Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

V51 - OAuth - DPoP proof replay attack protection #2188

Closed
randomstuff opened this issue Oct 23, 2024 · 4 comments
Closed

V51 - OAuth - DPoP proof replay attack protection #2188

randomstuff opened this issue Oct 23, 2024 · 4 comments
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet V51 Group issues related to OAuth Will be closed if no response/opposite arguments _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@randomstuff
Copy link
Contributor

randomstuff commented Oct 23, 2024
edited
Loading

Should we add some requirement about DPoP proof replay attack protection?

Possible concrete mitigations:

  • use a server-provided nonce
  • limit the window of validity of the DPoP proof
  • "jti" storage

FAPI 2.0 does not require the usage of DPoP server-side nonce:

[authorization servers] if using DPoP, may use the server provided nonce mechanism

if using DPoP, [clients] shall support the server provided nonce mechanism (as defined in Section 8 of [RFC9449]);

FAPI 2.0 has this requirement about "iat" validation (which is valid applicable to DPoP and other JWTs as well) but this actually does not help so much for our purpose:

to accommodate clock offsets, shall accept JWTs with an iat or nbf timestamp between 0 and 10 seconds in the future but shall reject JWTs with an iat or nbf timestamp greater than 60 seconds in the future.
@randomstuff randomstuff mentioned this issue Oct 23, 2024
Closed
@randomstuff
Copy link
Contributor Author

See #2185

@elarlang elarlang added the V51 Group issues related to OAuth label Oct 23, 2024
@tghosth tghosth added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - prep This needs to be addressed to prepare 5.0 labels Oct 24, 2024
@randomstuff
Copy link
Contributor Author

randomstuff commented Oct 25, 2024
edited
Loading

I don't believe, we should require the usage us DPoP nonce (FAPI 2.0 does not require it) or "jti" storage.

Possible options:

  • do not mention this topic at all;
  • only require that some mitigation is in place;
  • require that "iat" validation uses a small window of validity.

@elarlang
Copy link
Collaborator

As we going to write requirements that must be followed by everyone (on a specific level), then I recommend ignoring the topic till we are not 100% sure or it is too specific an edge case with a small impact.

@TobiasAhnoff
Copy link

TobiasAhnoff commented Nov 5, 2024
edited
Loading

I think this does not need to be a requirement, FAPI also recognizes this as an "edge case", given confidential clients and alignment with other FAPI requirements (which we also have for L3), and in https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-6.2 states that

These mitigations may have potential complexity, performance or scalability trade-offs. Attacker type A5 represents a powerful attacker and mitigations may not be necessary for many ecosystems.

So, I vote for "do not mention this topic at all" (even if e g nonce is a good mitigation to implement for some scenarios)

@elarlang elarlang closed this as completed Nov 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet V51 Group issues related to OAuth Will be closed if no response/opposite arguments _5.0 - prep This needs to be addressed to prepare 5.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@randomstuff @TobiasAhnoff @tghosth @elarlang