| rfc9700v2.txt | rfc9700.txt | |||
|---|---|---|---|---|
| skipping to change at line 314 ¶ | skipping to change at line 314 ¶ | |||
| preventing the use of constant values for the PKCE challenge or | preventing the use of constant values for the PKCE challenge or | |||
| OpenID Connect nonce. | OpenID Connect nonce. | |||
| Note: Although PKCE was designed as a mechanism to protect native | Note: Although PKCE was designed as a mechanism to protect native | |||
| apps, this advice applies to all kinds of OAuth clients, including | apps, this advice applies to all kinds of OAuth clients, including | |||
| web applications. | web applications. | |||
| When using PKCE, clients SHOULD use PKCE code challenge methods that | When using PKCE, clients SHOULD use PKCE code challenge methods that | |||
| do not expose the PKCE verifier in the authorization request. | do not expose the PKCE verifier in the authorization request. | |||
| Otherwise, attackers that can read the authorization request (cf. | Otherwise, attackers that can read the authorization request (cf. | |||
| attacker (A4) in Section 3) can break the security provided by PKCE. | Attacker (A4) in Section 3) can break the security provided by PKCE. | |||
| Currently, S256 is the only such method. | Currently, S256 is the only such method. | |||
| Authorization servers MUST support PKCE [RFC7636]. | Authorization servers MUST support PKCE [RFC7636]. | |||
| If a client sends a valid PKCE code_challenge parameter in the | If a client sends a valid PKCE code_challenge parameter in the | |||
| authorization request, the authorization server MUST enforce the | authorization request, the authorization server MUST enforce the | |||
| correct usage of code_verifier at the token endpoint. | correct usage of code_verifier at the token endpoint. | |||
| Authorization servers MUST mitigate PKCE downgrade attacks by | Authorization servers MUST mitigate PKCE downgrade attacks by | |||
| ensuring that a token request containing a code_verifier parameter is | ensuring that a token request containing a code_verifier parameter is | |||
| skipping to change at line 447 ¶ | skipping to change at line 447 ¶ | |||
| web origin. | web origin. | |||
| 2.5. Client Authentication | 2.5. Client Authentication | |||
| Authorization servers SHOULD enforce client authentication if it is | Authorization servers SHOULD enforce client authentication if it is | |||
| feasible, in the particular deployment, to establish a process for | feasible, in the particular deployment, to establish a process for | |||
| issuance/registration of credentials for clients and ensuring the | issuance/registration of credentials for clients and ensuring the | |||
| confidentiality of those credentials. | confidentiality of those credentials. | |||
| It is RECOMMENDED to use asymmetric cryptography for client | It is RECOMMENDED to use asymmetric cryptography for client | |||
| authentication, such as mTLS [RFC8705] or signed JWTs ("Private Key | authentication, such as mutual TLS for OAuth 2.0 [RFC8705] or signed | |||
| JWT") in accordance with [RFC7521] and [RFC7523]. The latter is | JWTs ("Private Key JWT") in accordance with [RFC7521] and [RFC7523]. | |||
| defined in [OpenID.Core] as the client authentication method | The latter is defined in [OpenID.Core] as the client authentication | |||
| private_key_jwt). When asymmetric cryptography for client | method private_key_jwt). When asymmetric cryptography for client | |||
| authentication is used, authorization servers do not need to store | authentication is used, authorization servers do not need to store | |||
| sensitive symmetric keys, making these methods more robust against | sensitive symmetric keys, making these methods more robust against | |||
| leakage of keys. | leakage of keys. | |||
| 2.6. Other Recommendations | 2.6. Other Recommendations | |||
| The use of OAuth Authorization Server Metadata [RFC8414] can help to | The use of OAuth Authorization Server Metadata [RFC8414] can help to | |||
| improve the security of OAuth deployments: | improve the security of OAuth deployments: | |||
| * It ensures that security features and other new OAuth features can | * It ensures that security features and other new OAuth features can | |||
| skipping to change at line 606 ¶ | skipping to change at line 606 ¶ | |||
| authorization server. For example, a resource server may be | authorization server. For example, a resource server may be | |||
| compromised by an attacker, an access token may be sent to an | compromised by an attacker, an access token may be sent to an | |||
| attacker-controlled resource server due to a misconfiguration, | attacker-controlled resource server due to a misconfiguration, | |||
| or social engineering may be used to get a resource owner to | or social engineering may be used to get a resource owner to | |||
| use an attacker-controlled resource server. Also see | use an attacker-controlled resource server. Also see | |||
| Section 4.9.2. | Section 4.9.2. | |||
| (A3), (A4), and (A5) typically occur together with either (A1) or | (A3), (A4), and (A5) typically occur together with either (A1) or | |||
| (A2). Attackers can collaborate to reach a common goal. | (A2). Attackers can collaborate to reach a common goal. | |||
| Note that an attacker (A1) or (A2) can be a resource owner or act as | Note that an Attacker (A1) or (A2) can be a resource owner or act as | |||
| one. For example, such an attacker can use their own browser to | one. For example, such an attacker can use their own browser to | |||
| replay tokens or authorization codes obtained by any of the attacks | replay tokens or authorization codes obtained by any of the attacks | |||
| described above at the client or resource server. | described above at the client or resource server. | |||
| This document focuses on threats resulting from attackers (A1) to | This document focuses on threats resulting from Attackers (A1) to | |||
| (A5). | (A5). | |||
| 4. Attacks and Mitigations | 4. Attacks and Mitigations | |||
| This section gives a detailed description of attacks on OAuth | This section gives a detailed description of attacks on OAuth | |||
| implementations, along with potential countermeasures. Attacks and | implementations, along with potential countermeasures. Attacks and | |||
| mitigations already covered in [RFC6819] are not listed here, except | mitigations already covered in [RFC6819] are not listed here, except | |||
| where new recommendations are made. | where new recommendations are made. | |||
| This section further defines additional requirements (beyond those | This section further defines additional requirements (beyond those | |||
| skipping to change at line 958 ¶ | skipping to change at line 958 ¶ | |||
| Countermeasures: | Countermeasures: | |||
| * Clients MUST NOT pass access tokens in a URI query parameter in | * Clients MUST NOT pass access tokens in a URI query parameter in | |||
| the way described in Section 2.3 of [RFC6750]. The authorization | the way described in Section 2.3 of [RFC6750]. The authorization | |||
| code grant or alternative OAuth response modes like the form post | code grant or alternative OAuth response modes like the form post | |||
| response mode [OAuth.Post] can be used to this end. | response mode [OAuth.Post] can be used to this end. | |||
| 4.4. Mix-Up Attacks | 4.4. Mix-Up Attacks | |||
| Mix-up attacks are in scenarios where an OAuth client interacts with | Mix-up attacks can occur in scenarios where an OAuth client interacts | |||
| two or more authorization servers and at least one authorization | with two or more authorization servers and at least one authorization | |||
| server is under the control of the attacker. This can be the case, | server is under the control of the attacker. This can be the case, | |||
| for example, if the attacker uses dynamic registration to register | for example, if the attacker uses dynamic registration to register | |||
| the client at their own authorization server or if an authorization | the client at their own authorization server or if an authorization | |||
| server becomes compromised. | server becomes compromised. | |||
| The goal of the attack is to obtain an authorization code or an | The goal of the attack is to obtain an authorization code or an | |||
| access token for an uncompromised authorization server. This is | access token for an uncompromised authorization server. This is | |||
| achieved by tricking the client into sending those credentials to the | achieved by tricking the client into sending those credentials to the | |||
| compromised authorization server (the attacker) instead of using them | compromised authorization server (the attacker) instead of using them | |||
| at the respective endpoint of the uncompromised authorization/ | at the respective endpoint of the uncompromised authorization/ | |||
| skipping to change at line 1033 ¶ | skipping to change at line 1033 ¶ | |||
| code for an access token (for public clients) or perform an | code for an access token (for public clients) or perform an | |||
| authorization code injection attack as described in Section 4.5. | authorization code injection attack as described in Section 4.5. | |||
| Variants: | Variants: | |||
| * Mix-Up with Interception: This variant works only if the attacker | * Mix-Up with Interception: This variant works only if the attacker | |||
| can intercept and manipulate the first request/response pair from | can intercept and manipulate the first request/response pair from | |||
| a user's browser to the client (in which the user selects a | a user's browser to the client (in which the user selects a | |||
| certain authorization server and is then redirected by the client | certain authorization server and is then redirected by the client | |||
| to that authorization server), as in Attacker (A2) (see | to that authorization server), as in Attacker (A2) (see | |||
| Section 3). This capability can, for example, be the result of a | Section 3). This capability can, for example, be the result of an | |||
| attacker-in-the-middle attack on the user's connection to the | attacker-in-the-middle attack on the user's connection to the | |||
| client. In the attack, the user starts the flow with H-AS. The | client. In the attack, the user starts the flow with H-AS. The | |||
| attacker intercepts this request and changes the user's selection | attacker intercepts this request and changes the user's selection | |||
| to A-AS. The rest of the attack proceeds as in Step 2 and | to A-AS. The rest of the attack proceeds as in Step 2 and | |||
| following above. | following above. | |||
| * Implicit Grant: In the implicit grant, the attacker receives an | * Implicit Grant: In the implicit grant, the attacker receives an | |||
| access token instead of the code in Step 4. The attacker's | access token instead of the code in Step 4. The attacker's | |||
| authorization server receives the access token when the client | authorization server receives the access token when the client | |||
| makes either a request to the A-AS userinfo endpoint or a request | makes either a request to the A-AS userinfo endpoint or a request | |||
| to the attacker's resource server (since the client believes it | to the attacker's resource server (since the client believes it | |||
| skipping to change at line 1147 ¶ | skipping to change at line 1147 ¶ | |||
| 4.5. Authorization Code Injection | 4.5. Authorization Code Injection | |||
| An attacker who has gained access to an authorization code contained | An attacker who has gained access to an authorization code contained | |||
| in an authorization response (see Attacker (A3) in Section 3) can try | in an authorization response (see Attacker (A3) in Section 3) can try | |||
| to redeem the authorization code for an access token or otherwise | to redeem the authorization code for an access token or otherwise | |||
| make use of the authorization code. | make use of the authorization code. | |||
| In the case that the authorization code was created for a public | In the case that the authorization code was created for a public | |||
| client, the attacker can send the authorization code to the token | client, the attacker can send the authorization code to the token | |||
| endpoint of the authorization server and thereby get an access token. | endpoint of the authorization server and thereby get an access token. | |||
| This attack was described in Section 4.4.1.1. of [RFC6819]. | This attack was described in Section 4.4.1.1 of [RFC6819]. | |||
| For confidential clients, or in some special situations, the attacker | For confidential clients, or in some special situations, the attacker | |||
| can execute an authorization code injection attack, as described in | can execute an authorization code injection attack, as described in | |||
| the following. | the following. | |||
| In an authorization code injection attack, the attacker attempts to | In an authorization code injection attack, the attacker attempts to | |||
| inject a stolen authorization code into the attacker's own session | inject a stolen authorization code into the attacker's own session | |||
| with the client. The aim is to associate the attacker's session at | with the client. The aim is to associate the attacker's session at | |||
| the client with the victim's resources or identity, thereby giving | the client with the victim's resources or identity, thereby giving | |||
| the attacker at least limited access to the victim's resources. | the attacker at least limited access to the victim's resources. | |||
| skipping to change at line 1542 ¶ | skipping to change at line 1542 ¶ | |||
| servers (see Attackers (A1) and (A5) in Section 3). If the client | servers (see Attackers (A1) and (A5) in Section 3). If the client | |||
| sends a valid access token to this counterfeit resource server, the | sends a valid access token to this counterfeit resource server, the | |||
| attacker in turn may use that token to access other services on | attacker in turn may use that token to access other services on | |||
| behalf of the resource owner. | behalf of the resource owner. | |||
| This attack assumes the client is not bound to one specific resource | This attack assumes the client is not bound to one specific resource | |||
| server (and its URL) at development time, but client instances are | server (and its URL) at development time, but client instances are | |||
| provided with the resource server URL at runtime. This kind of late | provided with the resource server URL at runtime. This kind of late | |||
| binding is typical in situations where the client uses a service | binding is typical in situations where the client uses a service | |||
| implementing a standardized API (e.g., for email, calendaring, | implementing a standardized API (e.g., for email, calendaring, | |||
| healthcare, or banking) and where the client is configured by a user | eHealth, or open banking) and where the client is configured by a | |||
| or administrator. | user or administrator. | |||
| 4.9.2. Compromised Resource Server | 4.9.2. Compromised Resource Server | |||
| An attacker may compromise a resource server to gain access to the | An attacker may compromise a resource server to gain access to the | |||
| resources of the respective deployment. Such a compromise may range | resources of the respective deployment. Such a compromise may range | |||
| from partial access to the system, e.g., its log files, to full | from partial access to the system, e.g., its log files, to full | |||
| control over the respective server, in which case all controls can be | control over the respective server, in which case all controls can be | |||
| circumvented and all resources can be accessed. The attacker would | circumvented and all resources can be accessed. The attacker would | |||
| also be able to obtain other access tokens held on the compromised | also be able to obtain other access tokens held on the compromised | |||
| system that would potentially be valid to access other resource | system that would potentially be valid to access other resource | |||
| skipping to change at line 1628 ¶ | skipping to change at line 1628 ¶ | |||
| tied to specific material provided by the transport layer (e.g., | tied to specific material provided by the transport layer (e.g., | |||
| TLS). The resource server must also ensure that a replay of the | TLS). The resource server must also ensure that a replay of the | |||
| proof of possession is not possible. | proof of possession is not possible. | |||
| Two methods for sender-constrained access tokens using proof of | Two methods for sender-constrained access tokens using proof of | |||
| possession have been defined by the OAuth working group and are in | possession have been defined by the OAuth working group and are in | |||
| use in practice: | use in practice: | |||
| * "OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound | * "OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound | |||
| Access Tokens" [RFC8705]: The approach specified in this) document | Access Tokens" [RFC8705]: The approach specified in this) document | |||
| allows the use of mutual TLS (mTLS) for both client authentication | allows the use of mutual TLS for both client authentication and | |||
| and sender-constrained access tokens. For the purpose of sender- | sender-constrained access tokens. For the purpose of sender- | |||
| constrained access tokens, the client is identified towards the | constrained access tokens, the client is identified towards the | |||
| resource server by the fingerprint of its public key. During the | resource server by the fingerprint of its public key. During the | |||
| processing of an access token request, the authorization server | processing of an access token request, the authorization server | |||
| obtains the client's public key from the TLS stack and associates | obtains the client's public key from the TLS stack and associates | |||
| its fingerprint with the respective access tokens. The resource | its fingerprint with the respective access tokens. The resource | |||
| server in the same way obtains the public key from the TLS stack | server in the same way obtains the public key from the TLS stack | |||
| and compares its fingerprint with the fingerprint associated with | and compares its fingerprint with the fingerprint associated with | |||
| the access token. | the access token. | |||
| * "OAuth 2.0 Demonstrating Proof of Possession (DPoP)" [RFC9449]: | * "OAuth 2.0 Demonstrating Proof of Possession (DPoP)" [RFC9449]: | |||
| DPoP outlines an application-level mechanism for sender- | DPoP outlines an application-level mechanism for sender- | |||
| skipping to change at line 1703 ¶ | skipping to change at line 1703 ¶ | |||
| benefit to hide the resource server URL from the authorization | benefit to hide the resource server URL from the authorization | |||
| server. | server. | |||
| Audience restriction may seem easier to use since it does not require | Audience restriction may seem easier to use since it does not require | |||
| any cryptography on the client side. Still, since every access token | any cryptography on the client side. Still, since every access token | |||
| is bound to a specific resource server, the client also needs to | is bound to a specific resource server, the client also needs to | |||
| obtain a single resource server-specific access token when accessing | obtain a single resource server-specific access token when accessing | |||
| several resource servers. (Resource indicators, as specified in | several resource servers. (Resource indicators, as specified in | |||
| [RFC8707], can help to achieve this.) [TOKEN-BINDING] had the same | [RFC8707], can help to achieve this.) [TOKEN-BINDING] had the same | |||
| property since different token-binding IDs must be associated with | property since different token-binding IDs must be associated with | |||
| the access token. Using Mutual TLS for OAuth 2.0 [RFC8705], on the | the access token. Using mutual TLS for OAuth 2.0 [RFC8705], on the | |||
| other hand, allows a client to use the access token at multiple | other hand, allows a client to use the access token at multiple | |||
| resource servers. | resource servers. | |||
| It should be noted that audience restrictions -- or, generally | It should be noted that audience restrictions -- or, generally | |||
| speaking, an indication by the client to the authorization server | speaking, an indication by the client to the authorization server | |||
| where it wants to use the access token -- have additional benefits | where it wants to use the access token -- have additional benefits | |||
| beyond the scope of token leakage prevention. They allow the | beyond the scope of token leakage prevention. They allow the | |||
| authorization server to create a different access token whose format | authorization server to create a different access token whose format | |||
| and content are specifically minted for the respective server. This | and content are specifically minted for the respective server. This | |||
| has huge functional and privacy advantages in deployments using | has huge functional and privacy advantages in deployments using | |||
| End of changes. 10 change blocks. | ||||
| 16 lines changed or deleted | 16 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||