< draft-ietf-oauth-security-topics-12.txt   draft-ietf-oauth-security-topics-13.txt >
Web Authorization Protocol T. Lodderstedt Web Authorization Protocol T. Lodderstedt
Internet-Draft yes.com Internet-Draft yes.com
Intended status: Best Current Practice J. Bradley Intended status: Best Current Practice J. Bradley
Expires: September 9, 2019 Yubico Expires: January 9, 2020 Yubico
A. Labunets A. Labunets
Facebook Facebook
D. Fett D. Fett
yes.com yes.com
March 8, 2019 July 8, 2019
OAuth 2.0 Security Best Current Practice OAuth 2.0 Security Best Current Practice
draft-ietf-oauth-security-topics-12 draft-ietf-oauth-security-topics-13
Abstract Abstract
This document describes best current security practice for OAuth 2.0. This document describes best current security practice for OAuth 2.0.
It updates and extends the OAuth 2.0 Security Threat Model to It updates and extends the OAuth 2.0 Security Threat Model to
incorporate practical experiences gathered since OAuth 2.0 was incorporate practical experiences gathered since OAuth 2.0 was
published and covers new threats relevant due to the broader published and covers new threats relevant due to the broader
application of OAuth 2.0. application of OAuth 2.0.
Status of This Memo Status of This Memo
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 9, 2019. This Internet-Draft will expire on January 9, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 19 skipping to change at page 2, line 19
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Structure . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Structure . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Conventions and Terminology . . . . . . . . . . . . . . . 4 1.2. Conventions and Terminology . . . . . . . . . . . . . . . 4
2. The Updated OAuth 2.0 Attacker Model . . . . . . . . . . . . 4 2. The Updated OAuth 2.0 Attacker Model . . . . . . . . . . . . 4
3. Recommendations . . . . . . . . . . . . . . . . . . . . . . . 6 3. Recommendations . . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Protecting Redirect-Based Flows . . . . . . . . . . . . . 6 3.1. Protecting Redirect-Based Flows . . . . . . . . . . . . . 6
3.1.1. Authorization Code Grant . . . . . . . . . . . . . . 7 3.1.1. Authorization Code Grant . . . . . . . . . . . . . . 7
3.1.2. Implicit Grant . . . . . . . . . . . . . . . . . . . 7 3.1.2. Implicit Grant . . . . . . . . . . . . . . . . . . . 8
3.2. Token Replay Prevention . . . . . . . . . . . . . . . . . 8 3.2. Token Replay Prevention . . . . . . . . . . . . . . . . . 8
3.3. Access Token Privilege Restriction . . . . . . . . . . . 8 3.3. Access Token Privilege Restriction . . . . . . . . . . . 9
4. Attacks and Mitigations . . . . . . . . . . . . . . . . . . . 9 3.4. Resource Owner Password Credentials Grant . . . . . . . . 9
4.1. Insufficient Redirect URI Validation . . . . . . . . . . 9 3.5. Client Authentication . . . . . . . . . . . . . . . . . . 10
3.6. Other Recommendations . . . . . . . . . . . . . . . . . . 10
4. Attacks and Mitigations . . . . . . . . . . . . . . . . . . . 10
4.1. Insufficient Redirect URI Validation . . . . . . . . . . 10
4.1.1. Redirect URI Validation Attacks on Authorization Code 4.1.1. Redirect URI Validation Attacks on Authorization Code
Grant . . . . . . . . . . . . . . . . . . . . . . . . 9 Grant . . . . . . . . . . . . . . . . . . . . . . . . 11
4.1.2. Redirect URI Validation Attacks on Implicit Grant . . 10 4.1.2. Redirect URI Validation Attacks on Implicit Grant . . 12
4.1.3. Proposed Countermeasures . . . . . . . . . . . . . . 12 4.1.3. Proposed Countermeasures . . . . . . . . . . . . . . 13
4.2. Credential Leakage via Referrer Headers . . . . . . . . . 12 4.2. Credential Leakage via Referrer Headers . . . . . . . . . 14
4.2.1. Leakage from the OAuth Client . . . . . . . . . . . . 13 4.2.1. Leakage from the OAuth Client . . . . . . . . . . . . 14
4.2.2. Leakage from the Authorization Server . . . . . . . . 13 4.2.2. Leakage from the Authorization Server . . . . . . . . 14
4.2.3. Consequences . . . . . . . . . . . . . . . . . . . . 13 4.2.3. Consequences . . . . . . . . . . . . . . . . . . . . 14
4.2.4. Proposed Countermeasures . . . . . . . . . . . . . . 13 4.2.4. Proposed Countermeasures . . . . . . . . . . . . . . 14
4.3. Attacks through the Browser History . . . . . . . . . . . 14 4.3. Attacks through the Browser History . . . . . . . . . . . 15
4.3.1. Code in Browser History . . . . . . . . . . . . . . . 14 4.3.1. Code in Browser History . . . . . . . . . . . . . . . 16
4.3.2. Access Token in Browser History . . . . . . . . . . . 15 4.3.2. Access Token in Browser History . . . . . . . . . . . 16
4.4. Mix-Up . . . . . . . . . . . . . . . . . . . . . . . . . 15 4.4. Mix-Up . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.4.1. Attack Description . . . . . . . . . . . . . . . . . 15 4.4.1. Attack Description . . . . . . . . . . . . . . . . . 17
4.4.2. Countermeasures . . . . . . . . . . . . . . . . . . . 17 4.4.2. Countermeasures . . . . . . . . . . . . . . . . . . . 18
4.5. Authorization Code Injection . . . . . . . . . . . . . . 18 4.5. Authorization Code Injection . . . . . . . . . . . . . . 19
4.5.1. Attack Description . . . . . . . . . . . . . . . . . 18 4.5.1. Attack Description . . . . . . . . . . . . . . . . . 19
4.5.2. Discussion . . . . . . . . . . . . . . . . . . . . . 19 4.5.2. Discussion . . . . . . . . . . . . . . . . . . . . . 20
4.5.3. Proposed Countermeasures . . . . . . . . . . . . . . 20 4.5.3. Proposed Countermeasures . . . . . . . . . . . . . . 21
4.6. Access Token Injection . . . . . . . . . . . . . . . . . 21 4.6. Access Token Injection . . . . . . . . . . . . . . . . . 23
4.6.1. Proposed Countermeasures . . . . . . . . . . . . . . 22 4.6.1. Proposed Countermeasures . . . . . . . . . . . . . . 23
4.7. Cross Site Request Forgery . . . . . . . . . . . . . . . 22 4.7. Cross Site Request Forgery . . . . . . . . . . . . . . . 23
4.7.1. Proposed Countermeasures . . . . . . . . . . . . . . 22 4.7.1. Proposed Countermeasures . . . . . . . . . . . . . . 23
4.8. Access Token Leakage at the Resource Server . . . . . . . 22 4.8. Access Token Leakage at the Resource Server . . . . . . . 24
4.8.1. Access Token Phishing by Counterfeit Resource Server 22 4.8.1. Access Token Phishing by Counterfeit Resource Server 24
4.8.2. Compromised Resource Server . . . . . . . . . . . . . 28 4.8.2. Compromised Resource Server . . . . . . . . . . . . . 29
4.9. Open Redirection . . . . . . . . . . . . . . . . . . . . 28 4.9. Open Redirection . . . . . . . . . . . . . . . . . . . . 30
4.9.1. Authorization Server as Open Redirector . . . . . . . 29 4.9.1. Authorization Server as Open Redirector . . . . . . . 30
4.9.2. Clients as Open Redirector . . . . . . . . . . . . . 29 4.9.2. Clients as Open Redirector . . . . . . . . . . . . . 31
4.10. 307 Redirect . . . . . . . . . . . . . . . . . . . . . . 29 4.10. 307 Redirect . . . . . . . . . . . . . . . . . . . . . . 31
4.11. TLS Terminating Reverse Proxies . . . . . . . . . . . . . 30 4.11. TLS Terminating Reverse Proxies . . . . . . . . . . . . . 32
4.12. Refresh Token Protection . . . . . . . . . . . . . . . . 31 4.12. Refresh Token Protection . . . . . . . . . . . . . . . . 32
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 33 4.13. Client Impersonating Resource Owner . . . . . . . . . . . 34
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 4.13.1. Proposed Countermeasures . . . . . . . . . . . . . . 35
7. Security Considerations . . . . . . . . . . . . . . . . . . . 33 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 35
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 33 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35
8.1. Normative References . . . . . . . . . . . . . . . . . . 33 7. Security Considerations . . . . . . . . . . . . . . . . . . . 35
8.2. Informative References . . . . . . . . . . . . . . . . . 34 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 35
Appendix A. Document History . . . . . . . . . . . . . . . . . . 37 8.1. Normative References . . . . . . . . . . . . . . . . . . 35
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39 8.2. Informative References . . . . . . . . . . . . . . . . . 36
Appendix A. Document History . . . . . . . . . . . . . . . . . . 39
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 42
1. Introduction 1. Introduction
Since its publication in [RFC6749] and [RFC6750], OAuth 2.0 has Since its publication in [RFC6749] and [RFC6750], OAuth 2.0 has
gotten massive traction in the market and became the standard for API gotten massive traction in the market and became the standard for API
protection and, as foundation of OpenID Connect [OpenID], identity protection and, as the foundation of OpenID Connect [OpenID],
providing. While OAuth was used in a variety of scenarios and identity providing. While OAuth was used in a variety of scenarios
different kinds of deployments, the following challenges could be and different kinds of deployments, the following challenges could be
observed: observed:
o OAuth implementations are being attacked through known o OAuth implementations are being attacked through known
implementation weaknesses and anti-patterns (CSRF, referrer implementation weaknesses and anti-patterns (CSRF, referrer
header). Although most of these threats are discussed in the header). Although most of these threats are discussed in the
OAuth 2.0 Threat Model and Security Considerations [RFC6819], OAuth 2.0 Threat Model and Security Considerations [RFC6819],
continued exploitation demonstrates there may be a need for more continued exploitation demonstrates there may be a need for more
specific recommendations or that the existing mitigations are too specific recommendations, that the existing mitigations may be too
difficult to deploy. difficult to deploy, and that more defense in depth is needed.
o Technology has changed, e.g., the way browsers treat fragments in o Technology has changed, e.g., the way browsers treat fragments in
some situations, which may change the implicit grant's underlying some situations, which changes the implicit grant's underlying
security model. security model.
o OAuth is used in much more dynamic setups than originally o OAuth is being used in environments with higher security
requirements than considered initially, such as Open Banking,
eHealth, eGovernment, and Electronic Signatures. Those use cases
call for stricter guidelines and additional protection.
o OAuth is being used in much more dynamic setups than originally
anticipated, creating new challenges with respect to security. anticipated, creating new challenges with respect to security.
Those challenges go beyond the original scope of [RFC6749], Those challenges go beyond the original scope of [RFC6749],
[RFC6749], and [RFC6819]. [RFC6750], and [RFC6819].
Moreover, OAuth is being adopted in use cases with higher security
requirements than considered initially, such as Open Banking,
eHealth, eGovernment, and Electronic Signatures. Those use cases
call for stricter guidelines and additional protection.
OAuth initially assumed a static relationship between client, OAuth initially assumed a static relationship between client,
authorization server and resource servers. The URLs of AS and RS authorization server and resource servers. The URLs of AS and RS
were known to the client at deployment time and built an anchor for were known to the client at deployment time and built an anchor for
the trust relationship among those parties. The validation whether the trust relationship among those parties. The validation whether
the client talks to a legitimate server was based on TLS server the client talks to a legitimate server was based on TLS server
authentication (see [RFC6819], Section 4.5.4). With the increasing authentication (see [RFC6819], Section 4.5.4). With the increasing
adoption of OAuth, this simple model dissolved and, in several adoption of OAuth, this simple model dissolved and, in several
scenarios, was replaced by a dynamic establishment of the scenarios, was replaced by a dynamic establishment of the
relationship between clients on one side and the authorization and relationship between clients on one side and the authorization and
resource servers of a particular deployment on the other side. This resource servers of a particular deployment on the other side. This
way the same client could be used to access services of different way the same client could be used to access services of different
providers (in case of standard APIs, such as e-Mail or OpenID providers (in case of standard APIs, such as e-mail or OpenID
Connect) or serves as a frontend to a particular tenant in a multi- Connect) or serves as a frontend to a particular tenant in a multi-
tenancy. Extensions of OAuth, such as [RFC7591] and [RFC8414] were tenancy. Extensions of OAuth, such as [RFC7591] and [RFC8414] were
developed in order to support the usage of OAuth in dynamic developed in order to support the usage of OAuth in dynamic
scenarios. As a challenge to the community, such usage scenarios scenarios. As a challenge to the community, such usage scenarios
open up new attack angles, which are discussed in this document. open up new attack angles, which are discussed in this document.
1.1. Structure 1.1. Structure
The remainder of the document is organized as follows: The next The remainder of the document is organized as follows: The next
section updates the OAuth attacker model. Afterwards, the most section updates the OAuth attacker model. Afterwards, the most
skipping to change at page 4, line 41 skipping to change at page 4, line 46
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
2. The Updated OAuth 2.0 Attacker Model 2. The Updated OAuth 2.0 Attacker Model
In [RFC6819], an attacker model was laid out that described the In [RFC6819], an attacker model was laid out that described the
capabilities of attackers against which OAuth deployments must capabilities of attackers against which OAuth deployments must
defend. In the following, this attacker model is updated to account defend. In the following, this attacker model is updated to account
for the potentially dynamic relationships involving multiple parties for the potentially dynamic relationships involving multiple parties
(as described above), to include new types of attackers, and to make (as described above), to include new types of attackers, and to
it more clearly defined. define the attacker model more clearly.
OAuth 2.0 aims to ensure that the authorization of the resource owner OAuth 2.0 MUST ensure that the authorization of the resource owner
(RO) (with a user agent) at an authorization server (AS) and the (RO) (with a user agent) at an authorization server (AS) and the
subsequent usage of the access token at the resource server (RS) is subsequent usage of the access token at the resource server (RS) is
protected at least against the following attackers: protected at least against the following attackers:
o (A1) Web Attackers that control an arbitrary number of network o (A1) Web Attackers that control an arbitrary number of network
endpoints (except for RO, AS, and RS). Web attackers may set up endpoints (except for the concrete RO, AS, and RS). Web attackers
web sites that are visited by the RO, operate their own user may set up web sites that are visited by the RO, operate their own
agents, participate in the protocol using their own user user agents, participate in the protocol using their own user
credentials, etc. credentials, etc.
Web attackers may, in particular, operate OAuth clients that are Web attackers may, in particular, operate OAuth clients that are
registered at AS, and operate their own authorization and resource registered at AS, and operate their own authorization and resource
servers that can be used (in parallel) by ROs. servers that can be used (in parallel) by ROs.
It must also be assumed that web attackers can lure the user to It must also be assumed that web attackers can lure the user to
open arbitrary attacker-chosen URIs at any time. This can be open arbitrary attacker-chosen URIs at any time. This can be
achieved through many ways, for example, by injecting malicious achieved through many ways, for example, by injecting malicious
advertisements into advertisement networks, or by sending legit- advertisements into advertisement networks, or by sending legit-
looking emails. looking emails.
o (A2) Network Attackers that additionally have full control over o (A2) Network Attackers that additionally have full control over
the network over which protocol participants communicate. They the network over which protocol participants communicate. They
can eavesdrop on, manipulate, and spoof messages, except when can eavesdrop on, manipulate, and spoof messages, except when
these are properly protected by cryptographic methods (e.g., TLS). these are properly protected by cryptographic methods (e.g., TLS).
Network attacker can also block specific messages. Network attackers can also block arbitrary messages.
These attackers conform to the attacker model that was used in formal These attackers conform to the attacker model that was used in formal
analysis efforts for OAuth [arXiv.1601.01229]. Previous attacks on analysis efforts for OAuth [arXiv.1601.01229]. Previous attacks on
OAuth have shown that OAuth deployments should protect against an OAuth have shown that OAuth deployments SHOULD protect against an
even strong attacker model that is described as follows: even stronger attacker model that is described as follows:
o (A3) Attackers that can read, but not modify, the contents of the o (A3) Attackers that can read, but not modify, the contents of the
authorization response (i.e., the authorization response can leak authorization response (i.e., the authorization response can leak
to an attacker). to an attacker).
Examples for such attacks include open redirector attacks, Examples for such attacks include open redirector attacks,
problems existing on mobile operating systems (where different problems existing on mobile operating systems (where different
apps can register themselves on the same URI), so-called mix-up apps can register themselves on the same URI), so-called mix-up
attacks, where the client is tricked into sending credentials to a attacks, where the client is tricked into sending credentials to a
attacker-controlled AS, and the fact that URLs are often stored/ attacker-controlled AS, and the fact that URLs are often stored/
logged by browsers (history), proxy servers, and operating logged by browsers (history), proxy servers, and operating
skipping to change at page 5, line 47 skipping to change at page 5, line 51
o (A4) Attackers that can read, but not modify, the contents of the o (A4) Attackers that can read, but not modify, the contents of the
authorization request (i.e., the authorization request can leak, authorization request (i.e., the authorization request can leak,
in the same manner as above, to an attacker). in the same manner as above, to an attacker).
o (A5) Attackers that control a resource server used by RO with an o (A5) Attackers that control a resource server used by RO with an
access token issued by AS. For example, a resource server can be access token issued by AS. For example, a resource server can be
compromised by an attacker, an access token may be sent to an compromised by an attacker, an access token may be sent to an
attacker-controlled resource server due to a misconfiguration, or attacker-controlled resource server due to a misconfiguration, or
an RO is social-engineered into using a attacker-controlled RS. an RO is social-engineered into using a attacker-controlled RS.
Note that in this attacker model, an attacker can be a RO or act as Note that in this attacker model, an attacker (see A1) can be a RO or
one (see A1). For example, an attacker can use his own browser to act as one. For example, an attacker can use his own browser to
replay tokens or authorization codes obtained by any of the attacks replay tokens or authorization codes obtained by any of the attacks
described above at the client or RS. described above at the client or RS.
This document discusses the additional threats resulting from these This document discusses the additional threats resulting from these
attackers in detail and recommends suitable mitigations. attackers in detail and recommends suitable mitigations. Attacks in
an even stronger attacker model are discussed, for example, in
[arXiv.1901.11520].
This is a minimal attacker model. Implementers MUST take into This is a minimal attacker model. Implementers MUST take into
account all possible attackers in the environment in which their account all possible attackers in the environment in which their
OAuth implementations are expected to run. OAuth implementations are expected to run.
3. Recommendations 3. Recommendations
This section describes the set of security mechanisms the OAuth This section describes the set of security mechanisms the OAuth
working group recommends to OAuth implementers. working group recommends to OAuth implementers.
skipping to change at page 6, line 30 skipping to change at page 6, line 34
URIs against pre-registered URIs. This measure contributes to the URIs against pre-registered URIs. This measure contributes to the
prevention of leakage of authorization codes and access tokens prevention of leakage of authorization codes and access tokens
(depending on the grant type). It also helps to detect mix-up (depending on the grant type). It also helps to detect mix-up
attacks. attacks.
Clients SHOULD avoid forwarding the user's browser to a URI obtained Clients SHOULD avoid forwarding the user's browser to a URI obtained
from a query parameter since such a function could be utilized to from a query parameter since such a function could be utilized to
exfiltrate authorization codes and access tokens. If there is a exfiltrate authorization codes and access tokens. If there is a
strong need for this kind of redirects, clients are advised to strong need for this kind of redirects, clients are advised to
implement appropriate countermeasures against open redirection, e.g., implement appropriate countermeasures against open redirection, e.g.,
as described by the OWASP [owasp]. as described by OWASP [owasp].
Clients MUST prevent CSRF and ensure that each authorization response Clients MUST prevent CSRF. One-time use CSRF tokens carried in the
is only accepted once. One-time use CSRF tokens carried in the
"state" parameter, which are securely bound to the user agent, SHOULD "state" parameter, which are securely bound to the user agent, SHOULD
be used for that purpose. be used for that purpose. If PKCE [RFC7636] is used by the client
and the authorization server supports PKCE, clients MAY opt to not
use "state" for CSRF protection, as such protection is provided by
PKCE. In this case, "state" MAY be used again for its original
purpose, namely transporting data about the application state of the
client (see Section 4.7.1).
In order to prevent mix-up attacks, clients MUST only process In order to prevent mix-up attacks, clients MUST only process
redirect responses of the OAuth authorization server they sent the redirect responses of the OAuth authorization server they sent the
respective request to and from the same user agent this authorization respective request to and from the same user agent this authorization
request was initiated with. Clients MUST memorize which request was initiated with. Clients MUST memorize which
authorization server they sent an authorization request to and bind authorization server they sent an authorization request to and bind
this information to the user agent and ensure any sub-sequent this information to the user agent and ensure any sub-sequent
messages are sent to the same authorization server. Clients SHOULD messages are sent to the same authorization server. Clients SHOULD
use AS-specific redirect URIs as a means to identify the AS a use AS-specific redirect URIs as a means to identify the AS a
particular response came from. particular response came from.
skipping to change at page 7, line 25 skipping to change at page 7, line 31
transaction-specific and securely bound to the user agent in which transaction-specific and securely bound to the user agent in which
the transaction was started and the respective client. OpenID the transaction was started and the respective client. OpenID
Connect clients MAY use the "nonce" parameter of the OpenID Connect Connect clients MAY use the "nonce" parameter of the OpenID Connect
authentication request as specified in [OpenID] in conjunction with authentication request as specified in [OpenID] in conjunction with
the corresponding ID Token claim for the same purpose. the corresponding ID Token claim for the same purpose.
Note: although PKCE so far was recommended as a mechanism to protect Note: although PKCE so far was recommended as a mechanism to protect
native apps, this advice applies to all kinds of OAuth clients, native apps, this advice applies to all kinds of OAuth clients,
including web applications. including web applications.
Authorization servers SHOULD use client authentication if possible. Clients SHOULD use PKCE code challenge methods that do not expose the
PKCE verifier in the authorization request. (Otherwise, the attacker
A4 can trivially break the security provided by PKCE.) Currently,
"S256" is the only such method.
AS MUST support PKCE [!@RFC7636].
AS SHOULD provide a way to detect their support for PKCE. To this
end, they SHOULD either (a) publish, in their AS metadata
([!@RFC8418]), the element "code_challenge_methods_supported"
containing the supported PKCE challenge methods (which can be used by
the client to detect PKCE support) or (b) provide a deployment-
specific way to ensure or determine PKCE support by the AS.
Authorization servers SHOULD furthermore consider the recommendations Authorization servers SHOULD furthermore consider the recommendations
given in [RFC6819], Section 4.4.1.1, on authorization code replay given in [RFC6819], Section 4.4.1.1, on authorization code replay
prevention. prevention.
3.1.2. Implicit Grant 3.1.2. Implicit Grant
The implicit grant (response type "token") and other response types The implicit grant (response type "token") and other response types
causing the authorization server to issue access tokens in the causing the authorization server to issue access tokens in the
authorization response are vulnerable to access token leakage and authorization response are vulnerable to access token leakage and
skipping to change at page 7, line 51 skipping to change at page 8, line 25
is recommended in Section 3.2. This makes replay detection for such is recommended in Section 3.2. This makes replay detection for such
access tokens at resource servers impossible. access tokens at resource servers impossible.
In order to avoid these issues, clients SHOULD NOT use the implicit In order to avoid these issues, clients SHOULD NOT use the implicit
grant (response type "token") or any other response type issuing grant (response type "token") or any other response type issuing
access tokens in the authorization response, such as "token id_token" access tokens in the authorization response, such as "token id_token"
and "code token id_token", unless the issued access tokens are and "code token id_token", unless the issued access tokens are
sender-constrained and access token injection in the authorization sender-constrained and access token injection in the authorization
response is prevented. response is prevented.
A sender constrained access token scopes the applicability of an A sender-constrained access token scopes the applicability of an
access token to a certain sender. This sender is obliged to access token to a certain sender. This sender is obliged to
demonstrate knowledge of a certain secret as prerequisite for the demonstrate knowledge of a certain secret as prerequisite for the
acceptance of that token at the recipient (e.g., a resource server). acceptance of that token at the recipient (e.g., a resource server).
Clients SHOULD instead use the response type "code" (aka Clients SHOULD instead use the response type "code" (aka
authorization code grant type) as specified in Section 3.1.1 or any authorization code grant type) as specified in Section 3.1.1 or any
other response type that causes the authorization server to issue other response type that causes the authorization server to issue
access tokens in the token response. This allows the authorization access tokens in the token response. This allows the authorization
server to detect replay attempts and generally reduces the attack server to detect replay attempts and generally reduces the attack
surface since access tokens are not exposed in URLs. It also allows surface since access tokens are not exposed in URLs. It also allows
the authorization server to sender-constrain the issued tokens. the authorization server to sender-constrain the issued tokens.
3.2. Token Replay Prevention 3.2. Token Replay Prevention
Authorization servers SHOULD use TLS-based methods for sender- Authorization servers SHOULD use TLS-based methods for sender-
constrained access tokens as described in Section 4.8.1.2, such as constrained access tokens as described in Section 4.8.1.2, such as
token binding [I-D.ietf-oauth-token-binding] or Mutual TLS for OAuth token binding [I-D.ietf-oauth-token-binding] or Mutual TLS for OAuth
2.0 [I-D.ietf-oauth-mtls] in order to prevent token replay. Refresh 2.0 [I-D.ietf-oauth-mtls] in order to prevent token replay. Refresh
tokens MUST be sender-constrained or use refresh token rotation as tokens MUST be sender-constrained or use refresh token rotation as
described in Section 4.12. It is also recommended to use end-to-end described in Section 4.12.
TLS whenever possible.
It is recommended to use end-to-end TLS whenever possible. If TLS
traffic needs to be terminated at an intermediary, refer to
Section 4.11 for further security advice.
3.3. Access Token Privilege Restriction 3.3. Access Token Privilege Restriction
The privileges associated with an access token SHOULD be restricted The privileges associated with an access token SHOULD be restricted
to the minimum required for the particular application or use case. to the minimum required for the particular application or use case.
This prevents clients from exceeding the privileges authorized by the This prevents clients from exceeding the privileges authorized by the
resource owner. It also prevents users from exceeding their resource owner. It also prevents users from exceeding their
privileges authorized by the respective security policy. Privilege privileges authorized by the respective security policy. Privilege
restrictions also limit the impact of token leakage although more restrictions also limit the impact of token leakage although more
effective counter-measures are described in Section 3.2. effective counter-measures are described in Section 3.2.
skipping to change at page 9, line 10 skipping to change at page 9, line 38
and actions on resource servers or resources. To put this into and actions on resource servers or resources. To put this into
effect, the authorization server associates the access token with the effect, the authorization server associates the access token with the
respective resource and actions and every resource server is obliged respective resource and actions and every resource server is obliged
to verify for every request, whether the access token sent with that to verify for every request, whether the access token sent with that
request was meant to be used for that particular action on the request was meant to be used for that particular action on the
particular resource. If not, the resource server must refuse to particular resource. If not, the resource server must refuse to
serve the respective request. Clients and authorization servers MAY serve the respective request. Clients and authorization servers MAY
utilize the parameter "scope" as specified in [RFC6749] to determine utilize the parameter "scope" as specified in [RFC6749] to determine
those resources and/or actions. those resources and/or actions.
3.4. Resource Owner Password Credentials Grant
The resource owner password credentials grant MUST NOT be used. This
grant type insecurely exposes the credentials of the resource owner
to the client. Even if the client is benign, this results in an
increased attack surface (credentials can leak in more places than
just the AS) and users are trained to enter their credentials in
places other than the AS.
Furthermore, adapting the resource owner password credentials grant
to two-factor authentication, authentication with cryptographic
credentials, and authentication processes that require multiple steps
can be hard or impossible (WebCrypto, WebAuthn).
3.5. Client Authentication
Authorization servers SHOULD use client authentication if possible.
It is RECOMMENDED to use asymmetric (public key based) methods for
client authentication such as MTLS [I-D.draft-ietf-oauth-mtls] or
"private_key_jwt" [OIDC]. When asymmetric methods for client
authentication are used, authorization servers do not need to store
sensitive symmetric keys, making these methods more robust against a
number of attacks. Additionally, these methods enable non-repudation
and work well with sender-constrained access tokens (without
requiring additional keys to be distributed).
3.6. Other Recommendations
Authorization servers SHOULD NOT allow clients to influence their
"client_id" or "sub" value or any other claim that might cause
confusion with a genuine resource owner (see Section 4.13).
4. Attacks and Mitigations 4. Attacks and Mitigations
This section gives a detailed description of attacks on OAuth This section gives a detailed description of attacks on OAuth
implementations, along with potential countermeasures. This section implementations, along with potential countermeasures. This section
complements and enhances the description given in [RFC6819]. complements and enhances the description given in [RFC6819].
4.1. Insufficient Redirect URI Validation 4.1. Insufficient Redirect URI Validation
Some authorization servers allow clients to register redirect URI Some authorization servers allow clients to register redirect URI
patterns instead of complete redirect URIs. In those cases, the patterns instead of complete redirect URIs. In those cases, the
skipping to change at page 10, line 21 skipping to change at page 11, line 34
This URL initiates an authorization request with the client id of a This URL initiates an authorization request with the client id of a
legitimate client to the authorization endpoint. This is the example legitimate client to the authorization endpoint. This is the example
authorization request (line breaks are for display purposes only): authorization request (line breaks are for display purposes only):
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=9ad67f13 GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=9ad67f13
&redirect_uri=https%3A%2F%2Fevil.somesite.example%2Fcb HTTP/1.1 &redirect_uri=https%3A%2F%2Fevil.somesite.example%2Fcb HTTP/1.1
Host: server.somesite.example Host: server.somesite.example
Afterwards, the authorization server validates the redirect URI in Afterwards, the authorization server validates the redirect URI in
order to identify the client. Since the pattern allows arbitrary order to identify the client. Since the pattern allows arbitrary
domains host names in "somesite.example", the authorization request host names in "somesite.example", the authorization request is
is processed under the legitimate client's identity. This includes processed under the legitimate client's identity. This includes the
the way the request for user consent is presented to the user. If way the request for user consent is presented to the user. If auto-
auto-approval is allowed (which is not recommended for public clients approval is allowed (which is not recommended for public clients
according to [RFC6749]), the attack can be performed even easier. according to [RFC6749]), the attack can be performed even easier.
If the user does not recognize the attack, the code is issued and If the user does not recognize the attack, the code is issued and
immediately sent to the attacker's client. immediately sent to the attacker's client.
Since the attacker impersonated a public client, it can exchange the Since the attacker impersonated a public client, it can exchange the
code for tokens at the respective token endpoint. code for tokens at the respective token endpoint.
Note: This attack will not work as easily for confidential clients, Note: This attack will not work as easily for confidential clients,
since the code exchange requires authentication with the legitimate since the code exchange requires authentication with the legitimate
skipping to change at page 15, line 10 skipping to change at page 16, line 23
Proposed countermeasures: Proposed countermeasures:
o Authorization code replay prevention as described in [RFC6819], o Authorization code replay prevention as described in [RFC6819],
Section 4.4.1.1, and Section 4.5 Section 4.4.1.1, and Section 4.5
o Use form post response mode instead of redirect for authorization o Use form post response mode instead of redirect for authorization
response (see [oauth-v2-form-post-response-mode]) response (see [oauth-v2-form-post-response-mode])
4.3.2. Access Token in Browser History 4.3.2. Access Token in Browser History
An access token may end up in the browser history if a a client or An access token may end up in the browser history if a client or just
just a web site, which already has a token, deliberately navigates to a web site, which already has a token, deliberately navigates to a
a page like "provider.com/get_user_profile?access_token=abcdef.". page like "provider.com/get_user_profile?access_token=abcdef.".
Actually [RFC6750] discourages this practice and asks to transfer Actually [RFC6750] discourages this practice and asks to transfer
tokens via a header, but in practice web sites often just pass access tokens via a header, but in practice web sites often just pass access
token in query parameters. token in query parameters.
In case of implicit grant, a URL like "client.example/ In case of implicit grant, a URL like "client.example/
redirection_endpoint#access_token=abcdef" may also end up in the redirection_endpoint#access_token=abcdef" may also end up in the
browser history as a result of a redirect from a provider's browser history as a result of a redirect from a provider's
authorization endpoint. authorization endpoint.
Proposed countermeasures: Proposed countermeasures:
skipping to change at page 18, line 27 skipping to change at page 19, line 41
client. As an example, the attacker wants to impersonate his client. As an example, the attacker wants to impersonate his
victim in a certain app or on a certain web site. victim in a certain app or on a certain web site.
o The code is bound to a particular confidential client and the o The code is bound to a particular confidential client and the
attacker is unable to obtain the required client credentials to attacker is unable to obtain the required client credentials to
redeem the code himself. redeem the code himself.
o The authorization or resource servers are limited to certain o The authorization or resource servers are limited to certain
networks that the attacker is unable to access directly. networks that the attacker is unable to access directly.
In the following attack description and discussion, we assume the
presence of a web or network attacker, but not of an attacker with
advanced capabilities (A3-A5).
4.5.1. Attack Description 4.5.1. Attack Description
The attack works as follows: The attack works as follows:
1. The attacker obtains an authorization code by performing any of 1. The attacker obtains an authorization code by performing any of
the attacks described above. the attacks described above.
2. It performs a regular OAuth authorization process with the 2. He performs a regular OAuth authorization process with the
legitimate client on his device. legitimate client on his device.
3. The attacker injects the stolen authorization code in the 3. The attacker injects the stolen authorization code in the
response of the authorization server to the legitimate client. response of the authorization server to the legitimate client.
4. The client sends the code to the authorization server's token 4. The client sends the code to the authorization server's token
endpoint, along with client id, client secret and actual endpoint, along with client id, client secret and actual
"redirect_uri". "redirect_uri".
5. The authorization server checks the client secret, whether the 5. The authorization server checks the client secret, whether the
skipping to change at page 19, line 12 skipping to change at page 20, line 31
other tokens to the client, so now the attacker is able to other tokens to the client, so now the attacker is able to
impersonate the legitimate user. impersonate the legitimate user.
4.5.2. Discussion 4.5.2. Discussion
Obviously, the check in step (5.) will fail if the code was issued to Obviously, the check in step (5.) will fail if the code was issued to
another client id, e.g., a client set up by the attacker. The check another client id, e.g., a client set up by the attacker. The check
will also fail if the authorization code was already redeemed by the will also fail if the authorization code was already redeemed by the
legitimate user and was one-time use only. legitimate user and was one-time use only.
An attempt to inject a code obtained via a malware pretending to be An attempt to inject a code obtained via a manipulated redirect URI
the legitimate client should also be detected, if the authorization should also be detected if the authorization server stored the
server stored the complete redirect URI used in the authorization complete redirect URI used in the authorization request and compares
request and compares it with the redirect_uri parameter. it with the "redirect_uri" parameter.
[RFC6749], Section 4.1.3, requires the AS to "... ensure that the [RFC6749], Section 4.1.3, requires the AS to "... ensure that the
"redirect_uri" parameter is present if the "redirect_uri" parameter "redirect_uri" parameter is present if the "redirect_uri" parameter
was included in the initial authorization request as described in was included in the initial authorization request as described in
Section 4.1.1, and if included ensure that their values are Section 4.1.1, and if included ensure that their values are
identical.". In the attack scenario described above, the legitimate identical.". In the attack scenario described above, the legitimate
client would use the correct redirect URI it always uses for client would use the correct redirect URI it always uses for
authorization requests. But this URI would not match the tampered authorization requests. But this URI would not match the tampered
redirect URI used by the attacker (otherwise, the redirect would not redirect URI used by the attacker (otherwise, the redirect would not
land at the attackers page). So the authorization server would land at the attackers page). So the authorization server would
skipping to change at page 21, line 20 skipping to change at page 22, line 39
promising as a secure and convenient mechanism (due to its browser promising as a secure and convenient mechanism (due to its browser
integration). As a challenge, it requires broad browser support integration). As a challenge, it requires broad browser support
and use with native apps is still under discussion. and use with native apps is still under discussion.
o *Per-instance client id/secret*: One could use per instance o *Per-instance client id/secret*: One could use per instance
"client_id" and secrets and bind the code to the respective "client_id" and secrets and bind the code to the respective
"client_id". Unfortunately, this does not fit into the web "client_id". Unfortunately, this does not fit into the web
application programming model (would need to use per-user client application programming model (would need to use per-user client
IDs). IDs).
PKCE seems to be the most obvious solution for OAuth clients as it PKCE seems to be the most obvious solution for OAuth clients as it is
available and effectively used today for similar purposes for OAuth available and effectively used today for similar purposes for OAuth
native apps whereas "nonce" is appropriate for OpenId Connect native apps whereas "nonce" is appropriate for OpenId Connect
clients. clients.
Note on pre-warmed secrets: An attacker can circumvent the Note on pre-warmed secrets: An attacker can circumvent the
countermeasures described above if he is able to create or capture countermeasures described above if he is able to create or capture
the respective secret or code_challenge on a device under his the respective secret or code_challenge on a device under his
control, which is then used in the victim's authorization request. control, which is then used in the victim's authorization request.
Exact redirect URI matching of authorization requests can prevent the Exact redirect URI matching of authorization requests can prevent the
skipping to change at page 22, line 26 skipping to change at page 23, line 46
the countermeasures discussed in Section 4.5. the countermeasures discussed in Section 4.5.
4.7. Cross Site Request Forgery 4.7. Cross Site Request Forgery
An attacker might attempt to inject a request to the redirect URI of An attacker might attempt to inject a request to the redirect URI of
the legitimate client on the victim's device, e.g., to cause the the legitimate client on the victim's device, e.g., to cause the
client to access resources under the attacker's control. client to access resources under the attacker's control.
4.7.1. Proposed Countermeasures 4.7.1. Proposed Countermeasures
Standard CSRF defenses should be used to protect the redirection Use of CSRF tokens which are bound to the user agent and passed in
endpoint, for example: the "state" parameter to the authorization server as described in
[!@RFC6819]. Alternatively, PKCE provides CSRF protection.
o *CSRF Tokens*: Use of CSRF tokens which are bound to the user It is important to note that:
agent and passed in the "state" parameter to the authorization
server.
o *Origin Header*: The Origin header can be used to detect and o Clients MUST ensure that the AS supports PKCE before using PKCE
prevent CSRF attacks. Since this feature, at the time of writing, for CSRF protection. If an authorization server does not support
is not consistently supported by all browsers, CSRF tokens should PKCE, "state" MUST be used for CSRF protection.
be used in addition to Origin header checking.
o If "state" is used for carrying application state, and integrity
of its contents is a concern, clients MUST protect state against
tampering and swapping. This can be achieved by binding the
contents of state to the browser session and/or signed/encrypted
state values [I-D.bradley-oauth-jwt-encoded-state].
The recommendation therefore is that AS publish their PKCE support
either in AS metadata according to [RFC8418] or provide a deployment-
specific way to ensure or determine PKCE support.
Additionally, standard CSRF defenses MAY be used to protect the
redirection endpoint, for example the Origin header.
For more details see [owasp_csrf]. For more details see [owasp_csrf].
4.8. Access Token Leakage at the Resource Server 4.8. Access Token Leakage at the Resource Server
Access tokens can leak from a resource server under certain Access tokens can leak from a resource server under certain
circumstances. circumstances.
4.8.1. Access Token Phishing by Counterfeit Resource Server 4.8.1. Access Token Phishing by Counterfeit Resource Server
skipping to change at page 25, line 4 skipping to change at page 26, line 27
utilizes key material (or data derived from the key material) utilizes key material (or data derived from the key material)
known to the client. known to the client.
2. This key material must be distributed somehow. Either the key 2. This key material must be distributed somehow. Either the key
material already exists before the AS creates the binding or the material already exists before the AS creates the binding or the
AS creates ephemeral keys. The way pre-existing key material is AS creates ephemeral keys. The way pre-existing key material is
distributed varies among the different approaches. For example, distributed varies among the different approaches. For example,
X.509 Certificates can be used in which case the distribution X.509 Certificates can be used in which case the distribution
happens explicitly during the enrollment process. Or the key happens explicitly during the enrollment process. Or the key
material is created and distributed at the TLS layer, in which material is created and distributed at the TLS layer, in which
case it might automatically happens during the setup of a TLS case it might automatically happen during the setup of a TLS
connection. connection.
3. The RS must implement the actual proof of possession check. This 3. The RS must implement the actual proof of possession check. This
is typically done on the application level, it may utilize is typically done on the application level, it may utilize
capabilities of the transport layer (e.g., TLS). Note: replay capabilities of the transport layer (e.g., TLS). Note: replay
prevention is required as well! prevention is required as well!
There exists several proposals to demonstrate the proof of possession There exist several proposals to demonstrate the proof of possession
in the scope of the OAuth working group: in the scope of the OAuth working group:
o *OAuth Token Binding* ([I-D.ietf-oauth-token-binding]): In this o *OAuth Token Binding* ([I-D.ietf-oauth-token-binding]): In this
approach, an access token is, via the so-called token binding id, approach, an access token is, via the so-called token binding id,
bound to key material representing a long term association between bound to key material representing a long term association between
a client and a certain TLS host. Negotiation of the key material a client and a certain TLS host. Negotiation of the key material
and proof of possession in the context of a TLS handshake is taken and proof of possession in the context of a TLS handshake is taken
care of by the TLS stack. The client needs to determine the token care of by the TLS stack. The client needs to determine the token
binding id of the target resource server and pass this data to the binding id of the target resource server and pass this data to the
access token request. The authorization server than associates access token request. The authorization server then associates
the access token with this id. The resource server checks on the access token with this id. The resource server checks on
every invocation that the token binding id of the active TLS every invocation that the token binding id of the active TLS
connection and the token binding id of associated with the access connection and the token binding id of associated with the access
token match. Since all crypto-related functions are covered by token match. Since all crypto-related functions are covered by
the TLS stack, this approach is very client developer friendly. the TLS stack, this approach is very client developer friendly.
As a prerequisite, token binding as described in [RFC8473] As a prerequisite, token binding as described in [RFC8473]
(including federated token bindings) must be supported on all ends (including federated token bindings) must be supported on all ends
(client, authorization server, resource server). (client, authorization server, resource server).
o *OAuth Mutual TLS* ([I-D.ietf-oauth-mtls]): The approach as o *OAuth Mutual TLS* ([I-D.ietf-oauth-mtls]): The approach as
skipping to change at page 27, line 9 skipping to change at page 28, line 33
4.8.1.3. Audience Restricted Access Tokens 4.8.1.3. Audience Restricted Access Tokens
An audience restriction essentially restricts the resource server a An audience restriction essentially restricts the resource server a
particular access token can be used at. The authorization server particular access token can be used at. The authorization server
associates the access token with a certain resource server and every associates the access token with a certain resource server and every
resource server is obliged to verify for every request, whether the resource server is obliged to verify for every request, whether the
access token sent with that request was meant to be used at the access token sent with that request was meant to be used at the
particular resource server. If not, the resource server must refuse particular resource server. If not, the resource server must refuse
to serve the respective request. In the general case, audience to serve the respective request. In the general case, audience
restrictions limit the impact of a token leakage. In the case of a restrictions limit the impact of a token leakage. In the case of a
counterfeit resource server, it may (as described see below) also counterfeit resource server, it may (as described below) also prevent
prevent abuse of the phished access token at the legitimate resource abuse of the phished access token at the legitimate resource server.
server.
The audience can basically be expressed using logical names or The audience can basically be expressed using logical names or
physical addresses (like URLs). In order to prevent phishing, it is physical addresses (like URLs). In order to prevent phishing, it is
necessary to use the actual URL the client will send requests to. In necessary to use the actual URL the client will send requests to. In
the phishing case, this URL will point to the counterfeit resource the phishing case, this URL will point to the counterfeit resource
server. If the attacker tries to use the access token at the server. If the attacker tries to use the access token at the
legitimate resource server (which has a different URL), the resource legitimate resource server (which has a different URL), the resource
server will detect the mismatch (wrong audience) and refuse to serve server will detect the mismatch (wrong audience) and refuse to serve
the request. the request.
skipping to change at page 30, line 27 skipping to change at page 32, line 8
AS which redirect a request that potentially contains user AS which redirect a request that potentially contains user
credentials therefore MUST NOT use the HTTP 307 status code for credentials therefore MUST NOT use the HTTP 307 status code for
redirection. If an HTTP redirection (and not, for example, redirection. If an HTTP redirection (and not, for example,
JavaScript) is used for such a request, AS SHOULD use HTTP status JavaScript) is used for such a request, AS SHOULD use HTTP status
code 303 "See Other". code 303 "See Other".
4.11. TLS Terminating Reverse Proxies 4.11. TLS Terminating Reverse Proxies
A common deployment architecture for HTTP applications is to have the A common deployment architecture for HTTP applications is to have the
application server sitting behind a reverse proxy, which terminates application server sitting behind a reverse proxy which terminates
the TLS connection and dispatches the incoming requests to the the TLS connection and dispatches the incoming requests to the
respective application server nodes. respective application server nodes.
This section highlights some attack angles of this deployment This section highlights some attack angles of this deployment
architecture, which are relevant to OAuth, and give recommendations architecture which are relevant to OAuth, and gives recommendations
for security controls. for security controls.
In some situations, the reverse proxy needs to pass security-related In some situations, the reverse proxy needs to pass security-related
data to the upstream application servers for further processing. data to the upstream application servers for further processing.
Examples include the IP address of the request originator, token Examples include the IP address of the request originator, token
binding ids and authenticated TLS client certificates. binding ids, and authenticated TLS client certificates.
If the reverse proxy would pass through any header sent from the If the reverse proxy would pass through any header sent from the
outside, an attacker could try to directly send the faked header outside, an attacker could try to directly send the faked header
values through the proxy to the application server in order to values through the proxy to the application server in order to
circumvent security controls that way. For example, it is standard circumvent security controls that way. For example, it is standard
practice of reverse proxies to accept "forwarded_for" headers and practice of reverse proxies to accept "forwarded_for" headers and
just add the origin of the inbound request (making it a list). just add the origin of the inbound request (making it a list).
Depending on the logic performed in the application server, the Depending on the logic performed in the application server, the
attacker could simply add a whitelisted IP address to the header and attacker could simply add a whitelisted IP address to the header and
render a IP whitelist useless. A reverse proxy must therefore render a IP whitelist useless. A reverse proxy must therefore
sanitize any inbound requests to ensure the authenticity and sanitize any inbound requests to ensure the authenticity and
integrity of all header values relevant for the security of the integrity of all header values relevant for the security of the
application servers. application servers.
If an attacker would be able to get access to the internal network If an attacker was able to get access to the internal network between
between proxy and application server, it could also try to circumvent proxy and application server, he could also try to circumvent
security controls in place. It is therefore important to ensure the security controls in place. It is therefore important to ensure the
authenticity of the communicating entities. Furthermore, the authenticity of the communicating entities. Furthermore, the
communication link between reverse proxy and application server must communication link between reverse proxy and application server must
therefore be protected against tapping and injection (including therefore be protected against eavesdropping, injection, and replay
replay prevention). of messages.
4.12. Refresh Token Protection 4.12. Refresh Token Protection
Refresh tokens are a convenient and UX-friendly way to obtain new Refresh tokens are a convenient and UX-friendly way to obtain new
access tokens after the expiration of older access tokens. Refresh access tokens after the expiration of older access tokens. Refresh
tokens also add to the security of OAuth since they allow the tokens also add to the security of OAuth since they allow the
authorization server to issue access tokens with a short lifetime and authorization server to issue access tokens with a short lifetime and
reduced scope thus reducing the potential impact of access token reduced scope thus reducing the potential impact of access token
leakage. leakage.
skipping to change at page 33, line 7 skipping to change at page 34, line 36
o logout at the authorization server o logout at the authorization server
Refresh tokens SHOULD expire if the client has been inactive for some Refresh tokens SHOULD expire if the client has been inactive for some
time, i.e., the refresh token has not been used to obtain fresh time, i.e., the refresh token has not been used to obtain fresh
access tokens for some time. The expiration time is at the access tokens for some time. The expiration time is at the
discretion of the authorization server. It might be a global value discretion of the authorization server. It might be a global value
or determined based on the client policy or the grant associated with or determined based on the client policy or the grant associated with
the refresh token (and its sensitivity). the refresh token (and its sensitivity).
4.13. Client Impersonating Resource Owner
Resource servers may make access control decisions based on the
identity of the resource owner as communicated in the "sub" claim
returned by the authorization server in a token introspection
response [RFC7662] or other mechanism. If a client is able to choose
its own "client_id" during registration with the authorization
server, then there is a risk that it can register with the same "sub"
value as a privileged user. A subsequent access token obtained under
the client credentials grant may be mistaken as an access token
authorized by the privileged user if the resource server does not
perform additional checks.
4.13.1. Proposed Countermeasures
Authorization servers SHOULD NOT allow clients to influence their
"client_id" or "sub" value or any other claim that might cause
confusion with a genuine resource owner. Where this cannot be
avoided, authorization servers MUST provide another means for the
resource server to distinguish between access tokens authorized by a
resource owner from access tokens authorized by the client itself.
5. Acknowledgements 5. Acknowledgements
We would like to thank Jim Manico, Phil Hunt, Nat Sakimura, Christian We would like to thank Jim Manico, Phil Hunt, Nat Sakimura, Christian
Mainka, Doug McDorman, Johan Peeters, Joseph Heenan, Brock Allen, Mainka, Doug McDorman, Johan Peeters, Joseph Heenan, Brock Allen,
Vittorio Bertocci, David Waite, Nov Matake, Tomek Stojecki, Dominick Vittorio Bertocci, David Waite, Nov Matake, Tomek Stojecki, Dominick
Baier, Neil Madden, William Dennis, Dick Hardt, Petteri Stenius, Baier, Neil Madden, William Dennis, Dick Hardt, Petteri Stenius,
Annabelle Richard Backman, Aaron Parecki, George Fletscher, and Brian Annabelle Richard Backman, Aaron Parecki, George Fletscher, Brian
Campbell for their valuable feedback. Campbell, Konstantin Lapine, and Tim Wuertele for their valuable
feedback.
6. IANA Considerations 6. IANA Considerations
This draft includes no request to IANA. This draft includes no request to IANA.
7. Security Considerations 7. Security Considerations
All relevant security considerations have been given in the All relevant security considerations have been given in the
functional specification. functional specification.
skipping to change at page 34, line 15 skipping to change at page 36, line 24
[RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0 [RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
Threat Model and Security Considerations", RFC 6819, Threat Model and Security Considerations", RFC 6819,
DOI 10.17487/RFC6819, January 2013, DOI 10.17487/RFC6819, January 2013,
<https://www.rfc-editor.org/info/rfc6819>. <https://www.rfc-editor.org/info/rfc6819>.
[RFC7636] Sakimura, N., Ed., Bradley, J., and N. Agarwal, "Proof Key [RFC7636] Sakimura, N., Ed., Bradley, J., and N. Agarwal, "Proof Key
for Code Exchange by OAuth Public Clients", RFC 7636, for Code Exchange by OAuth Public Clients", RFC 7636,
DOI 10.17487/RFC7636, September 2015, DOI 10.17487/RFC7636, September 2015,
<https://www.rfc-editor.org/info/rfc7636>. <https://www.rfc-editor.org/info/rfc7636>.
[RFC7662] Richer, J., Ed., "OAuth 2.0 Token Introspection",
RFC 7662, DOI 10.17487/RFC7662, October 2015,
<https://www.rfc-editor.org/info/rfc7662>.
[RFC8418] Housley, R., "Use of the Elliptic Curve Diffie-Hellman Key
Agreement Algorithm with X25519 and X448 in the
Cryptographic Message Syntax (CMS)", RFC 8418,
DOI 10.17487/RFC8418, August 2018,
<https://www.rfc-editor.org/info/rfc8418>.
8.2. Informative References 8.2. Informative References
[arXiv.1508.04324v2] [arXiv.1508.04324v2]
Mladenov, V., Mainka, C., and J. Schwenk, "On the security Mladenov, V., Mainka, C., and J. Schwenk, "On the security
of modern Single Sign-On Protocols: Second-Order of modern Single Sign-On Protocols: Second-Order
Vulnerabilities in OpenID Connect", January 2016, Vulnerabilities in OpenID Connect", January 2016,
<http://arxiv.org/abs/1508.04324v2/>. <http://arxiv.org/abs/1508.04324v2/>.
[arXiv.1601.01229] [arXiv.1601.01229]
Fett, D., Kuesters, R., and G. Schmitz, "A Comprehensive Fett, D., Kuesters, R., and G. Schmitz, "A Comprehensive
Formal Security Analysis of OAuth 2.0", January 2016, Formal Security Analysis of OAuth 2.0", January 2016,
<http://arxiv.org/abs/1601.01229/>. <http://arxiv.org/abs/1601.01229/>.
[arXiv.1704.08539] [arXiv.1704.08539]
Fett, D., Kuesters, R., and G. Schmitz, "The Web SSO Fett, D., Kuesters, R., and G. Schmitz, "The Web SSO
Standard OpenID Connect: In-Depth Formal Security Analysis Standard OpenID Connect: In-Depth Formal Security Analysis
and Security Guidelines", April 2017, and Security Guidelines", April 2017,
<http://arxiv.org/abs/1704.08539/>. <http://arxiv.org/abs/1704.08539/>.
[arXiv.1901.11520]
Fett, D., Hosseyni, P., and R. Kuesters, "An Extensive
Formal Security Analysis of the OpenID Financial-grade
API", January 2019, <http://arxiv.org/abs/1901.11520/>.
[bug.chromium] [bug.chromium]
"Referer header includes URL fragment when opening link "Referer header includes URL fragment when opening link
using New Tab", using New Tab",
<https://bugs.chromium.org/p/chromium/issues/ <https://bugs.chromium.org/p/chromium/issues/
detail?id=168213/>. detail?id=168213/>.
[fb_fragments] [fb_fragments]
"Facebook Developer Blog", "Facebook Developer Blog",
<https://developers.facebook.com/blog/post/552/>. <https://developers.facebook.com/blog/post/552/>.
skipping to change at page 35, line 14 skipping to change at page 37, line 35
[I-D.ietf-oauth-closing-redirectors] [I-D.ietf-oauth-closing-redirectors]
Bradley, J., Sanso, A., and H. Tschofenig, "OAuth 2.0 Bradley, J., Sanso, A., and H. Tschofenig, "OAuth 2.0
Security: Closing Open Redirectors in OAuth", draft-ietf- Security: Closing Open Redirectors in OAuth", draft-ietf-
oauth-closing-redirectors-00 (work in progress), February oauth-closing-redirectors-00 (work in progress), February
2016. 2016.
[I-D.ietf-oauth-jwsreq] [I-D.ietf-oauth-jwsreq]
Sakimura, N. and J. Bradley, "The OAuth 2.0 Authorization Sakimura, N. and J. Bradley, "The OAuth 2.0 Authorization
Framework: JWT Secured Authorization Request (JAR)", Framework: JWT Secured Authorization Request (JAR)",
draft-ietf-oauth-jwsreq-17 (work in progress), October draft-ietf-oauth-jwsreq-19 (work in progress), June 2019.
2018.
[I-D.ietf-oauth-mix-up-mitigation] [I-D.ietf-oauth-mix-up-mitigation]
Jones, M., Bradley, J., and N. Sakimura, "OAuth 2.0 Mix-Up Jones, M., Bradley, J., and N. Sakimura, "OAuth 2.0 Mix-Up
Mitigation", draft-ietf-oauth-mix-up-mitigation-01 (work Mitigation", draft-ietf-oauth-mix-up-mitigation-01 (work
in progress), July 2016. in progress), July 2016.
[I-D.ietf-oauth-mtls] [I-D.ietf-oauth-mtls]
Campbell, B., Bradley, J., Sakimura, N., and T. Campbell, B., Bradley, J., Sakimura, N., and T.
Lodderstedt, "OAuth 2.0 Mutual TLS Client Authentication Lodderstedt, "OAuth 2.0 Mutual TLS Client Authentication
and Certificate-Bound Access Tokens", draft-ietf-oauth- and Certificate-Bound Access Tokens", draft-ietf-oauth-
mtls-13 (work in progress), February 2019. mtls-15 (work in progress), July 2019.
[I-D.ietf-oauth-pop-key-distribution] [I-D.ietf-oauth-pop-key-distribution]
Bradley, J., Hunt, P., Jones, M., Tschofenig, H., and M. Bradley, J., Hunt, P., Jones, M., Tschofenig, H., and M.
Mihaly, "OAuth 2.0 Proof-of-Possession: Authorization Meszaros, "OAuth 2.0 Proof-of-Possession: Authorization
Server to Client Key Distribution", draft-ietf-oauth-pop- Server to Client Key Distribution", draft-ietf-oauth-pop-
key-distribution-04 (work in progress), October 2018. key-distribution-07 (work in progress), March 2019.
[I-D.ietf-oauth-resource-indicators] [I-D.ietf-oauth-resource-indicators]
Campbell, B., Bradley, J., and H. Tschofenig, "Resource Campbell, B., Bradley, J., and H. Tschofenig, "Resource
Indicators for OAuth 2.0", draft-ietf-oauth-resource- Indicators for OAuth 2.0", draft-ietf-oauth-resource-
indicators-02 (work in progress), January 2019. indicators-02 (work in progress), January 2019.
[I-D.ietf-oauth-signed-http-request] [I-D.ietf-oauth-signed-http-request]
Richer, J., Bradley, J., and H. Tschofenig, "A Method for Richer, J., Bradley, J., and H. Tschofenig, "A Method for
Signing HTTP Requests for OAuth", draft-ietf-oauth-signed- Signing HTTP Requests for OAuth", draft-ietf-oauth-signed-
http-request-03 (work in progress), August 2016. http-request-03 (work in progress), August 2016.
skipping to change at page 37, line 23 skipping to change at page 39, line 42
<https://www.rfc-editor.org/info/rfc8473>. <https://www.rfc-editor.org/info/rfc8473>.
[webappsec-referrer-policy] [webappsec-referrer-policy]
Eisinger, J. and E. Stark, "Referrer Policy", April 2017, Eisinger, J. and E. Stark, "Referrer Policy", April 2017,
<https://w3c.github.io/webappsec-referrer-policy>. <https://w3c.github.io/webappsec-referrer-policy>.
Appendix A. Document History Appendix A. Document History
[[ To be removed from the final specification ]] [[ To be removed from the final specification ]]
-13
o Discourage use of Resource Owner Password Credentials Grant
o Added text on client impersonating resource owner
o Recommend asymmetric methods for client authentication
o Encourage use of PKCE mode "S256"
o PKCE may replace state for CSRF protection
o AS SHOULD publish PKCE support
o Cleaned up discussion on auth code injection
o AS MUST support PKCE
-12 -12
o Added updated attacker model o Added updated attacker model
-11 -11
o Adapted section 2.1.2 to outcome of consensus call o Adapted section 2.1.2 to outcome of consensus call
o more text on refresh token inactivity and implementation note on o more text on refresh token inactivity and implementation note on
refresh token replay detection via refresh token rotation refresh token replay detection via refresh token rotation
 End of changes. 54 change blocks. 
123 lines changed or deleted 250 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/