The fundamental problem with using OAuth (with no additional constraints) for authentication is that it
relies on the following premise
‘If I can enable the delivery of a
valid access token to a Client, then I can lay claim to the identity
represented by that access token at the corresponding AS.’
So, if an attacker (acting as a normal OAuth Client, albeit
one with evil in its heart) can obtain a valid access token for a User Bob from
a valid AS, it can present it to a different valid Client and have the
following conversation
Attacker->Client: Here is a token
Client->AS: tell me about the User associated with this token
AS->Client: that token is good and refers to Bob
Client to itself: Hmm, well it meets the criteria ……
Client->Attacker: Welcome Bob
Attacker->Client: Err, hi, yes well of course I'm Bob. Let's start moving $$
The core problem is that the valid Client is unable to
distinguish between a token previously handed to the Attacker, and a valid
token being delivered via the real Bob.
So why not add something to the token
to make that distinction easy for the valid Client, so the conversation now becomes
Attacker->Client: Here is a token
Client to itself: Whoaaa, this token is not for me!!!
Client->Attacker: Nice try bud
That is what OpenID Connect does, the OIDC id_token carries the audience (in the aud param) to
which the token was issued, preventing it from being presented elsewhere. If an OIDC Client is presented with an id_token with an audience not itself, it will stop the login process.
Facebook Connect similarly restricts the audience, but does so implicitly by requiring that the Client validate a signature calculated over the signed_request. If a Client can't validate the signature, it will know that something is up and abort.
No comments:
Post a Comment