V51 OAuth: Add verifications for Authorization Server client configuration #2043
Comments
tghosth
added
1) Discussion ongoing
I am not sure about this one. Is that really bad? If the usage of the "client credentials" flow is tightly related to the usage of "code" flow, it might make much sense to only have a single client_id. Moreover, having separate "FooApp B2B", "FooApp User" client IDs would only clutter the list of registered client (in the AS user interface) and would make it more difficult to deprovision a client application: "I disabled FooApp." ,"Did you disable FooApp B2B as well?" |
|
The important thing is "least privilege" client configuration, maybe this is better
I agree that that the "Avoid reusing clients for different purposes (allowing e g both 'code' and 'client-credentials' for a given client)"-remark makes sense in some scenarios, but in other contexts it does not. The thing I wanted to point out with that remark was that combining grants (code and client-credentials) in one client (to limit No of clients) might give users access to scopes (if not using PAR) that only system integrations should be granted, which is problematic if authorization is based on just a valid token and scopes... But that is in a way addressed by
Maybe modify that to
|
|
Does it really matter if a client supports this or not? Isn’t the real issue regarding whether or not the authorization server supports this?
|
|
I believe both aspects are important for limiting attack vectors, the reason for not suggesting a separate AS verification like
is that many AS supports this today and it is unlikely to change in the near future, so all you can do as an application developer is to assert that your client configuration does not allow for using those flows. In example, if multiple flows are allowed, an attacker could by simply adding "token" to the "id-token" or "code" authorization-request or change it to "password", extract an access-token or initiate ROPC (PAR mitigates this) I agree that ASVS should make it clear that AS should no longer support Implicit and ROPC flows, perhaps this could be expressed better than in the note? |
|
Proposed it in #2048 (comment) but I thik it belongs here:
(requires wordsmithing) edit: I think it is already discussed in |
|
Let's move on with those:
|
@elarlang I read this as "Verify that a given (unique) OAuth/OIDC client is used according to least privilege, for a single application scope". Is that correct? Then I think it belongs to the Client section more than the Authorization Server section. |
|
I would not put least privilege topic into this, just unique. The client only uses what is configured for it and can not control, how it is configured. In my opinion it is authorization server responsibility to configure it correctly. edit: my context is 1st party solutions, it may be a different need when clients can register themselves on 3rd party solutions. |
|
A bit update to this one:
(note for myself: it replaces 51.1.6 (and the number is maybe changed for that time) This requirement is a bit vague. By principle I can understand that you should not have more permissions than you need, but how do I test it?
usual ping @randomstuff @TobiasAhnoff :) |
elarlang
added
the
4) proposal for review
“required” in this sentence feels a bit weird to me. Is that clear enough? Maybe something like: “Verify that for a given client, the authorization server only allows the usage of grants that this client actually needs to use." |
I think we somehow need to send clear message, about password grant etc.
Should we keep "the note", have a separate requirement or there is some good reason to not have it covered at all? |
|
I think adding it as a note captures that they are both omitted from best current practices, https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-10, where ROPC must not be used while Implicit should not be used.
|
Yes, perhaps this is better?
|
|
I think the scope and grant topics are different enough to keep them separate. And merging them does not answer my questions
|
|
This I'll handle with PR tomorrow.
edit: PR done and the current state is:
The requirement above is subject to finetune via #2047. This one is still waiting to be inserted into the document, but I think it should be a bit more descriptive, why it exists or what problem it solves.
|
elarlang
removed
the
4) proposal for review
One way to test this is to try add more scopes to the auth request, then use the more powerful token in API requests and see if you are allowed to access resources you should not have access to.
Configuration of scopes for clients is one case where least privilege is important, but sometimes forgotten, and I think it is good to have something in ASVS that address this, to mitigate the risk of "unexpected" privilege escalation for a user/client. |
|
A bit different wording
|
|
Maybe
Could be extended:
in order to include RAR and resource indicators. |
|
request and assigned are different things and requirements For me, current requirement focuses what is available for this OAuth client. Another topic is, what is the client requesting for certain action. |
This is addressed in #2044 by having
But it can be replaced by the requirement suggested here
Yes, that is the intent, if not using PAR, the client is not in control of the requested scopes using the code flow, the user/attacker is, we can only limit the set of allowed scopes configured for the client...which is addressed by:
Perhaps both requirements can be made shorter as "only required" and "least privilege" says the same thing or is it good to have "least privilege"?
|
|
Trying to make them more understandable for "out of context". Section OAuth Authorization Server
Section OAuth Client
|
elarlang
added
the
4) proposal for review
|
Via #2124 V51.2 OAuth Authorization Server
V51.3 OAuth Client
|
elarlang
added
6) PR awaiting review
and removed
4) proposal for review
|
Requirements are now in. In case those need additional improvement, it's better to open a separate issue. |
The following verifications are suggested to address least privilege client configuration for the Authorization Server and to follow recommendations from https://oauth.net/2.1/ (not to use ROPC or Implicit flows).
Note that not using the ROPC flow is addressed in 51.1.6, but if the verifications in this issue and in #2041 are added then 51.1.6 is included and could be replaced/removed.
V51.2 Authorization Server
Verify that all clients are configured to only allow the required grant. Avoid reusing clients for different purposes (allowing e g both 'code' and 'client-credentials' for a given client). Note that the grants 'token' (Implicit flow) and 'password' (Resource Owner Password Credentials flow) should no longer be supported for any client. (L1, L2, L3)
Verify that allowed scopes for each client asserts least privilege. (L1, L2, L3)
The text was updated successfully, but these errors were encountered: