TOC |
|
This specification defines an extension to The OAuth 2.0 Authorization Framework that enables an authorization server to provide a client using it with a consistent set of metadata about itself. This information is returned in the authorization response. It can be used by the client to prevent classes of attacks in which the client might otherwise be tricked into using inconsistent sets of metadata from multiple authorization servers, including potentially using a token endpoint that does not belong to the same authorization server as the authorization endpoint used. Recent research publications refer to these as "IdP Mix-Up" and "Malicious Endpoint" attacks.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”
This Internet-Draft will expire on July 13, 2016.
Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
1.
Introduction
1.1.
Requirements Notation and Conventions
1.2.
Terminology
2.
The OAuth Issuer
3.
Methods of Returning Mitigation Data
3.1.
Mitigation Data Returned in JWT
3.2.
Mitigation Data Returned in Authorization Response Parameters
4.
Validating the Response
5.
JWT Contents
6.
JWT Validation
7.
Compatibility Notes
8.
Security Considerations
8.1.
IdP Mix-Up and Malicious Endpoint Attacks
8.2.
Cut-and-Paste Attacks
8.3.
Duplicate Information Attacks
9.
IANA Considerations
9.1.
OAuth Parameters Registration
9.1.1.
Registry Contents
10.
References
10.1.
Normative References
10.2.
Informative References
Appendix A.
Acknowledgements
Appendix B.
Open Issues
Appendix C.
Document History
§
Author's Address
TOC |
OAuth 2.0 [RFC6749] (Hardt, D., Ed., “The OAuth 2.0 Authorization Framework,” October 2012.) clients use multiple authorization server endpoints when using some response types. For instance, when using the code response type, a client uses both the authorization endpoint and the token endpoint. It is important that endpoints belonging to the same authorization server always be used together. Otherwise, information produced by one authorization server could mistakenly be sent by the client to different authorization server, resulting in attacks described in Section 8 (Security Considerations). Recent research publications refer to these as "IdP Mix-Up" [arXiv.1601.01229v2] (Fett, D., Kuesters, R., and G. Schmitz, “A Comprehensive Formal Security Analysis of OAuth 2.0,” January 2016.) and "Malicious Endpoint" [arXiv.1508.04324v2] (Mladenov, V., Mainka, C., and J. Schwenk, “On the security of modern Single Sign-On Protocols: Second-Order Vulnerabilities in OpenID Connect,” January 2016.) attacks.
The client obviously cannot be confused into using endpoints from multiple authorization servers in an authorization flow if the client is configured to use only a single authorization server. However, the client can potentially be tricked into mixing endpoints if it is configured to use more than one authorization server, whether the configuration is dynamic or static. The client may be confused if it has no way to determine whether the set of endpoints belongs to the same authorization server. Or, a client may be confused simply because it is receiving authorization responses from more than one authorization server at the same redirection endpoint and the client is insufficiently able to determine that the response received is associated with the correct authorization server.
This specification provides a means for the authorization server to provide information to the client that enables it to verify that all endpoints being used belong to the same authorization server, and to abort interactions in which endpoints from multiple authorization servers would otherwise be used.
The mitigation data provided is an issuer URL, which is used to obtain a consistent set of metadata describing the authorization server configuration, and a client ID, which is used to verify that the response is from the correct authorization server and is intended for this client. Both the issuer URL and the discovery metadata are defined in Section 3 of [OAuth.Discovery] (Jones, M., Sakimura, N., and J. Bradley, “OAuth 2.0 Discovery,” November 2015.). Means of returning the mitigation data from the authorization server and of the client using the mitigation data to validate the OAuth interaction are defined by this specification.
TOC |
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.) [RFC2119].
TOC |
This specification uses the terms "Access Token", "Authorization Code", "Authorization Endpoint", "Authorization Grant", "Authorization Server", "Client", "Client Authentication", "Client Identifier", "Client Secret", "Grant Type", "Protected Resource", "Redirection URI", "Refresh Token", "Resource Owner", "Resource Server", "Response Type", and "Token Endpoint" defined by OAuth 2.0 (Hardt, D., Ed., “The OAuth 2.0 Authorization Framework,” October 2012.) [RFC6749], the terms "Claim Name", "Claim Value", and "JSON Web Token (JWT)" defined by JSON Web Token (JWT) (Jones, M., Bradley, J., and N. Sakimura, “JSON Web Token (JWT),” May 2015.) [JWT].
TOC |
As defined in [OAuth.Discovery] (Jones, M., Sakimura, N., and J. Bradley, “OAuth 2.0 Discovery,” November 2015.), the OAuth issuer is the URL of the authorization server's configuration information location, which uses the https scheme and has no query or fragment components. Also as specified there, when discovery is supported, the authorization server's metadata is retrieved as a JSON document [RFC7159] (Bray, T., Ed., “The JavaScript Object Notation (JSON) Data Interchange Format,” March 2014.) from the path formed by concatenating the string /.well-known/openid-configuration to the configuration information location. An authorization server supporting this specification MUST supply a metadata document at this location. This metadata document contains a consistent set of metadata describing the authorization server configuration. As described in Section 7 (Compatibility Notes), despite the identifier /.well-known/openid-configuration, appearing to be OpenID-specific, its usage in this specification is actually referring to a general OAuth 2.0 feature that is not specific to OpenID Connect [OpenID.Core] (Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, “OpenID Connect Core 1.0,” November 2014.).
TOC |
Mitigating the attacks relies on the authorization server returning additional data about the interaction and the client checking that data. The mitigation data returned is the client ID and the issuer URL. There are two ways that this data can be returned in the authorization response: as claims in a JWT [JWT] (Jones, M., Bradley, J., and N. Sakimura, “JSON Web Token (JWT),” May 2015.) signed by the authorization server or as additional authorization response parameters. These alternatives are discussed below.
TOC |
One method of returning the mitigation data is as claims in a JWT [JWT] (Jones, M., Bradley, J., and N. Sakimura, “JSON Web Token (JWT),” May 2015.) signed by the authorization server. The issuer is returned as the iss (issuer) claim value. The client ID is returned as an aud (audience) claim value. The JWT is signed using a key contained in the authorization server's JWK Set [JWK] (Jones, M., “JSON Web Key (JWK),” May 2015.) document, which is referenced using the authorization server's jwks_uri metadata value. The JWT is returned using the id_token response parameter registered in the IANA "OAuth Parameters" registry [IANA.OAuth.Parameters] (IANA, “OAuth Parameters,” .) by OpenID Connect [OpenID.Core] (Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, “OpenID Connect Core 1.0,” November 2014.). The required claims in this JWT are described in Section 5 (JWT Contents). Section 6 (JWT Validation) describes how to validate the contents of the JWT.
The advantage of this method is that the mitigation data values are cryptographically tied to the authorization server by the JWT signature, preventing "cut-and-paste" attacks, which are described in Section 8.2 (Cut-and-Paste Attacks). However, this does require both the authorization server and the client to support JWTs and their underlying cryptographic functions, which may not be workable in all deployments.
Note that like its usage in OpenID Connect, this JWT identifies the authorization server using the iss (issuer) claim and the client using the aud (audience) claim. However, while returning these values in this manner is intentionally compatible with OpenID Connect, and specifically, OpenID Connect ID Tokens, OpenID Connect adds additional required claims to the JWT so that it also identifies a subject. These additional claims are not required for the use defined by this specification. The good news is that for OAuth implementations that also implement OpenID Connect, this JWT is already being returned as the ID Token for flows that return an ID Token in the authorization response.
TOC |
Another method of returning the mitigation data is as additional OAuth response parameters. These new response parameters are defined for this purpose:
- client_id
- Client that this response is intended for. It MUST contain the OAuth 2.0 client ID of the client as its value.
- iss
- Issuer URL for the authorization server issuing the response. The iss value is a case-sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.
The advantage of this method is that it requires no JWT or cryptographic support from the participants. The disadvantage of this method is that it is subject to "cut-and-paste" attacks, which are described in Section 8.2 (Cut-and-Paste Attacks). This method is to be used only if returning the mitigation data in a signed JWT is not feasible.
TOC |
Upon receiving the mitigation data in an authorization response, the client MUST validate that the response was intended for it and that the authorization server configuration information that it obtained at client registration time is consistent with the authorization server configuration information contained in the metadata referenced by the issuer URL.
The client MUST validate the authorization server configuration as follows:
Note that if the issuer URLs in step 2 do not match, this could either be because an attacker is attempting to confuse the client into using the wrong endpoints or because the authorization server is multi-tenant and the issuer URL refers to tenant-specific authorization server information. In either case, in the event of a mismatch, the client should use the authorization server metadata values retrieved using the issuer URL rather than the values obtained at registration time to ensure that endpoints from multiple authorization servers aren't being used in the same interaction.
TOC |
When the mitigation data is returned in a JWT, as described in Section 3.1 (Mitigation Data Returned in JWT), the JWT includes the following claims:
- iss
- REQUIRED. Issuer URL for the authorization server issuing the response. The iss value is a case-sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.
- aud
- REQUIRED. Audience(s) that this response is intended for. It MUST contain the OAuth 2.0 client ID of the client as an audience value. It MAY also contain identifiers for other audiences.
- at_hash
- Access token hash value. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the access_token value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the JWT's JOSE Header. For instance, if the alg is RS256, hash the access_token value with SHA-256, then take the left-most 128 bits and base64url-encode them. The at_hash value is a case-sensitive string.
If the JWT is issued from the authorization endpoint with an access_token value, which is the case for the response_type value token, this is REQUIRED; otherwise, it should not be included.- c_hash
- Code hash value. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the code value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the JWT's JOSE Header. For instance, if the alg is HS512, hash the code value with SHA-512, then take the left-most 256 bits and base64url-encode them. The c_hash value is a case-sensitive string.
If the JWT is issued from the authorization endpoint with a code value, which is the case for the response_type value code, this is REQUIRED; otherwise, it should not be included.
The JWT MAY contain other claims. Any claims used that are not understood MUST be ignored.
The JWT MUST be signed and optionally both signed and then encrypted, thereby providing authentication, integrity, non-repudiation, and optionally, confidentiality. If the JWT is encrypted, it MUST be signed then encrypted, with the result being a Nested JWT, as defined in [JWT] (Jones, M., Bradley, J., and N. Sakimura, “JSON Web Token (JWT),” May 2015.). The JWT MUST NOT use none [JWA] (Jones, M., “JSON Web Algorithms (JWA),” May 2015.) as the alg value.
The JWT SHOULD NOT use the JWS [JWS] (Jones, M., Bradley, J., and N. Sakimura, “JSON Web Signature (JWS),” May 2015.) or JWE [JWE] (Jones, M. and J. Hildebrand, “JSON Web Encryption (JWE),” May 2015.) x5u, x5c, jku, or jwk Header Parameter fields. Instead, references to keys used are communicated using the OAuth Discovery [OAuth.Discovery] (Jones, M., Sakimura, N., and J. Bradley, “OAuth 2.0 Discovery,” November 2015.) jwks_uri metadata value.
The following is a non-normative example of the set of claims (the JWT Claims Set) in the JWT:
{ "iss": "https://server.example.com", "aud": "s6BhdRkqt3", "c_hash": "LDktKdoQak3Pk0cnXxCltA" }
TOC |
When the issuer URL is returned in a JWT, as described in Section 3.1 (Mitigation Data Returned in JWT), the client MUST perform the following validation steps:
TOC |
The identifiers /.well-known/openid-configuration and id_token contain strings referring to the OpenID Connect family of specifications that were originally defined by "OpenID Connect Core 1.0" (Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, “OpenID Connect Core 1.0,” November 2014.) [OpenID.Core] and "OpenID Connect Discovery 1.0" (Sakimura, N., Bradley, J., Jones, M., and E. Jay, “OpenID Connect Discovery 1.0,” November 2014.) [OpenID.Discovery]. Despite the reuse of these identifiers that appear to be OpenID-specific, their usage in this specification is actually referring to general OAuth 2.0 features that are not specific to OpenID Connect.
By design, OpenID Connect ID Tokens are compatible with the JWTs defined by this specification that are returned from the authorization server containing the mitigation data. OpenID Connect already returns a JWT compatible with the one specified in Section 3.1 (Mitigation Data Returned in JWT) when using the response type [OAuth.Responses] (de Medeiros, B., Ed., Scurtescu, M., Tarjan, P., and M. Jones, “OAuth 2.0 Multiple Response Type Encoding Practices,” February 2014.) values id_token, code id_token, id_token token, or code id_token token.
TOC |
TOC |
The attacks mitigated by this extension are described in detail in "A Comprehensive Formal Security Analysis of OAuth 2.0" [arXiv.1601.01229v2] (Fett, D., Kuesters, R., and G. Schmitz, “A Comprehensive Formal Security Analysis of OAuth 2.0,” January 2016.) and "On the security of modern Single Sign-On Protocols: Second-Order Vulnerabilities in OpenID Connect" [arXiv.1508.04324v2] (Mladenov, V., Mainka, C., and J. Schwenk, “On the security of modern Single Sign-On Protocols: Second-Order Vulnerabilities in OpenID Connect,” January 2016.). To mitigate these attacks, clients configured to use more than one authorization server should use authorization servers that return issuer and client ID information and should validate that a consistent set of authorization server endpoints are being used when using response types that utilize multiple endpoints.
TOC |
OAuth authorization responses are sent as redirects to redirection URIs, with the response parameters typically passed as URI query parameters or fragment values. A "cut-and-paste" attack is performed by the attacker creating what appears to be a legitimate authorization response, but that substitutes some of the response parameter values with values of the attacker's choosing. Sometimes this is done by copying or "cutting" some values out of a legitimate response and replacing or "pasting" some of these values into a different response, the original version of which may have also been legitimate, creating a combination of response values that are not legitimate and that may cause behaviors sought by the attacker. The Code Substitution threat described in Section 4.4.1.13 of [RFC6819] (Lodderstedt, T., Ed., McGloin, M., and P. Hunt, “OAuth 2.0 Threat Model and Security Considerations,” January 2013.) is one example of the use of a cut-and-paste attack.
Cut-and-paste attacks can be detected and prevented if the values of the parameters are cryptographically bound together because modifications to the values caused by the "pasting" can then be detected. For example, the c_hash and at_hash claims described in Section 5 (JWT Contents) respectively enable detection of attempts to substitute different authorization code and access token values into an authorization response.
A concern with returning the mitigation information as new individual authorization response parameters whose values are not cryptographically bound together is that cut-and-paste attacks against their values will not be detected. A security analysis has not been done of the effects of the new attacks that the use of cut-and-paste against these new values will enable. Until such an analysis has been done and unless it reaches the conclusion that no bad effects can result, it would seem significantly safer to use the signed JWT method, since it is immune to this attack.
TOC |
If a protocol is defined to return the same information in multiple locations, this can create an additional attack surface. Knowing that the information is supposed to be the same, recipients will often be lazy and use the information from only one of the locations, not validating that all the supposedly duplicate instances are the same. This can enable attackers to create illegal protocol messages that have different values in the multiple locations and those illegal messages will not be detected or rejected by these lazy recipients.
For this reason, if an OAuth profile is being used that returns the mitigation information defined by this specification in one location, it SHOULD NOT also be returned in another. In particular, if a JWT containing the client ID and issuer values is being returned in the authorization response, they SHOULD NOT also be returned as individual authorization response parameters.
TOC |
TOC |
This specification registers the following parameters in the IANA "OAuth Parameters" registry [IANA.OAuth.Parameters] (IANA, “OAuth Parameters,” .) established by RFC 6749 (Hardt, D., Ed., “The OAuth 2.0 Authorization Framework,” October 2012.) [RFC6749].
TOC |
TOC |
TOC |
[IANA.OAuth.Parameters] | IANA, “OAuth Parameters.” |
[JWA] | Jones, M., “JSON Web Algorithms (JWA),” RFC 7518, DOI 10.17487/RFC7518, May 2015. |
[JWE] | Jones, M. and J. Hildebrand, “JSON Web Encryption (JWE),” RFC 7516, DOI 10.17487/RFC7516, May 2015. |
[JWK] | Jones, M., “JSON Web Key (JWK),” RFC 7517, DOI 10.17487/RFC7517, May 2015. |
[JWS] | Jones, M., Bradley, J., and N. Sakimura, “JSON Web Signature (JWS),” RFC 7515, DOI 10.17487/RFC7515, May 2015. |
[JWT] | Jones, M., Bradley, J., and N. Sakimura, “JSON Web Token (JWT),” RFC 7519, DOI 10.17487/RFC7519, May 2015. |
[OAuth.Discovery] | Jones, M., Sakimura, N., and J. Bradley, “OAuth 2.0 Discovery,” draft-jones-oauth-discovery-00 (work in progress), November 2015. |
[OAuth.Responses] | de Medeiros, B., Ed., Scurtescu, M., Tarjan, P., and M. Jones, “OAuth 2.0 Multiple Response Type Encoding Practices,” February 2014. |
[RFC2119] | Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
[RFC3629] | Yergeau, F., “UTF-8, a transformation format of ISO 10646,” STD 63, RFC 3629, DOI 10.17487/RFC3629, November 2003. |
[RFC6749] | Hardt, D., Ed., “The OAuth 2.0 Authorization Framework,” RFC 6749, DOI 10.17487/RFC6749, October 2012. |
[RFC6819] | Lodderstedt, T., Ed., McGloin, M., and P. Hunt, “OAuth 2.0 Threat Model and Security Considerations,” RFC 6819, DOI 10.17487/RFC6819, January 2013. |
[RFC7159] | Bray, T., Ed., “The JavaScript Object Notation (JSON) Data Interchange Format,” RFC 7159, DOI 10.17487/RFC7159, March 2014. |
[RFC7662] | Richer, J., Ed., “OAuth 2.0 Token Introspection,” RFC 7662, DOI 10.17487/RFC7662, October 2015. |
TOC |
[OpenID.Core] | Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, “OpenID Connect Core 1.0,” November 2014. |
[OpenID.Discovery] | Sakimura, N., Bradley, J., Jones, M., and E. Jay, “OpenID Connect Discovery 1.0,” November 2014. |
[OpenID.Registration] | Sakimura, N., Bradley, J., and M. Jones, “OpenID Connect Dynamic Client Registration 1.0,” November 2014. |
[RFC7591] | Richer, J., Ed., Jones, M., Bradley, J., Machulak, M., and P. Hunt, “OAuth 2.0 Dynamic Client Registration Protocol,” RFC 7591, DOI 10.17487/RFC7591, July 2015. |
[arXiv.1508.04324v2] | Mladenov, V., Mainka, C., and J. Schwenk, “On the security of modern Single Sign-On Protocols: Second-Order Vulnerabilities in OpenID Connect,” arXiv 1508.04324v2, January 2016. |
[arXiv.1601.01229v2] | Fett, D., Kuesters, R., and G. Schmitz, “A Comprehensive Formal Security Analysis of OAuth 2.0,” arXiv 1601.01229v2, January 2016. |
TOC |
Alfred Albrecht, John Bradley, Brian Campbell, Joerg Connotte, William Denniss, Sebastian Ebling, Florian Feldmann, Daniel Fett, Roland Hedberg, Phil Hunt, Ralf Kuesters, Torsten Lodderstedt, Christian Mainka, Vladislav Mladenov, Anthony Nadalin, Justin Richer, Nat Sakimura, Antonio Sanso, Guido Schmitz, Joerg Schwenk, Hannes Tschofenig, and Hans Zandbelt all contributed to the discussions that led to the creation of this specification.
This specification is partially based on the OpenID Connect Core 1.0 specification, which was produced by the OpenID Connect working group of the OpenID Foundation.
TOC |
TOC |
[[ to be removed by the RFC Editor before publication as an RFC ]]
-00
TOC |
Michael B. Jones | |
Microsoft | |
Email: | mbj@microsoft.com |
URI: | http://self-issued.info/ |