Web Authorization Protocol D. Fett Internet-Draft yes.com Intended status: Standards Track J. Bradley Expires: January 24, 2020 Yubico July 23, 2019 OAuth 2.0 Integrity Verification for Authorization Requests (IVAR) draft-fett-oauth-ivar-00 Abstract This document describes a mechanism for the integrity protection of OAuth 2.0 authorization requests. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 24, 2020. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Fett & Bradley Expires January 24, 2020 [Page 1] Internet-Draft oauth-ivar July 2019 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Conventions and Terminology . . . . . . . . . . . . . . . 3 2. Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Client Metadata for IVAR . . . . . . . . . . . . . . . . . . 3 4. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4.1. Storing the Authorization Request . . . . . . . . . . . . 4 4.2. IVAR Verification . . . . . . . . . . . . . . . . . . . . 4 5. Fallback if JavaScript is unavailable . . . . . . . . . . . . 5 6. Security Considerations . . . . . . . . . . . . . . . . . . . 5 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 8.1. Normative References . . . . . . . . . . . . . . . . . . 5 8.2. Informative References . . . . . . . . . . . . . . . . . 6 Appendix A. Document History . . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 1. Introduction A number of attacks on OAuth 2.0 are based on the fact that the contents of the OAuth authorization request lack integrity and authenticity protection. To launch an attack, an attacker might, for example, start an OAuth flow in his browser, use the authorization request URI created by the client, and send it to its victim (with or without manipulations). The victim might then complete the authorization. Since the attacker knows or has manipulated parts of the authorization request URI, certain security mechanisms in OAuth might then not work as expected --- undermining the security of OAuth or protocols based on OAuth, like OpenID Connect. Among others, the following attacks are facilitated by the lack of integrity and authenticity of the authorization request: o Attacks on the redirection URI, in which an attacker manipulates the redirection URI and let it point either to a server controlled by the attacker or an endpoint at the client which discloses contents of the authorization response to the attacker. o The PKCE Chosen Challenge Attack, described in [arXiv.1901.11520], wherein an attacker uses his access to the authorization response (see attacker model A3 in [I-D.ietf-oauth-security-topics]) to gain access to the user's resources. o A variant of the AS Mix-Up attack in which a malicious AS redirects the user to an honest AS, re-using request parameters. (See [arXiv.1601.01229] for details.) Fett & Bradley Expires January 24, 2020 [Page 2] Internet-Draft oauth-ivar July 2019 While TLS protects the integrity of the authorization request, these attacks leverage the fact that an attacker can make a victim's browser visit arbitrary URIs, including those manipulated by the attacker or obtained by the attacker from one of his own interactions with the client. This document describes IVAR, a mechanism for the verification of the integrity and origin of the contents of the authorization request. 1.1. Conventions and Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. This specification uses the terms "access token", "refresh token", "authorization server", "resource server", "authorization endpoint", "authorization request", "authorization response", "token endpoint", "grant type", "access token request", "access token response", and "client" defined by The OAuth 2.0 Authorization Framework [RFC6749]. 2. Concept On a high level, IVAR works as follows: When the client starts a new OAuth authorization flow, it stores the whole authorization URI (or a hash thereof) in the web storage of the resource owner's browser under the client's origin. When the AS received the authorization request, it opens an iframe from a URI the client registered with the AS beforehand. To this "checking" iframe, the AS sends a cross- document message (postMessage) containing the whole authorization request URI as received by the AS. If the URI matches the one stored by the client earlier, the client responds with a message "ok". If not, the AS aborts the transaction. 3. Client Metadata for IVAR Clients that support IVAR register the following metadata parameter in the OAuth 2.0 Dynamic Client Registration Protocol [RFC7591]: "ivar_uri". The content MUST be an https URI from which the checking iframe is loaded by the AS. Fett & Bradley Expires January 24, 2020 [Page 3] Internet-Draft oauth-ivar July 2019 4. Protocol The steps of the IVAR protocol are defined in the following. 4.1. Storing the Authorization Request Before the client redirects the resource owner's browser to the authorization server, the client stores information about the full redirection URI (including query parameters) in the web storage [WebStorage] of the resource owner's browser. It is at the client's discretion to store either the full URI or a hash value of the URI. The data MUST be stored such that it is only accessible to the client's origin. Its contents MUST NOT be modifiable or readable by any other origin. Since multiple OAuth flows may happen in the same browser at the same time, the storage mechanism MUST be able to store multiple entries in parallel. 4.2. IVAR Verification After receiving the authorization request, the AS opens the client's "ivar_uri" in an iframe in its web site. (The client is identified using the "client_id" parameter.) The IVAR iframe script from the client sends a postMessage with the content "ready" to its parent iframe. The AS then sends a postMessage containing the full authorization request URI to the iframe. It is important that the AS limits the intended receiver of this message to the origin of the "ivar_uri" to avoid leaking contents of the authorization request URI to an attacker. The client's script in the iframe then checks if an exact match of the authorization request URI sent by the AS can be found in the list of stored authorization request URIs. If so, it checks that the postMessage containing the URI was received from the origin of the authorization request URI. It then sends the string "ok" in a postMessage to its parent window. It is again important that the intended receiver of this postMessage is set to the authorization request's origin. The AS ensures that the string "ok" is received in a postMessage originating from the IVAR iframe and the correct origin (from the "ivar_uri"). Only then it continues with the authorization flow. Fett & Bradley Expires January 24, 2020 [Page 4] Internet-Draft oauth-ivar July 2019 If any of these steps fail, the AS MUST abort the authorization flow and redirect the browser back to the client with an error value of "ivar_fail". 5. Fallback if JavaScript is unavailable If the resource owner's browser does not support JavaScript, or JavaScript is disabled, the client cannot store the redirection URI. Likewise, the AS cannot run its part of the IVAR protocol. The AS may skip the IVAR checks if, and only if, it detects that the resource owner's browser does not have JavaScript enabled (which is required for IVAR). The respective check for JavaScript support MUST NOT be open to influence by an attacker. An attacker cannot usually disable JavaScript in a user's browser for an origin other than his own. The attacker might, however, trick the uesr's browser into treating the IVAR checking script on the AS's origin as part of a cross-site scripting attack and thus disabling the affected JavaScript. To achieve this, the attacker can add the text representation of the respective JavaScript in a (new) URI parameter. Some browser's cross-site scripting auditing engines string match URI parameters inputs with contents in the source code of the web page. If a match is found, the respective JavaScript is disabled. To avoid disabling of the IVAR checking script by an attacker, AS MUST disable browser-based detection of cross-site scripting using the non-standardized header "X-XSS-Protection: 0" or by sufficiently randomizing the source code of the IVAR checking script. 6. Security Considerations 7. IANA Considerations 8. References 8.1. Normative References [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012, . [RFC7591] Richer, J., Ed., Jones, M., Bradley, J., Machulak, M., and P. Hunt, "OAuth 2.0 Dynamic Client Registration Protocol", RFC 7591, DOI 10.17487/RFC7591, July 2015, . Fett & Bradley Expires January 24, 2020 [Page 5] Internet-Draft oauth-ivar July 2019 8.2. Informative References [arXiv.1601.01229] Fett, D., Kuesters, R., and G. Schmitz, "A Comprehensive Formal Security Analysis of OAuth 2.0", January 2016, . [arXiv.1901.11520] Fett, D., Hosseyni, P., and R. Kuesters, "An Extensive Formal Security Analysis of the OpenID Financial-grade API", January 2019, . [I-D.ietf-oauth-security-topics] Lodderstedt, T., Bradley, J., Labunets, A., and D. Fett, "OAuth 2.0 Security Best Current Practice", draft-ietf- oauth-security-topics-13 (work in progress), July 2019. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [WebStorage] Hickson, I., "Web Storage (Second Edition) - W3C Recommendation 19 April 2016", Apr 2016, . Appendix A. Document History [[ To be removed from the final specification ]] -00 o first draft Authors' Addresses Daniel Fett yes.com Email: mail@danielfett.de Fett & Bradley Expires January 24, 2020 [Page 6] Internet-Draft oauth-ivar July 2019 John Bradley Yubico Email: ve7jtb@ve7jtb.com Fett & Bradley Expires January 24, 2020 [Page 7]