SaferWeb: OAuth2.a or Let's Just ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë It

Eran and others, Î䵤¡¿´¨¤¬¤é¤»¤ë out. We should stop whining to nobody. I prefer rather "we gotta ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë this, this and discuss that" than "it is bad"-ÂÖÅÙ. Some people were surprised because they like OAuth2.

What about me? I was not surprised because OAuth2 is far from perfect. But there is no ¿äÏÀ¤¹¤ë¡¿Íýͳ to give up, it's in our ¼êÅϤ¹s. ( By the way I'm waiting for comments on Hacker News ¾µÇ§¤¹¤ë?)

Below I explain some °ÂÁ´ and usability ´Ø¿´s about ¸½ºß¤Î OAuth2 and Äó°Æ¤¹¤ë(I do, not just say 'it is bad') ²þÎÉs to make it more agile and °ÂÁ´¤Ê-by-default. OAuth2.a is going to be easier to ´ï¶ñ¡¿¼Â»Ü¤¹¤ë and more °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë.

TL;DR:

1. redirect_uri can be on any domain and ÎÌ of redirect_uri-s is À©¸Â¤Î¤Ê¤¤. They are whitelisted and only exact match Ω¾Ú is ŬÍѤ¹¤ëd(redirect_uri IS NOT ½ÀÆð¤Ê domain.com/*). ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í »Ï¤á¤ë¡¤·è¤á¤ës redirect_uri-s on his admin page in Provider.
2. for every redirect_uri MUST be defined ³Î¤«¤Ê response_type - µ­Ç°ÉÊ or code. It must not be possible to »Ï¤á¤ë¡¤·è¤á¤ë response_type in ¸¢¸Â¤òÍ¿¤¨¤ë URL. Every redirect_uri has its own defined response_type
3. Most ¤¢¤ê¤Õ¤ì¤¿ OAuth2 CSRF Vulnerability from my previous ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë. We should either introduce a new *compulsory* param(e.g. csrf_token) or just raise ǧ¼±¡¿°Õ¼±À­ about the ÌäÂ꡿ȯ¹Ô¤¹¤ë.
4. We need either ³ä¤êÅö¤Æ¤ë 'ÈÏ°Ï' to ³Î¤«¤Ê redirect_uri ƱÍÍ¤Ë as response_type(it MUST not be in URL) or µö¤¹ »ÈÍÑ¼Ô to choose what parts of ÈÏ°Ï to µö¤¹. It's up to Provider's ¼Â»Ü.
5. We should introduce '½¸¤Þ¤ê refreshing' of access_token-s. ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í sends an array of refresh_token-s and ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í's ¿®Ç¤¾õ and get's hash with refresh_token=>ÀÜ¶á µ­Ç°ÉÊ.
6. We need to define some DEFAULT URL paths and error codes to Äɲ乤ë a little bit more "interoperability". Really, is it so damn hard to keep your endpoints and error codes Îà»÷¤Î to other services?

Points and ¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ës:

1. Matching redirect_uri domain is futile! We SHOULD NOT have only 1 domain µö¤¹d.
°æ¸Í¡¿ÊÛ¸î»ÎÀÊ, I have no idea why all providers Í׵᤹¤ë only 1 domain in redirect_uri. ¸½¼Â¤Ë, stealing 'code' is ²ÁÃ͡ʤ¬¤¢¤ë¡Ë nothing. 

Providers MUST Í׵᤹¤ë 'redirect_uri' to ÆÀ¤ë access_token(¡Êµö²Ä¡¤Ì¾ÍÀ¤Ê¤É¤ò¡ËÍ¿¤¨¤ëing specs). If 'code' was ÌäÂ꡿ȯ¹Ô¤¹¤ëd for different redirect_uri - server Ì£Êý¤¹¤ë will not get access_token for your stolen code. Again - even if I steal 'code' with redirect_uri = mydomain.com anyway I won't be able to use it. 
Providers, relax, all redirect_uri checks are futile, if you follow OAuth documentation(ugly example - social ÌÖ¾õÁÈ¿¥ vk.com doesn't https://gist.github.com/3075898 and if you steal code you can get access_token for it)

   ¡¼¤¹¤ë¤¿¤á¤Ë ˸¤²¤ë such an attack, the authorization server MUST ³Î¼Â¤Ë¤¹¤ë that the redirection URI used to ÆÀ¤ë the authorization code is Ʊ°ì¤Î to the redirection URI ¶¡µë¤¹¤ëd when ¸òήing the authorization code for an ÀÜ¶á µ­Ç°ÉÊ.  The authorization server MUST Í׵᤹¤ë public ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Ís and SHOULD Í׵᤹¤ë confidential ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Ís to ÅÐÏ¿¡Ê¤¹¤ë¡Ë their redirection URIs.  If a redirection URI is ¶¡µë¤¹¤ëd in the request, the authorization server MUST val
idate it against the ÅÐÏ¿¡Ê¤¹¤ë¡Ëd value.

Provider SHOULD µö¤¹ many redirect_uri-s for one ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í. Provider SHOULD NOT À©¸Â¤¹¤ë all redirect_uri-s to match the same domain.

Now you are able to Äɲ乤ë a lot of redirect_uris on ¤µ¤Þ¤¶¤Þ¤Ê domains(e.g. ³«È¯ Êý¼° and multi lang Êý¼°):
¾ì½ê¡¿°ÌÃÖ.com/facebook/callback
¾ì½ê¡¿°ÌÃÖ.de/facebook/callback
¾ì½ê¡¿°ÌÃÖ.localdev/facebook/callback 

redirect_uri checks MUST be done in exact match Êý¼° against whitelist of callbacks. (¸½ºß¡¿°ìÈÌ¤Ë it only checks domains ¾ì½ê¡¿°ÌÃÖ.com/*anything*). It will mitigate all Æù¿Æ¡¤¿ÆÎàd of XSS-ϳ¤ì¤ës, backend-ϳ¤ì¤ës, referer ϳ¤ì¤ës etc once and for all. Also, please remember, callback MUST redirect »ÈÍÑ¼Ô Â¨»þ¤Ë.

Provider SHOULD NOT Í׵᤹¤ë redirect_uri param anymore to ÆÀ¤ë access_token. All redirect_uri-s are whitelisted now, redirect_uri µ¶Â¤ will not work anymore. It will really ´Êñ¤Ë¤¹¤ë the ²áÄø since you don't need to remember ¸½ºß¤Î callback URL to ÆÀ¤ë access_token.


2. ¸½ºß¡¿°ìÈ̤ˠAuthorization Code Flow is not any safer than Implicit Flow

Implicit Flow is the most insecure OAuth flow because access_token is exposed to »ÈÍѼÔ-¥¹¥Ñ¥¤¡¿¼¹¹Ô´±, scripts(ÆâÉô¤Î/³°Éô¤Î), possible XSSes and so on - a lot of ´í¸±s and ways to ÂŶ¨ it.
If hacker get's your access_token he automatically ¿­¤Ó¡Ê¤ë¡Ës all the µö²Äs (½Ò¤Ù¤ëd in 'ÈÏ°Ï') on your account in OAuth Provider(google, twitter, facebook, github etc).  

Èò¤±¤ë it!(°úÍѤ¹¤ë from IEFT):

However, this convenience should be ½Å¤µ¤ò·×¤ëd against. the °ÂÁ´ ´Ø¤ï¤ê¤¢¤¤¡¿´ÞÃßs of using implicit ǧ¤á¤ës, ÆÃ¤Ë when the authorization code ǧ¤á¤ë type is ÍøÍѤǤ­¤ë.

Even if website uses response_type=code, ¹¶·â¼Ô easily ¼è¤Ã¤ÆÂå¤ï¤ës it with response_type=µ­Ç°ÉÊ in ¸¢¸Â¤òÍ¿¤¨¤ë URL, points redirect_uri to some XSS-exploitable page on your domain, Ãê½Ð¤¹¤ës ʸ½ñ.¾ì½ê.hash when »ÈÍÑ¼Ô is »Ù±ç¤¹¤ë. He receives »ÈÍѼÔ's access_token, jack ¥Þ¥ê¥Õ¥¡¥Ê. Stolen access_token means hacker gets (¸Â¤é¤ì¤¿¡¿Î©·ûŪ¤Ê) Àܶá to your »ñ¸»s on provider.

Even if website uses Authorization Code Flow you can 'downgrade' it to response_type=µ­Ç°ÉÊ and ÆÀ¤ë opaque access_token. This is a gaping ·ç´Ù in OAuth2.

response_type param MUST be defined along with redirect_uri in admin ¥Ñ¥Í¥ëÈ× of ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í. Provider MUST NOT ¼õÂ÷¤¹¤ë change of response_type within authorization ²áÄø. If ¾ì½ê¡¿°ÌÃÖ uses response_type=code it must be impossible to use response_type=µ­Ç°ÉÊ until you change ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í's ¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ës in Provider's admin page.

3. ÈÏ°Ï or I still need my children alive.

Here is a nice article on this topic by Zach Holman, written ~2 years ago: http://zachholman.com/2011/01/oauth_will_murder_your_children/

Nothing has changed.

Let me remind you that ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í »Ï¤á¤ë¡¤·è¤á¤ës 'ÈÏ°Ï' in ¸¢¸Â¤òÍ¿¤¨¤ë URL param. What does it mean? There is ÀäÂÐ no ÊÝ¾Ú¡Ê¿Í¡Ë that »ÈÍÑ¼Ô gave you those ÈÏ°Ïs you asked for!

¸½¼Â¤Ë, when I ¥¹¥Ô¡¼¥É¤ò½Ð¤¹¡¿µ­Ï¿¤Ë¤Ä¤±¤ë in with facebook/twitter somewhere I just ¼è¤Ã¤ÆÂå¤ï¤ë 'ÈÏ°Ï' with empty string and ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í ´Êñ¤Ë gets Àܶá to some profile ¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ës and my user_id. MWAHAHA.

There are two ways to ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë it:
first - Ãù¢½êd ÈÏ°Ï value to ³Î¤«¤Ê ÅÐÏ¿¡Ê¤¹¤ë¡Ëd redirect_uri. If »ÈÍÑ¼Ô ¸¢¸Â¤òÍ¿¤¨¤ëd this 'redirect_uri' - than ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í definitely will get Àܶá to ÈÏ°Ï he asked for. No damn surprises.
second - stop Í׵᤹¤ëing stupid µö²Äs. It's up to me what to give you. Providers should let me choose as in Holman's article - what to µö¤¹ and what to ÈÝÄꤹ¤ë. It's MY »ñ¸»s, it's MY µö²Ä.

4. CSRF or Stop Insecure-By-Default ¾µÇ§¤¹¤ë?
Yes, it is rather ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í's vulnerability than in Provider. But it is still vulnerability because it's really ¤¢¤ê¤Õ¤ì¤¿ and OAuth2 should ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë it.
Again, two ways to go:
first - Äɲ乤ë new compulsory param 'csrf_token' ÆÃ¤Ë for CSRF ͽËÉ.
second - educate developers about CSRF and make documentation ȯ¸À¡¿½Ò¤Ù¤ës cleaner. I see ¤Ë¤Ä¤¤¤Æ¸ÀµÚ¤¹¤ë about CSRF in Providers' ¼êÆ°¼°¤Îs very rarely. ¸½¼Â¤Ë 'ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë' was not supposed to be CSRF µ­Ç°ÉÊ but just to keep ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë of your »ÈÍÑ¡¿Å¬ÍÑ. You can Ãߤ¨¤ë¡¿Å¹ both values using delimiter: ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë=CSRFTOKEN_APPSTATE and I think it's ¾µÇ§¤¹¤ë.

This is it. 

I don't Äó°Æ¤¹¤ë to Äɲ乤ë encryption. No fucking way. It was ¶Ëü¤Ë tedious to work with OAuth1 and I am fully ¾µÇ§¤¹¤ë with HTTPS.
I also don't Äó°Æ¤¹¤ë oauth to be more interoperable about µ­Ç°ÉÊ À¤Âå and length and other stuff. It would be just utopia, it's not our ¾¦Çä¡¿»Å»ö how Providers ´ï¶ñ¡¿¼Â»Ü¤¹¤ë OAuth FRAMEWORK.
I just want you guys to ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë these few minor things(many redirect_uri-s, ÈÏ°Ï is not reliable etc)  and 2 major vulnerabilities(response_type ¸òÂØ¡¿Êä½¼ and ¤¢¤ê¤Õ¤ì¤¿ CSRF).