-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pass data via Token Request vs Authorization Code Verification response? #18
Comments
@gRegorLove @mblaney I know it's been a while since you did an AutoAuth implementation, but I wonder if you have any ideas on this issue and potentially #17 |
hi @sknebel, I'm not sure about the minimal version, would we at least need a |
Yes, state would be needed. You implemented the reader side, right? That already needed some small changes for AutoAuth in die authorization endpoint: https://github.com/sknebel/AutoAuth/blob/master/AutoAuth.md#authorization-code-verification-request - note how here lots of parameters are sent to the Auth endpoint - whereas for comparison normal IndieAuth takes minimal parameters and responds with the data: https://indieauth.spec.indieweb.org/#authorization-code-verification-0 |
I'll need to refresh my memory on the whole process, but at an initial glance, I think the |
hi @gRegorLove @sknebel yes I did the reader side, and our demo was very minimal all I did from the authorization endpoint was return |
@mblaney I wasn't sure if doing it that way is a security risk. I can't think of an attack offhand, but I figured that client_id/authorization_endpoint verification had some prior art. It appears it's been there since the original session. Edit 2: It appears to come from https://tools.ietf.org/html/rfc6749#section-3.2.1 Edit 1: I mis-typed before, it's not |
re https://chat.indieweb.org/dev/2019-10-30#t1572460599325500 My use case is having a single token granting endpoint that I can use for all permission grants, both in the IndieAuth and AutoAuth flows. In particular, I am authorizing users for access to resources at the time of resource request, based on the user's identity and scope that are associated with the token. One possible use case of this is having a shared blog which can have multiple authors who submit posts directly via MicroPub (or similar). It seems to me that a single token granting endpoint could cover both the first-party and third-party authorization cases, and the important thing is simply ensuring that both token grants have the necessary parameters sent through on the code verification request. Conceivably it should be reasonable for a token endpoint to simply pass all of the POST parameters along to the GET on the code verification, although this opens up the possibility of the token endpoint being used as part of a reflection/amplification attack on an unrelated web service, so I would prefer to err on the side of whitelisting the necessary parameters. But then that opens up the possibility that some future extension to these protocols (or another as-yet unimagined authorization flow) might need some additional set of parameters to be sent through, which would slow down adoption considerably as the number of implementations grows. |
Right now, details about the token requested is passed in the Token Request, and then sent to the Authorization endpoint to confirm.
Alternatively, it could not be passed there, and only returned in the response to the Authorization Code Verification request, similar to how IndieAuth includes the scopes in the response in the authorization flow.
From some implementer feedback I got, this difference is somewhat confusing, data is passed around more than it maybe has to, and the benefit is unclear.
I think I had some thoughts about making attacks on the auth code harder initially when choosing this, but I think those don't actually apply here.
Right now, the only benefit I could see is some level of validation, e.g. being able to reject clearly invalid requests (with some caveats described in the spec), but that doesn't seem to be a big scenario. Requests that can safely be rejected early will probably be of a type that could only be created through error cases and shouldn't appear often enough to justify special consideration.
Should we switch to the second model, only passing minimal data (maybe the
code
andme
) in the Token Request?The text was updated successfully, but these errors were encountered: