What Do You HATE about OAuth?
Wednesday 2F
Convener: Jusstin R.
Notes-taker(s): Scott Fehrman
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
implicit grant
- originally an optimization for SPA / JavaScript apps
- more of a cross-domain session cookie
- tokens over an insecure channel
- response injection
grant choice
- how to pick the correct grant type / flow
resource owner grant
- security concerns
- native apps that were not capable of opening a browser to reach the authorization server
redelegation
- down scoping
separation of designation and authorization of resource
- can send wrong token to wrong
- confused deputy situation
fuzzy audience restriction
- does not define an audience restriction
- bearer tokens can go anywhere
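An added example (not from the session notes) of what an audience restriction buys: the AS puts an explicit `aud` claim in a signed token and each resource server refuses any token whose `aud` does not name it, so a bearer token minted for one resource cannot be replayed to another, which is the confused-deputy case above. The issuer URL, resource URLs and shared HMAC key are constructed values for the demo; a real AS would sign with an asymmetric key it publishes to the resource servers.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; a real AS would use an asymmetric key published for the RSs.
ISSUER = "https://as.example"
SIGNING_KEY = b"demo-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, audience: str, scope: str, now=None, key: bytes = SIGNING_KEY) -> str:
    """AS side: mint a minimal HS256 JWT whose 'aud' names the intended resource server."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience, "scope": scope,
              "iat": now, "exp": now + 600}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_for_resource(token: str, my_audience: str, now=None, key: bytes = SIGNING_KEY) -> dict:
    """RS side: check signature, issuer, expiry, and that 'aud' names *this* resource.
    Raises ValueError on any failure so a caller cannot accidentally use a bad token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, claims_b64, sig_b64 = parts
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if my_audience not in audiences:
        raise ValueError(f"token audience {audiences} does not include {my_audience}")
    return claims


def accepts(token: str, my_audience: str, now=None) -> bool:
    """Convenience wrapper: True if this resource server would honour the token."""
    try:
        verify_for_resource(token, my_audience, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    tok = mint_token("alice", "https://photos.example", "photos:read", now=1_700_000_000)
    print("photos RS accepts:", accepts(tok, "https://photos.example", now=1_700_000_001))
    print("mail RS accepts:  ", accepts(tok, "https://mail.example", now=1_700_000_001))
```

The same token is accepted by the photos resource and rejected by the mail resource purely on the `aud` claim; without that claim both would accept it, and the RS has no way to tell a token that was meant for it from one that leaked from somewhere else.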
no resource inhibitors
devices and native apps
nonce and state
- state was intended for use by systems that kept state, as a state handle
- code challenge
- bad names
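The authorization code flow with `state` and PKCE, as an added example (not from the session) that shows what these badly named parameters actually do, and why the code flow with PKCE replaces the implicit grant's tokens-in-the-front-channel and response-injection problems listed above: `state` ties the callback to the browser session that started the request, so an injected or replayed response is rejected, and `code_challenge` binds the code to the client instance that requested it, so a code captured from the redirect is useless without the `code_verifier`. Both sides are simulated in one process; the AS URL, `client_id` and redirect URI are constructed values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed identifiers for the demo.
AS_AUTHORIZE = "https://as.example/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example/cb"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(code_verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class Client:
    """Relying party. 'pending' is what the client must remember per browser session."""

    def __init__(self):
        self.pending = {}  # state -> code_verifier

    def start_authorization(self) -> str:
        state = secrets.token_urlsafe(16)            # unguessable, one per request
        verifier = _b64url(secrets.token_bytes(32))  # 43 unreserved characters
        self.pending[state] = verifier
        params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                  "scope": "photos:read", "state": state,
                  "code_challenge": code_challenge_s256(verifier), "code_challenge_method": "S256"}
        return AS_AUTHORIZE + "?" + urlencode(params)

    def handle_callback(self, callback_url: str, auth_server) -> dict:
        q = parse_qs(urlsplit(callback_url).query)
        state = q.get("state", [None])[0]
        if state not in self.pending:
            # No session on this client started the request: CSRF, replay, or injected response.
            raise ValueError("unknown or missing state")
        verifier = self.pending.pop(state)  # single use
        return auth_server.token(code=q["code"][0], code_verifier=verifier,
                                 client_id=CLIENT_ID, redirect_uri=REDIRECT_URI)


class AuthorizationServer:
    def __init__(self):
        self.codes = {}  # code -> what it was issued for

    def authorize(self, request_url: str, user: str) -> str:
        """User has authenticated and consented; issue a code and build the redirect."""
        q = parse_qs(urlsplit(request_url).query)
        if q.get("code_challenge_method", [None])[0] != "S256":
            raise ValueError("PKCE with S256 is required")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"challenge": q["code_challenge"][0], "client_id": q["client_id"][0],
                            "redirect_uri": q["redirect_uri"][0], "user": user}
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, code: str, code_verifier: str, client_id: str, redirect_uri: str) -> dict:
        rec = self.codes.pop(code, None)  # codes are single use
        if rec is None:
            raise ValueError("unknown or already redeemed code")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise ValueError("code was issued to a different client/redirect")
        if not secrets.compare_digest(code_challenge_s256(code_verifier), rec["challenge"]):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 600, "sub": rec["user"]}


def honest_flow() -> dict:
    auth_server, client = AuthorizationServer(), Client()
    callback = auth_server.authorize(client.start_authorization(), "alice")
    return client.handle_callback(callback, auth_server)


def injected_callback_rejected() -> bool:
    """Attacker finishes their own flow and pushes that callback URL into the victim's client."""
    auth_server, victim, attacker = AuthorizationServer(), Client(), Client()
    victim.start_authorization()
    attacker_cb = auth_server.authorize(attacker.start_authorization(), "mallory")
    try:
        victim.handle_callback(attacker_cb, auth_server)
        return False
    except ValueError:
        return True  # state matches no pending request on the victim's client


def stolen_code_rejected() -> bool:
    """Attacker captured the code from the victim's redirect but holds no code_verifier."""
    auth_server, victim = AuthorizationServer(), Client()
    cb = auth_server.authorize(victim.start_authorization(), "alice")
    code = parse_qs(urlsplit(cb).query)["code"][0]
    try:
        auth_server.token(code, code_verifier="guess", client_id=CLIENT_ID, redirect_uri=REDIRECT_URI)
        return False
    except ValueError:
        return True
```

`honest_flow()` completes normally; `injected_callback_rejected()` and `stolen_code_rejected()` each return True, which is the whole point of the two parameters: the first attack fails on the client's `state` check, the second on the AS's PKCE check, and neither depends on the client keeping a secret.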
signed response
- Facebook added this
- avoids the OAuth 1.0 problem of complex crypto
only TLS
no universal grant audit
- common format across flows
- grant management API (AS)
optionality of scopes
scopes are strings
- difficult to parse, unstructured, space-encoded
auth endpoint as GET
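An added example (not from the session) of handling scope strings defensively: a parser that enforces the RFC 6749 scope-token grammar and single-space separation, a helper for the wire form where the spaces arrive as `+` or `%20`, a resource-server coverage check, and the down-scoping intersection from the re-delegation item above. Sample scope values are constructed.

```python
import re
from urllib.parse import parse_qs

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ), i.e. printable ASCII
# except space, double quote and backslash; tokens are separated by single spaces.
_SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")


def parse_scope(scope: str) -> frozenset:
    """Split a scope string into a set of validated tokens; reject anything the grammar forbids."""
    if scope == "":
        return frozenset()
    tokens = scope.split(" ")
    for tok in tokens:
        if tok == "":
            raise ValueError("empty scope token (leading, trailing or doubled space)")
        if not _SCOPE_TOKEN.match(tok):
            raise ValueError(f"invalid scope token {tok!r}")
    return frozenset(tokens)


def scope_from_query(query: str) -> frozenset:
    """Scope as it arrives on the wire: form-encoded, so the spaces show up as '+' or '%20'."""
    values = parse_qs(query, strict_parsing=True).get("scope", [])
    if len(values) != 1:
        raise ValueError("scope parameter must appear exactly once")
    return parse_scope(values[0])


def is_valid_scope(scope: str) -> bool:
    try:
        parse_scope(scope)
        return True
    except ValueError:
        return False


def covers(granted, required) -> bool:
    """Resource-server check: every required token is present in the granted set."""
    return frozenset(required) <= frozenset(granted)


def downscope(granted, requested) -> frozenset:
    """Re-delegation: a client may pass on at most the scopes it holds itself."""
    return frozenset(granted) & frozenset(requested)


if __name__ == "__main__":
    # Constructed request query string: 'read+write%20photos:read' decodes to three tokens.
    granted = scope_from_query("client_id=x&scope=read+write%20photos:read")
    print(sorted(granted))
    print(covers(granted, {"read"}), sorted(downscope(granted, {"write", "admin"})))
```

Treating the result as a set rather than a string is what makes the coverage and down-scoping checks trustworthy; comparing raw strings (`"read write" == "write read"`) or substring-matching (`"read" in "readonly"`) are the usual mistakes.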
revocation doesn’t chain
expires_in …
- useless in the real world
- people use the refresh token
puts too much on the front channel
redirect URI matching
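An added example (not from the session) contrasting the redirect URI check that gets exploited with the one that holds up: exact string comparison against the registered value, with the single allowance from RFC 8252 section 7.3 that a native app's loopback redirect may use any port. The registered and candidate URIs below are constructed.

```python
from urllib.parse import urlsplit

# RFC 8252 section 7.3: native apps may listen on an ephemeral loopback port, so the
# port is ignored for http loopback redirect URIs. Everything else is compared byte for byte.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def _loopback_without_port(uri: str):
    """Return the URI with its port removed if it is an http loopback URI, else None."""
    try:
        p = urlsplit(uri)
        host = p.hostname
    except ValueError:
        return None
    if p.scheme != "http" or host not in LOOPBACK_HOSTS:
        return None
    netloc = f"[{host}]" if ":" in host else host
    return f"{p.scheme}://{netloc}{p.path}" + (f"?{p.query}" if p.query else "")


def is_registered_redirect(candidate: str, registered) -> bool:
    """Accept only an exact string match against a registered URI (plus the loopback port rule)."""
    if "#" in candidate:
        return False  # a redirect URI never carries a fragment
    for reg in registered:
        if candidate == reg:
            return True
        stripped = _loopback_without_port(candidate)
        if stripped is not None and stripped == _loopback_without_port(reg):
            return True
    return False


def naive_prefix_match(candidate: str, registered) -> bool:
    """What many early implementations did, and what open-redirect chains exploit."""
    return any(candidate.startswith(reg) for reg in registered)


if __name__ == "__main__":
    registered = ["https://app.example/cb", "http://127.0.0.1/cb"]
    for uri in ["https://app.example/cb",
                "https://app.example/cb/../admin",
                "https://app.example/cb?next=https://evil.example",
                "http://127.0.0.1:49152/cb"]:
        print(uri, "strict:", is_registered_redirect(uri, registered),
              "prefix:", naive_prefix_match(uri, registered))
```

The prefix matcher accepts the `/../admin` and `?next=` variants, which is exactly the handle an attacker needs to steer the code or token somewhere the client never registered; the strict matcher accepts only the registered string and the loopback port variant.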
multiple Authorization Servers
- a discovery problem
- random AS attacks
- bound discovery
no client notification
- token state changed
dynamic client registration and authorization requests are separate
client instance memory
- redirect token fails, refresh expires
Proof of possession
- not used