OAuth Security (Beyond Bearer Tokens)

Session Topic: OAuth Security

Tuesday 4A

Convener: Hannes

Notes-taker(s): Paul Madsen

Hannes set the context, explaining the current bearer security model

Hannes talked about multiple proposals for evolving beyond bearer, all more tightly binding the client to the access token presented to the RS

The proposals included


 * MAC (Eran)


 * SSL Binding (Hannes)


 * JWT (John)

The above differ in the nature of the key (asymmetric or symmetric) and the binding mechanism (message or transport).

Phil pointed about potential issues with a web server clients using different keys for each access token it might be using to a given RS - is there an optimization possible?

Group reviewed the document by Hannes & Phil, which describes use case & security requirements

http://tools.ietf.org/html/draft-tschofenig-oauth-security-00

Distinction between a piece of client software (like a native app downloaded from App Store) and a particular deployed instance of that software was made. Sometimes an RS needs to know that a token is being presented by the latter (ie a particular instance as opposed to simply a member of the larger class.)

Distinction between identification & correlation was made. The latter is simply recognition that a particular request is being sent from the same client as seen before.

Discussion of client signatures getting broken by intermediaries - the more pieces of the message you sign, the greater the potential for breakage. On this issue, Chuck says 'dont sign fluff'.

Justin proposes revitalizing MAC spec.