►
From YouTube: OAUTH WG Interim Meeting, 2020-10-26
Description
OAUTH WG Interim Meeting, 2020-10-26
A
A
A
A
B
C
C
D
C
Our
new
recommendation
regarding
this
attack
is
that
authorization
servers
must
ensure
that
if
there
was
no
code
challenge
in
the
authorization
request,
a
request
to
the
token
endpoint
that
contains
a
code
verifier
must
be
rejected.
So
this
is,
as
we
heard,
also
something
that
implementations
actually
or
some
implementations
already
do.
So
I
suspect
this
is
a
relatively
small
range.
C
C
C
These
additional
precautions
are
essentially
that
you
must
ensure
that
the
nonce
is
checked
properly
and
from
the
correct
id
token.
That
is,
if
you
have
an
id
token,
both
at
the
token
endpoint,
as
well
as
in
the
in
the
authorization
response,
then
you
must
also
check
the
nonce
in
the
first
one.
So
that's
that's
something
we
stated
very
clearly
again
in
this
draft
because
it
might
not
be
obvious
to.
C
C
We
say
that
if
you
use
a
localhost
redirect
uri,
you
may
use
variable
port
numbers,
because
native
applications
just
might
need
that
we
also
covered
two
new
topics
regarding
attacks.
First,
one
is
essentially
just
one
paragraph:
what
happens
if
you
have
cross-site
scripting?
Of
course
this
can
undermine
your
token
replay
protection.
If
somebody
can
inject
code
into
your
application-
and
we
also
have
a
section
on
click
checking
attacks,
which
is
essentially
completely
new.
C
We
have
also
gotten
feedback
that
the
discussions
were
a
bit,
let's
say
lengthy,
so
we
discussed
several
approaches
to
to
mitigate
some
attacks.
Some
of
these
discussions
were
not
very
helpful.
They
discussed
things
yet
that
might
not
be
very
practical,
so
we
tightened
the
text
around
that
and
we
improved
the
examples,
also
feedback
free.
We
got
from
the
working
group
last
call
and,
of
course,
we
made
several
editorial
improvements.
C
So
this
these
are
the
changes
in
a
nutshell
that
we
made
since
the
last
working
group
last
call.
So
what's
there
left
to
discuss,
actually,
I
think
not
too
much.
We
have
two
things
that
I'd
like
to
discuss
today
and,
of
course,
also
on
the
mailing
list.
Afterwards,
this
one
has
already
been
on
the
mailing
list.
C
We
say
that
you
can
have
a
deployment
specific
way
to
communicate,
communicate,
pixie
support,
but
oauth
metadata
is
recommended,
but
this
is
only
for
the
as
side
of
things.
What
we
currently
don't
say
is
that
clients
should
actually
use
this
as
so.
This
came
from
discussion
with
peter
and
the
other
guys
at
the
stuttgart
university.
C
We
found
that
it
might
be
a
good
idea
to
actually
recommend
oauth
metadata
to
clients
for
their
discovery
process.
We
can
reach
several
goals
with
that.
First
one
is.
We
can
promote
automation
in
the
sense
that
you
can
now
use
features
just
based
on
this
discovery
process,
so
you
might
also
be
able
to
use
advanced
features
like
power
or
jar
just
based
on
this
discovery
process.
C
C
Of
course,
this
is
is
something
that
can
happen
if
you
configure
the
token
endpoint
manually,
but
it's
less
likely
to
happen.
If
you
have
a
metadata
document
that
you
can
pull
this
information
from,
so
I
think
it's
a
it
would
be
very
useful
if
we
would
see
a
broader
adoption
of
auth
metadata
and
it
actually
improves
security
if
we,
if
we
recommend
each
client
to
use
auth
metadata,
if
available.
C
Of
course,
it
just
makes
all
also
easier
to
deploy,
but
it
also
makes
security
features
easier
to
deploy.
You
have
essentially
solved
one
one
part
of
your
key
exchange
problem.
If
you
want
to
use
signed
or
encrypted
messages,
and
it
might
also
promote
the
use
or
the
concept
of
the
oauth
issuer,
which
can
also
help
to
mitigate
or
mix-up
attacks,
speaking
of
which,
regarding
mix-up
attacks,
so
this
is
the
second
topic
I'd
like
to
discuss
today.
C
The
current
recommendation,
as
you
probably
know,
is
that
you
should
use
so
you
must
mitigate
mix-up
mitigation
and
one
way
to
do
that
is
to
use
separate,
redirect
uris
per
issue.
That
means
that
if
a
client
can
work
with
multiple
authorization
servers,
the
client
should
have
a
different
redirect
uri
uri
registered
at
each
of
the
authorization
servers.
C
This
was
a
result
of
the
discussion
on
how
to
solve
the
mix-up
attack,
and
I
think
we
settled
on
that
because
it's
this
solution
is
based
on
existing
wealth
features,
but
it
turns
out
that
it's
not
always
the
best
solution.
I
think,
for
example-
and
this
is
a
problem
that
we
actually
have
at
yes.com,
this
solution
is
not
suitable
for
schemes
where
you
have
a
centralized,
client
registration,
so
the
client
just
registers
once
and
can
use
many
or
authorization
servers
or
issuers.
So
to
say,
I
I
think
this
is
a
pattern.
C
This
solution,
also,
as
you
can
tell
from
the
text
that
we
have
in
the
bcp,
needs
a
lot
of
explanation
to
developers.
So
what
do
they
need
to
do
so?
Why
do
they
need
to
use
a
separate
redirect
uri
per
issuer?
What
is
an
issuer
is
a
separate
redirect
uri
per
authorization
server,
okay,
or
is
it
not
okay?
What's
the
difference
between
the
authorization
server
and
issuer?
What
exactly
to
to
pull
what
to
put
into
that
uri
and
so
on?
C
And
it's
also
easy
to
get
wrong
and
I
think
the
the
best
argument
against
this
solution
actually
is
it's
very
hard
to
automate
in
libraries,
because
library
might
not
know
about
your
uri
how
your
uris
are
built,
what
you
put
into
that
into
these
uris
and
so
on?
So
it's
a.
I
still
think
it's
a
valuable
thing
to
have,
but
I
think
there
are
better
solutions
and
one
such
solution
is
something
where
also
discussed
very
early
on
in
this.
C
So
it's
a
very
good
mechanism
against
mix-up
attacks,
carson
who's
cast
meyer
to
zelhausen,
who
is
also
in
the
call.
Today
he
wrote
he
created
a
new
draft
which
specifies
exactly
that
an
iss
parameter
for
the
authorization
response.
I
think
he
also
already
posted
on
the
mailing
list.
Today
the
draft
defines
the
iss
parameter
and
an
respective
metadata
flag.
Of
course,
it's
a
very
short
draft.
I
think
most
of
the
parts
most
of
the
things
in
the
draft
tell
about
how
this
source
mix
up
it's
again.
C
E
This
this
is
mike
jones.
Can
I
reply
to
that
sure
if
you're
using
an
id
token,
you
already
have
the
issue
a
parameter
or
the
issue
or
value,
so
you
don't
need
the
parameter
so
just
like
we
did
with
nonce.
You
should
describe
that.
If
you
have
an
id
token
in
your
flow,
then
you
already
have
the
issuer
and
can
use
it.
F
C
Well,
the
the
the
client,
so
the
client
just
gets
a
an
authorization
response
and
it
just
doesn't
see
where
it
comes
from.
So
the
client
just
gets
it
from
the
browser,
and
this
is
just
a
redirect
to
the
client
containing
a
code
and
since,
of
course,
the
code
is
opaque,
can't
tell
where
this.
If
this
code
is
coming
from
the
attacker
as
or
the
honest
as.
F
I
guess
my
point
is
that
it
already
has
to
store
state.
It
already
has
to
store
the
pixie
code
verifier
to
know
to
no
defend
that
in
with
your
authorization
code,
so
it
seems
like
it
could
also
store
where
it
expects
the
code
to
come
from,
and
if
the
code
is
coming
from
an
attacker,
the
attacker
could
just
as
well
swap
out
the
iss
parameter.
B
C
C
These
are
the
issuers
and
the
user
would
go
to
the
client
and
say
I'd
like
to
use
attacker.com
as
an
issuer.
So,
for
example,
by
pressing
a
button
I
don't
know
authorize
with
attacker.com.
I
don't
know
so.
The
client
starts
the
interaction
with
attacker.com
retweets,
the
metadata
document
and
in
the
metadata
document,
the
client,
the
the
attacker
acting
under
the
issuer,
attacker.com
would
say
my
authorization,
endpoint
is
honest.com
auth
and
my
token
endpoint
is
attacker.com
token.
C
So
the
user
sees
honest.com
authorization
endpoint
logs
in
authorizes
the
client
for
access
and
then
gets
sent
back
to
the
client,
so
the
client
receives
an
authorization
response
which
comes
from
honest.com
contains
a
code
for
honors.com,
but
the
client
of
course
still
thinks
that
all
these
things
are
happening
with
the
issuer.
Attacker.Com.
C
And
now
the
client
will,
of
course,
want
to
re-redeem
that
code
for
an
access
token,
so
the
client
goes
to
the
token
endpoint.
The
token
endpoint,
of
course,
is
attacker.com
token.
So
what
happens?
Is
the
client
sends
the
code
that
it
acquired
from
honest.com
to
the
token
endpoint
attacker.com,
and
at
this
point
the
attacker
knows
the
code
and
yeah.
So
essentially
it's
it's
game
over.
At
this
point,
of
course,
you
have
then
features
like
pixi
making
this
attack
harder
and
and
other
things,
but
still
to
get
defense
in
depth.
C
C
So
if
you
had
the
iss
parameter
in
the
authorization
response,
then
of
course
in
the
scenario
that
I
just
showed,
the
honest
dot
com,
slash,
auth
authorization
endpoint
would
put
into
the
authorization
response
the
issuer
honest.com,
because
the
honest.com
authorization
server
knows
that
it's
acting
under
the
issuer
on
a
sidecar,
so
the
authorization
response
arrives
at
the
client
and
the
client
sees
okay.
This
response
comes
from
honest.com
while
me,
while
I
as
a
client,
I'm
thinking
I'm
acting
or
I'm
interacting
with
attacker.com.
C
And
the
whole
thing
also
works.
If
you
don't
have
metadata,
but
then
you
need
to
essentially
you
need
to
need
a
deployment
specific
way
to
to
say
what
is
the
issuer
so
to
say
in
that
case,
which
can
be
as
easy
as
a
fixed
string
that
you
know
that
facebook
always
sends
this
string,
and
google
always
sends
this
string.
C
Well,
pxe
kind
of
does
so
with
pixi.
The
code
would
arrive
at
the
wrong
token
endpoint,
but
of
course
the
the
the
the
attacker
wouldn't
know
which
pxe
verifier
to
use
for
that
code
problem
is
that,
first
of
all,
we
don't
know
if
pixel
was
used.
Of
course,
if
you
follow
all
the
recommendation,
pixel
was
used,
but
if
you
don't,
then
you
still
have
the
mixer
problem.
C
F
C
C
A
G
A
D
G
Sure,
I
think
a
couple
of
things
matter.
It
depends
on
the
track.
We
want
to
publish
this
particular
document
in
you
know.
Ultimately
what
will
happen
is
if
you
have
a
document
that
has
a
normative
reference
on
another
document
that
is
not
yet
published.
It'll
sit
in
the
rfc
editor
queue
as
a
misref
until
until
they're
deconflicted
and
then,
depending
on
the
track
of
that
other
document.
G
D
E
D
C
G
C
A
F
No,
it
sounds
like
the
security
bcp
would
be
saying
you
need
to
solve
this
attack
and
there
are
several
options
to
do
that.
You
could
also
make
up
your
own
solution.
However,
it
would
then
point
people
toward
the
standardized
the
intended
to
be
standardized
version
of
that,
which
is
this
iss
parameter.
C
I
J
A
J
G
J
That
that's
fair,
it
just
seemed
like,
potentially
it's
less
awkward
than
all
these
various
attempts
to
downplay
a
down
ref
or
back
rough
to
an
individual
draft
document.
Although
I
presume
that
this
discussion
sort
of
presupposes
the
adoption
of
the
other
document
and
attempts
to
progress
it
quickly,.
C
I
mean
this
is
something
we
could
also
just
just
try
to.
We
could
just
try
to
progress
with
the
security
bcp
and
see
how
much
need
for
discussion.
There
is
with
the
other
document.
It
is
a
relatively
short
document
and
very
concise.
So
maybe
maybe
this
progress
is
quick
enough.
Otherwise
we
could
still
think
about
how
to
reference
that.
A
A
I
Okay,
it's
a
topic
that
I've
already
raised
on
the
version
15.
Currently
the
section
3
states,
the
updated,
auto
article
model
is
supposed
to
have
been
updated
to
account
the
potentially
involving
multiple,
multiple
parties.
However,
he
still
misses
to
address
the
case
of
dynamic
relationship
between
clients,
which
includes
scenario
of
collaborative
clients.
I
C
Yeah,
I
think
we've
discussed
this
attack
a
number
of
times,
also
in
different
working
groups,
and
it
seems
that
there's
so
I
still
stand
by
what
dennis
quoted
that
this
seems
to
break
something
that
nobody
really
expect
or
to
provide,
which
is
also
kind
of
supported
by
the.
I
don't
know
the
my
general
impression
that
that
this
this
discussion
of
the
attack
has
not
brought
us
really
to
to
to
the
conclusion
that
this
is
an
interesting
attack,
so
to
say
just
one.
C
One
thing
that
I
also
pointed
out
before
this
attack
is
covered
by
the
attacker
model.
Collaborative
clients
is
something
that
can
happen.
The
thing
is,
it
is
not
covered
by
the
kind
of
security
goals
that
people
expect
oauth
to
fulfill
and
yeah.
So
I
don't
really
think
that
this
is
something
we
should
cover
in
the
security
bcp.
I
Well
collaborative
is
not
a
word
that
exists
in
the
current
bcp,
so
collaborative
clients
do
not
exist
as
well.
As
you
mentioned,
this
kind
of
attack
can
happen
and
we
should
say
what
should
be
done
in
case.
That
attack
happened
and
mentioned
that
there
is
a
way
to
counter
that
attack,
and
this
should
be
mentioned.
C
Then
collaborative
clients
are
covered
by
the
attacker
model,
because
clients
can
of
course
send
messages
to
each
other.
This
is
also
something
that
we
covered
in
the
formal
analysis
where
this
attacker
model
kind
of
is
derived
from
where
clients
can
collaborate,
so
they
can
collaborate
to
reach
a
common
goal.
C
C
D
Yeah
this
is
this
harness
here
yeah.
I
wonder
I
so
I
I
see
two
aspects
here.
One
is
to
the
question
of
like
how
well
is
this
aspect
covered
right
in
the
document
itself
rather
than
in
in
reference
documents,
and
can
we
can
we
do
a
better
job
in
in
pointing
these
things
out
on
what's
covered
and
what's
not
covered?