-oauth-signed-
1130	              http-request-03 (work in progress), August 2016.

1132	   [I-D.ietf-oauth-token-binding]
1133	              Jones, M., Campbell, B., Bradley, J., and W. Denniss,
1134	              "OAuth 2.0 Token Binding", draft-ietf-oauth-token-
1135	              binding-05 (work in progress), October 2017.

1137	   [I-D.ietf-tokbind-https]
1138	              Popov, A., Nystrom, M., Balfanz, D., Langley, A., Harper,
1139	              N., and J. Hodges, "Token Binding over HTTP", draft-ietf-
1140	              tokbind-https-10 (work in progress), July 2017.

1142	   [I-D.sakimura-oauth-jpop]
1143	              Sakimura, N., Li, K., and J. Bradley, "The OAuth 2.0
1144	              Authorization Framework: JWT Pop Token Usage", draft-
1145	              sakimura-oauth-jpop-04 (work in progress), March 2017.

1147	   [oauth_security_cmu]
1148	              Carnegie Mellon University, Carnegie Mellon University,
1149	              Microsoft Research, Carnegie Mellon University, Carnegie
1150	              Mellon University, and Carnegie Mellon University, "OAuth
1151	              Demystified for Mobile Application Developers", November
1152	              2014.

1154	   [oauth_security_ubc]
1155	              University of British Columbia and University of British
1156	              Columbia, "The Devil is in the (Implementation) Details:
1157	              An Empirical Analysis of OAuth SSO Systems", October 2012,
1158	              <http://passwordresearch.com/papers/paper267.html>.

1160	   [owasp]    "Open Web Application Security Project Home Page",
1161	              <https://www.owasp.org/>.

1163	   [RFC7636]  Sakimura, N., Ed., Bradley, J., and N. Agarwal, "Proof Key
1164	              for Code Exchange by OAuth Public Clients", RFC 7636,
1165	              DOI 10.17487/RFC7636, September 2015,
1166	              <https://www.rfc-editor.org/info/rfc7636>.

1168	   [RFC7800]  Jones, M., Bradley, J., and H. Tschofenig, "Proof-of-
1169	              Possession Key Semantics for JSON Web Tokens (JWTs)",
1170	              RFC 7800, DOI 10.17487/RFC7800, April 2016,
1171	              <https://www.rfc-editor.org/info/rfc7800>.

1173	Appendix A.  Document History

1175	   [[ To be removed from the final specification ]]

1177	   -04

1179	   o  Restructured document for better readability

1181	   o  Added best practices on Token Leakage prevention

1183	   -03

1185	   o  Added section on Access Token Leakage at Resource Server

1187	   o  incorporated Brian Campbell's findings

1189	   -02
1190	   o  Folded Mix up and Access Token leakage through a bad AS into new
1191	      section for dynamic OAuth threats

1193	   o  reworked dynamic OAuth section

1195	   -01

1197	   o  Added references to mitigation methods for token leakage

1199	   o  Added reference to Token Binding for Authorization Code

1201	   o  incorporated feedback of Phil Hunt

1203	   o  fixed numbering issue in attack descriptions in section 2

1205	   -00 (WG document)

1207	   o  turned the ID into a WG document and a BCP

1209	   o  Added federated app login as topic in Other Topics

1211	Authors' Addresses

1213	   Torsten Lodderstedt (editor)
1214	   YES.com AG

1216	   Email: torsten@lodderstedt.net

1218	   John Bradley
1219	   Yubico

1221	   Email: ve7jtb@ve7jtb.com

1223	   Andrey Labunets
1224	   Facebook

1226	   Email: isciurus@fb.com