GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


rfc:rfc6819

Internet Engineering Task Force (IETF) T. Lodderstedt, Ed. Request for Comments: 6819 Deutsche Telekom AG Category: Informational M. McGloin ISSN: 2070-1721 IBM

                                                               P. Hunt
                                                    Oracle Corporation
                                                          January 2013
         OAuth 2.0 Threat Model and Security Considerations

Abstract

 This document gives additional security considerations for OAuth,
 beyond those in the OAuth 2.0 specification, based on a comprehensive
 threat model for the OAuth 2.0 protocol.

Status of This Memo

 This document is not an Internet Standards Track specification; it is
 published for informational purposes.
 This document is a product of the Internet Engineering Task Force
 (IETF).  It represents the consensus of the IETF community.  It has
 received public review and has been approved for publication by the
 Internet Engineering Steering Group (IESG).  Not all documents
 approved by the IESG are a candidate for any level of Internet
 Standard; see Section 2 of RFC 5741.
 Information about the current status of this document, any errata,
 and how to provide feedback on it may be obtained at
 http://www.rfc-editor.org/info/rfc6819.

Copyright Notice

 Copyright (c) 2013 IETF Trust and the persons identified as the
 document authors.  All rights reserved.
 This document is subject to BCP 78 and the IETF Trust's Legal
 Provisions Relating to IETF Documents
 (http://trustee.ietf.org/license-info) in effect on the date of
 publication of this document.  Please review these documents
 carefully, as they describe your rights and restrictions with respect
 to this document.  Code Components extracted from this document must
 include Simplified BSD License text as described in Section 4.e of
 the Trust Legal Provisions and are provided without warranty as
 described in the Simplified BSD License.

Lodderstedt, et al. Informational [Page 1] RFC 6819 OAuth 2.0 Security January 2013

Table of Contents

 1. Introduction ....................................................6
 2. Overview ........................................................7
    2.1. Scope ......................................................7
    2.2. Attack Assumptions .........................................7
    2.3. Architectural Assumptions ..................................8
         2.3.1. Authorization Servers ...............................8
         2.3.2. Resource Server .....................................9
         2.3.3. Client ..............................................9
 3. Security Features ...............................................9
    3.1. Tokens ....................................................10
         3.1.1. Scope ..............................................11
         3.1.2. Limited Access Token Lifetime ......................11
    3.2. Access Token ..............................................11
    3.3. Refresh Token .............................................11
    3.4. Authorization "code" ......................................12
    3.5. Redirect URI ..............................................13
    3.6. "state" Parameter .........................................13
    3.7. Client Identifier .........................................13
 4. Threat Model ...................................................15
    4.1. Clients ...................................................16
         4.1.1. Threat: Obtaining Client Secrets ...................16
         4.1.2. Threat: Obtaining Refresh Tokens ...................17
         4.1.3. Threat: Obtaining Access Tokens ....................19
         4.1.4. Threat: End-User Credentials Phished Using
                Compromised or Embedded Browser ....................19
         4.1.5. Threat: Open Redirectors on Client .................20
    4.2. Authorization Endpoint ....................................21
         4.2.1. Threat: Password Phishing by Counterfeit
                Authorization Server ...............................21
         4.2.2. Threat: User Unintentionally Grants Too
                Much Access Scope ..................................21
         4.2.3. Threat: Malicious Client Obtains Existing
                Authorization by Fraud .............................22
         4.2.4. Threat: Open Redirector ............................22
    4.3. Token Endpoint ............................................23
         4.3.1. Threat: Eavesdropping Access Tokens ................23
         4.3.2. Threat: Obtaining Access Tokens from
                Authorization Server Database ......................23
         4.3.3. Threat: Disclosure of Client Credentials
                during Transmission ................................23
         4.3.4. Threat: Obtaining Client Secret from
                Authorization Server Database ......................24
         4.3.5. Threat: Obtaining Client Secret by Online Guessing .24

Lodderstedt, et al. Informational [Page 2] RFC 6819 OAuth 2.0 Security January 2013

    4.4. Obtaining Authorization ...................................25
         4.4.1. Authorization "code" ...............................25
                4.4.1.1. Threat: Eavesdropping or Leaking
                         Authorization "codes" .....................25
                4.4.1.2. Threat: Obtaining Authorization "codes"
                         from Authorization Server Database ........26
                4.4.1.3. Threat: Online Guessing of
                         Authorization "codes" .....................27
                4.4.1.4. Threat: Malicious Client Obtains
                         Authorization .............................27
                4.4.1.5. Threat: Authorization "code" Phishing .....29
                4.4.1.6. Threat: User Session Impersonation ........29
                4.4.1.7. Threat: Authorization "code" Leakage
                         through Counterfeit Client ................30
                4.4.1.8. Threat: CSRF Attack against redirect-uri ..32
                4.4.1.9. Threat: Clickjacking Attack against
                         Authorization .............................33
                4.4.1.10. Threat: Resource Owner Impersonation .....33
                4.4.1.11. Threat: DoS Attacks That Exhaust
                          Resources ................................34
                4.4.1.12. Threat: DoS Using Manufactured
                          Authorization "codes" ....................35
                4.4.1.13. Threat: Code Substitution (OAuth Login) ..36
         4.4.2. Implicit Grant .....................................37
                4.4.2.1. Threat: Access Token Leak in
                         Transport/Endpoints .......................37
                4.4.2.2. Threat: Access Token Leak in
                         Browser History ...........................38
                4.4.2.3. Threat: Malicious Client Obtains
                         Authorization .............................38
                4.4.2.4. Threat: Manipulation of Scripts ...........38
                4.4.2.5. Threat: CSRF Attack against redirect-uri ..39
                4.4.2.6. Threat: Token Substitution (OAuth Login) ..39
         4.4.3. Resource Owner Password Credentials ................40
                4.4.3.1. Threat: Accidental Exposure of
                         Passwords at Client Site ..................41
                4.4.3.2. Threat: Client Obtains Scopes
                         without End-User Authorization ............42
                4.4.3.3. Threat: Client Obtains Refresh
                         Token through Automatic Authorization .....42
                4.4.3.4. Threat: Obtaining User Passwords
                         on Transport ..............................43
                4.4.3.5. Threat: Obtaining User Passwords
                         from Authorization Server Database ........43
                4.4.3.6. Threat: Online Guessing ...................43
         4.4.4. Client Credentials .................................44

Lodderstedt, et al. Informational [Page 3] RFC 6819 OAuth 2.0 Security January 2013

    4.5. Refreshing an Access Token ................................44
         4.5.1. Threat: Eavesdropping Refresh Tokens from
                Authorization Server ...............................44
         4.5.2. Threat: Obtaining Refresh Token from
                Authorization Server Database ......................44
         4.5.3. Threat: Obtaining Refresh Token by Online
                Guessing ...........................................45
         4.5.4. Threat: Refresh Token Phishing by
                Counterfeit Authorization Server ...................45
    4.6. Accessing Protected Resources .............................46
         4.6.1. Threat: Eavesdropping Access Tokens on Transport ...46
         4.6.2. Threat: Replay of Authorized Resource
                Server Requests ....................................46
         4.6.3. Threat: Guessing Access Tokens .....................46
         4.6.4. Threat: Access Token Phishing by
                Counterfeit Resource Server ........................47
         4.6.5. Threat: Abuse of Token by Legitimate
                Resource Server or Client ..........................48
         4.6.6. Threat: Leak of Confidential Data in HTTP Proxies ..48
         4.6.7. Threat: Token Leakage via Log Files and
                HTTP Referrers .....................................48
 5. Security Considerations ........................................49
    5.1. General ...................................................49
         5.1.1. Ensure Confidentiality of Requests .................49
         5.1.2. Utilize Server Authentication ......................50
         5.1.3. Always Keep the Resource Owner Informed ............50
         5.1.4. Credentials ........................................51
                5.1.4.1. Enforce Credential Storage
                         Protection Best Practices .................51
                5.1.4.2. Online Attacks on Secrets .................52
         5.1.5. Tokens (Access, Refresh, Code) .....................53
                5.1.5.1. Limit Token Scope .........................53
                5.1.5.2. Determine Expiration Time .................54
                5.1.5.3. Use Short Expiration Time .................54
                5.1.5.4. Limit Number of Usages or One-Time Usage ..55
                5.1.5.5. Bind Tokens to a Particular
                         Resource Server (Audience) ................55
                5.1.5.6. Use Endpoint Address as Token Audience ....56
                5.1.5.7. Use Explicitly Defined Scopes for
                         Audience and Tokens .......................56
                5.1.5.8. Bind Token to Client id ...................56
                5.1.5.9. Sign Self-Contained Tokens ................56
                5.1.5.10. Encrypt Token Content ....................56
                5.1.5.11. Adopt a Standard Assertion Format ........57
         5.1.6. Access Tokens ......................................57

Lodderstedt, et al. Informational [Page 4] RFC 6819 OAuth 2.0 Security January 2013

    5.2. Authorization Server ......................................57
         5.2.1. Authorization "codes" ..............................57
                5.2.1.1. Automatic Revocation of Derived
                         Tokens If Abuse Is Detected ...............57
         5.2.2. Refresh Tokens .....................................57
                5.2.2.1. Restricted Issuance of Refresh Tokens .....57
                5.2.2.2. Binding of Refresh Token to "client_id" ...58
                5.2.2.3. Refresh Token Rotation ....................58
                5.2.2.4. Revocation of Refresh Tokens ..............58
                5.2.2.5. Device Identification .....................59
                5.2.2.6. X-FRAME-OPTIONS Header ....................59
         5.2.3. Client Authentication and Authorization ............59
                5.2.3.1. Don't Issue Secrets to Clients with
                         Inappropriate Security Policy .............60
                5.2.3.2. Require User Consent for Public
                         Clients without Secret ....................60
                5.2.3.3. Issue a "client_id" Only in
                         Combination with "redirect_uri" ...........61
                5.2.3.4. Issue Installation-Specific Client
                         Secrets ...................................61
                5.2.3.5. Validate Pre-Registered "redirect_uri" ....62
                5.2.3.6. Revoke Client Secrets .....................63
                5.2.3.7. Use Strong Client Authentication
                         (e.g., client_assertion/client_token) .....63
         5.2.4. End-User Authorization .............................63
                5.2.4.1. Automatic Processing of Repeated
                         Authorizations Requires Client Validation .63
                5.2.4.2. Informed Decisions Based on Transparency ..63
                5.2.4.3. Validation of Client Properties by
                         End User ..................................64
                5.2.4.4. Binding of Authorization "code" to
                         "client_id" ...............................64
                5.2.4.5. Binding of Authorization "code" to
                         "redirect_uri" ............................64
    5.3. Client App Security .......................................65
         5.3.1. Don't Store Credentials in Code or
                Resources Bundled with Software Packages ...........65
         5.3.2. Use Standard Web Server Protection Measures
                (for Config Files and Databases) ...................65
         5.3.3. Store Secrets in Secure Storage ....................65
         5.3.4. Utilize Device Lock to Prevent Unauthorized
                Device Access ......................................66
         5.3.5. Link the "state" Parameter to User Agent Session ...66
    5.4. Resource Servers ..........................................66
         5.4.1. Authorization Headers ..............................66
         5.4.2. Authenticated Requests .............................67
         5.4.3. Signed Requests ....................................67
    5.5. A Word on User Interaction and User-Installed Apps ........68

Lodderstedt, et al. Informational [Page 5] RFC 6819 OAuth 2.0 Security January 2013

 6. Acknowledgements ...............................................69
 7. References .....................................................69
    7.1. Normative References ......................................69
    7.2. Informative References ....................................69

1. Introduction

 This document gives additional security considerations for OAuth,
 beyond those in the OAuth specification, based on a comprehensive
 threat model for the OAuth 2.0 protocol [RFC6749].  It contains the
 following content:
 o  Documents any assumptions and scope considered when creating the
    threat model.
 o  Describes the security features built into the OAuth protocol and
    how they are intended to thwart attacks.
 o  Gives a comprehensive threat model for OAuth and describes the
    respective countermeasures to thwart those threats.
 Threats include any intentional attacks on OAuth tokens and resources
 protected by OAuth tokens, as well as security risks introduced if
 the proper security measures are not put in place.  Threats are
 structured along the lines of the protocol structure to help
 development teams implement each part of the protocol securely, for
 example, all threats for granting access, or all threats for a
 particular grant type, or all threats for protecting the resource
 server.
 Note: This document cannot assess the probability or the risk
 associated with a particular threat because those aspects strongly
 depend on the particular application and deployment OAuth is used to
 protect.  Similarly, impacts are given on a rather abstract level.
 But the information given here may serve as a foundation for
 deployment-specific threat models.  Implementors may refine and
 detail the abstract threat model in order to account for the specific
 properties of their deployment and to come up with a risk analysis.
 As this document is based on the base OAuth 2.0 specification, it
 does not consider proposed extensions such as client registration or
 discovery, many of which are still under discussion.

Lodderstedt, et al. Informational [Page 6] RFC 6819 OAuth 2.0 Security January 2013

2. Overview

2.1. Scope

 This security considerations document only considers clients bound to
 a particular deployment as supported by [RFC6749].  Such deployments
 have the following characteristics:
 o  Resource server URLs are static and well-known at development
    time; authorization server URLs can be static or discovered.
 o  Token scope values (e.g., applicable URLs and methods) are well-
    known at development time.
 o  Client registration is out of scope of the current core
    specification.  Therefore, this document assumes a broad variety
    of options, from static registration during development time to
    dynamic registration at runtime.
 The following are considered out of scope:
 o  Communication between the authorization server and resource
    server.
 o  Token formats.
 o  Except for the resource owner password credentials grant type (see
    [RFC6749], Section 4.3), the mechanism used by authorization
    servers to authenticate the user.
 o  Mechanism by which a user obtained an assertion and any resulting
    attacks mounted as a result of the assertion being false.
 o  Clients not bound to a specific deployment: An example could be a
    mail client with support for contact list access via the portable
    contacts API (see [Portable-Contacts]).  Such clients cannot be
    registered upfront with a particular deployment and should
    dynamically discover the URLs relevant for the OAuth protocol.

2.2. Attack Assumptions

 The following assumptions relate to an attacker and resources
 available to an attacker.  It is assumed that:
 o  the attacker has full access to the network between the client and
    authorization servers and the client and the resource server,
    respectively.  The attacker may eavesdrop on any communications

Lodderstedt, et al. Informational [Page 7] RFC 6819 OAuth 2.0 Security January 2013

    between those parties.  He is not assumed to have access to
    communication between the authorization server and resource
    server.
 o  an attacker has unlimited resources to mount an attack.
 o  two of the three parties involved in the OAuth protocol may
    collude to mount an attack against the 3rd party.  For example,
    the client and authorization server may be under control of an
    attacker and collude to trick a user to gain access to resources.

2.3. Architectural Assumptions

 This section documents assumptions about the features, limitations,
 and design options of the different entities of an OAuth deployment
 along with the security-sensitive data elements managed by those
 entities.  These assumptions are the foundation of the threat
 analysis.
 The OAuth protocol leaves deployments with a certain degree of
 freedom regarding how to implement and apply the standard.  The core
 specification defines the core concepts of an authorization server
 and a resource server.  Both servers can be implemented in the same
 server entity, or they may also be different entities.  The latter is
 typically the case for multi-service providers with a single
 authentication and authorization system and is more typical in
 middleware architectures.

2.3.1. Authorization Servers

 The following data elements are stored or accessible on the
 authorization server:
 o  usernames and passwords
 o  client ids and secrets
 o  client-specific refresh tokens
 o  client-specific access tokens (in the case of handle-based design;
    see Section 3.1)
 o  HTTPS certificate/key
 o  per-authorization process (in the case of handle-based design;
    Section 3.1): "redirect_uri", "client_id", authorization "code"

Lodderstedt, et al. Informational [Page 8] RFC 6819 OAuth 2.0 Security January 2013

2.3.2. Resource Server

 The following data elements are stored or accessible on the resource
 server:
 o  user data (out of scope)
 o  HTTPS certificate/key
 o  either authorization server credentials (handle-based design; see
    Section 3.1) or authorization server shared secret/public key
    (assertion-based design; see Section 3.1)
 o  access tokens (per request)
 It is assumed that a resource server has no knowledge of refresh
 tokens, user passwords, or client secrets.

2.3.3. Client

 In OAuth, a client is an application making protected resource
 requests on behalf of the resource owner and with its authorization.
 There are different types of clients with different implementation
 and security characteristics, such as web, user-agent-based, and
 native applications.  A full definition of the different client types
 and profiles is given in [RFC6749], Section 2.1.
 The following data elements are stored or accessible on the client:
 o  client id (and client secret or corresponding client credential)
 o  one or more refresh tokens (persistent) and access tokens
    (transient) per end user or other security-context or delegation
    context
 o  trusted certification authority (CA) certificates (HTTPS)
 o  per-authorization process: "redirect_uri", authorization "code"

3. Security Features

 These are some of the security features that have been built into the
 OAuth 2.0 protocol to mitigate attacks and security issues.

Lodderstedt, et al. Informational [Page 9] RFC 6819 OAuth 2.0 Security January 2013

3.1. Tokens

 OAuth makes extensive use of many kinds of tokens (access tokens,
 refresh tokens, authorization "codes").  The information content of a
 token can be represented in two ways, as follows:
 Handle (or artifact)  A 'handle' is a reference to some internal data
    structure within the authorization server; the internal data
    structure contains the attributes of the token, such as user id
    (UID), scope, etc.  Handles enable simple revocation and do not
    require cryptographic mechanisms to protect token content from
    being modified.  On the other hand, handles require communication
    between the issuing and consuming entity (e.g., the authorization
    server and resource server) in order to validate the token and
    obtain token-bound data.  This communication might have a negative
    impact on performance and scalability if both entities reside on
    different systems.  Handles are therefore typically used if the
    issuing and consuming entity are the same.  A 'handle' token is
    often referred to as an 'opaque' token because the resource server
    does not need to be able to interpret the token directly; it
    simply uses the token.
 Assertion (aka self-contained token)  An assertion is a parseable
    token.  An assertion typically has a duration, has an audience,
    and is digitally signed in order to ensure data integrity and
    origin authentication.  It contains information about the user and
    the client.  Examples of assertion formats are Security Assertion
    Markup Language (SAML) assertions [OASIS.saml-core-2.0-os] and
    Kerberos tickets [RFC4120].  Assertions can typically be directly
    validated and used by a resource server without interactions with
    the authorization server.  This results in better performance and
    scalability in deployments where the issuing and consuming
    entities reside on different systems.  Implementing token
    revocation is more difficult with assertions than with handles.
 Tokens can be used in two ways to invoke requests on resource
 servers, as follows:
 bearer token  A 'bearer token' is a token that can be used by any
    client who has received the token (e.g., [RFC6750]).  Because mere
    possession is enough to use the token, it is important that
    communication between endpoints be secured to ensure that only
    authorized endpoints may capture the token.  The bearer token is
    convenient for client applications, as it does not require them to
    do anything to use them (such as a proof of identity).  Bearer
    tokens have similar characteristics to web single-sign-on (SSO)
    cookies used in browsers.

Lodderstedt, et al. Informational [Page 10] RFC 6819 OAuth 2.0 Security January 2013

 proof token  A 'proof token' is a token that can only be used by a
    specific client.  Each use of the token requires the client to
    perform some action that proves that it is the authorized user of
    the token.  Examples of this are MAC-type access tokens, which
    require the client to digitally sign the resource request with a
    secret corresponding to the particular token sent with the request
    (e.g., [OAuth-HTTP-MAC]).

3.1.1. Scope

 A scope represents the access authorization associated with a
 particular token with respect to resource servers, resources, and
 methods on those resources.  Scopes are the OAuth way to explicitly
 manage the power associated with an access token.  A scope can be
 controlled by the authorization server and/or the end user in order
 to limit access to resources for OAuth clients that these parties
 deem less secure or trustworthy.  Optionally, the client can request
 the scope to apply to the token but only for a lesser scope than
 would otherwise be granted, e.g., to reduce the potential impact if
 this token is sent over non-secure channels.  A scope is typically
 complemented by a restriction on a token's lifetime.

3.1.2. Limited Access Token Lifetime

 The protocol parameter "expires_in" allows an authorization server
 (based on its policies or on behalf of the end user) to limit the
 lifetime of an access token and to pass this information to the
 client.  This mechanism can be used to issue short-lived tokens to
 OAuth clients that the authorization server deems less secure, or
 where sending tokens over non-secure channels.

3.2. Access Token

 An access token is used by a client to access a resource.  Access
 tokens typically have short life spans (minutes or hours) that cover
 typical session lifetimes.  An access token may be refreshed through
 the use of a refresh token.  The short lifespan of an access token,
 in combination with the usage of refresh tokens, enables the
 possibility of passive revocation of access authorization on the
 expiry of the current access token.

3.3. Refresh Token

 A refresh token represents a long-lasting authorization of a certain
 client to access resources on behalf of a resource owner.  Such
 tokens are exchanged between the client and authorization server
 only.  Clients use this kind of token to obtain ("refresh") new
 access tokens used for resource server invocations.

Lodderstedt, et al. Informational [Page 11] RFC 6819 OAuth 2.0 Security January 2013

 A refresh token, coupled with a short access token lifetime, can be
 used to grant longer access to resources without involving end-user
 authorization.  This offers an advantage where resource servers and
 authorization servers are not the same entity, e.g., in a distributed
 environment, as the refresh token is always exchanged at the
 authorization server.  The authorization server can revoke the
 refresh token at any time, causing the granted access to be revoked
 once the current access token expires.  Because of this, a short
 access token lifetime is important if timely revocation is a high
 priority.
 The refresh token is also a secret bound to the client identifier and
 client instance that originally requested the authorization; the
 refresh token also represents the original resource owner grant.
 This is ensured by the authorization process as follows:
 1.  The resource owner and user agent safely deliver the
     authorization "code" to the client instance in the first place.
 2.  The client uses it immediately in secure transport-level
     communications to the authorization server and then securely
     stores the long-lived refresh token.
 3.  The client always uses the refresh token in secure transport-
     level communications to the authorization server to get an access
     token (and optionally roll over the refresh token).
 So, as long as the confidentiality of the particular token can be
 ensured by the client, a refresh token can also be used as an
 alternative means to authenticate the client instance itself.

3.4. Authorization "code"

 An authorization "code" represents the intermediate result of a
 successful end-user authorization process and is used by the client
 to obtain access and refresh tokens.  Authorization "codes" are sent
 to the client's redirect URI instead of tokens for two purposes:
 1.  Browser-based flows expose protocol parameters to potential
     attackers via URI query parameters (HTTP referrer), the browser
     cache, or log file entries, and could be replayed.  In order to
     reduce this threat, short-lived authorization "codes" are passed
     instead of tokens and exchanged for tokens over a more secure
     direct connection between the client and the authorization
     server.

Lodderstedt, et al. Informational [Page 12] RFC 6819 OAuth 2.0 Security January 2013

 2.  It is much simpler to authenticate clients during the direct
     request between the client and the authorization server than in
     the context of the indirect authorization request.  The latter
     would require digital signatures.

3.5. Redirect URI

 A redirect URI helps to detect malicious clients and prevents
 phishing attacks from clients attempting to trick the user into
 believing the phisher is the client.  The value of the actual
 redirect URI used in the authorization request has to be presented
 and is verified when an authorization "code" is exchanged for tokens.
 This helps to prevent attacks where the authorization "code" is
 revealed through redirectors and counterfeit web application clients.
 The authorization server should require public clients and
 confidential clients using the implicit grant type to pre-register
 their redirect URIs and validate against the registered redirect URI
 in the authorization request.

3.6. "state" Parameter

 The "state" parameter is used to link requests and callbacks to
 prevent cross-site request forgery attacks (see Section 4.4.1.8)
 where an attacker authorizes access to his own resources and then
 tricks a user into following a redirect with the attacker's token.
 This parameter should bind to the authenticated state in a user agent
 and, as per the core OAuth spec, the user agent must be capable of
 keeping it in a location accessible only by the client and user
 agent, i.e., protected by same-origin policy.

3.7. Client Identifier

 Authentication protocols have typically not taken into account the
 identity of the software component acting on behalf of the end user.
 OAuth does this in order to increase the security level in delegated
 authorization scenarios and because the client will be able to act
 without the user being present.
 OAuth uses the client identifier to collate associated requests to
 the same originator, such as
 o  a particular end-user authorization process and the corresponding
    request on the token's endpoint to exchange the authorization
    "code" for tokens, or

Lodderstedt, et al. Informational [Page 13] RFC 6819 OAuth 2.0 Security January 2013

 o  the initial authorization and issuance of a token by an end user
    to a particular client, and subsequent requests by this client to
    obtain tokens without user consent (automatic processing of
    repeated authorizations)
 This identifier may also be used by the authorization server to
 display relevant registration information to a user when requesting
 consent for a scope requested by a particular client.  The client
 identifier may be used to limit the number of requests for a
 particular client or to charge the client per request.  It may
 furthermore be useful to differentiate access by different clients,
 e.g., in server log files.
 OAuth defines two client types, confidential and public, based on
 their ability to authenticate with the authorization server (i.e.,
 ability to maintain the confidentiality of their client credentials).
 Confidential clients are capable of maintaining the confidentiality
 of client credentials (i.e., a client secret associated with the
 client identifier) or capable of secure client authentication using
 other means, such as a client assertion (e.g., SAML) or key
 cryptography.  The latter is considered more secure.
 The authorization server should determine whether the client is
 capable of keeping its secret confidential or using secure
 authentication.  Alternatively, the end user can verify the identity
 of the client, e.g., by only installing trusted applications.  The
 redirect URI can be used to prevent the delivery of credentials to a
 counterfeit client after obtaining end-user authorization in some
 cases but can't be used to verify the client identifier.
 Clients can be categorized as follows based on the client type,
 profile (e.g., native vs. web application; see [RFC6749], Section 9),
 and deployment model:
 Deployment-independent "client_id" with pre-registered "redirect_uri"
    and without "client_secret"  Such an identifier is used by
    multiple installations of the same software package.  The
    identifier of such a client can only be validated with the help of
    the end-user.  This is a viable option for native applications in
    order to identify the client for the purpose of displaying meta
    information about the client to the user and to differentiate
    clients in log files.  Revocation of the rights associated with
    such a client identifier will affect ALL deployments of the
    respective software.

Lodderstedt, et al. Informational [Page 14] RFC 6819 OAuth 2.0 Security January 2013

 Deployment-independent "client_id" with pre-registered "redirect_uri"
    and with "client_secret"  This is an option for native
    applications only, since web applications would require different
    redirect URIs.  This category is not advisable because the client
    secret cannot be protected appropriately (see Section 4.1.1).  Due
    to its security weaknesses, such client identities have the same
    trust level as deployment-independent clients without secrets.
    Revocation will affect ALL deployments.
 Deployment-specific "client_id" with pre-registered "redirect_uri"
    and with "client_secret"  The client registration process ensures
    the validation of the client's properties, such as redirect URI,
    web site URL, web site name, and contacts.  Such a client
    identifier can be utilized for all relevant use cases cited above.
    This level can be achieved for web applications in combination
    with a manual or user-bound registration process.  Achieving this
    level for native applications is much more difficult.  Either the
    installation of the application is conducted by an administrator,
    who validates the client's authenticity, or the process from
    validating the application to the installation of the application
    on the device and the creation of the client credentials is
    controlled end-to-end by a single entity (e.g., application market
    provider).  Revocation will affect a single deployment only.
 Deployment-specific "client_id" with "client_secret" without
    validated properties  Such a client can be recognized by the
    authorization server in transactions with subsequent requests
    (e.g., authorization and token issuance, refresh token issuance,
    and access token refreshment).  The authorization server cannot
    assure any property of the client to end users.  Automatic
    processing of re-authorizations could be allowed as well.  Such
    client credentials can be generated automatically without any
    validation of client properties, which makes it another option,
    especially for native applications.  Revocation will affect a
    single deployment only.

4. Threat Model

 This section gives a comprehensive threat model of OAuth 2.0.
 Threats are grouped first by attacks directed against an OAuth
 component, which are the client, authorization server, and resource
 server.  Subsequently, they are grouped by flow, e.g., obtain token
 or access protected resources.  Every countermeasure description
 refers to a detailed description in Section 5.

Lodderstedt, et al. Informational [Page 15] RFC 6819 OAuth 2.0 Security January 2013

4.1. Clients

 This section describes possible threats directed to OAuth clients.

4.1.1. Threat: Obtaining Client Secrets

 The attacker could try to get access to the secret of a particular
 client in order to:
 o  replay its refresh tokens and authorization "codes", or
 o  obtain tokens on behalf of the attacked client with the privileges
    of that "client_id" acting as an instance of the client.
 The resulting impact would be the following:
 o  Client authentication of access to the authorization server can be
    bypassed.
 o  Stolen refresh tokens or authorization "codes" can be replayed.
 Depending on the client category, the following attacks could be
 utilized to obtain the client secret.
 Attack: Obtain Secret From Source Code or Binary:
 This applies for all client types.  For open source projects, secrets
 can be extracted directly from source code in their public
 repositories.  Secrets can be extracted from application binaries
 just as easily when the published source is not available to the
 attacker.  Even if an application takes significant measures to
 obfuscate secrets in their application distribution, one should
 consider that the secret can still be reverse-engineered by anyone
 with access to a complete functioning application bundle or binary.
 Countermeasures:
 o  Don't issue secrets to public clients or clients with
    inappropriate security policy (Section 5.2.3.1).
 o  Require user consent for public clients (Section 5.2.3.2).
 o  Use deployment-specific client secrets (Section 5.2.3.4).
 o  Revoke client secrets (Section 5.2.3.6).

Lodderstedt, et al. Informational [Page 16] RFC 6819 OAuth 2.0 Security January 2013

 Attack: Obtain a Deployment-Specific Secret:
 An attacker may try to obtain the secret from a client installation,
 either from a web site (web server) or a particular device (native
 application).
 Countermeasures:
 o  Web server: Apply standard web server protection measures (for
    config files and databases) (see Section 5.3.2).
 o  Native applications: Store secrets in secure local storage
    (Section 5.3.3).
 o  Revoke client secrets (Section 5.2.3.6).

4.1.2. Threat: Obtaining Refresh Tokens

 Depending on the client type, there are different ways that refresh
 tokens may be revealed to an attacker.  The following sub-sections
 give a more detailed description of the different attacks with
 respect to different client types and further specialized
 countermeasures.  Before detailing those threats, here are some
 generally applicable countermeasures:
 o  The authorization server should validate the client id associated
    with the particular refresh token with every refresh request
    (Section 5.2.2.2).
 o  Limit token scope (Section 5.1.5.1).
 o  Revoke refresh tokens (Section 5.2.2.4).
 o  Revoke client secrets (Section 5.2.3.6).
 o  Refresh tokens can automatically be replaced in order to detect
    unauthorized token usage by another party (see "Refresh Token
    Rotation", Section 5.2.2.3).
 Attack: Obtain Refresh Token from Web Application:
 An attacker may obtain the refresh tokens issued to a web application
 by way of overcoming the web server's security controls.
 Impact: Since a web application manages the user accounts of a
 certain site, such an attack would result in an exposure of all
 refresh tokens on that site to the attacker.

Lodderstedt, et al. Informational [Page 17] RFC 6819 OAuth 2.0 Security January 2013

 Countermeasures:
 o  Standard web server protection measures (Section 5.3.2).
 o  Use strong client authentication (e.g., client_assertion/
    client_token) so the attacker cannot obtain the client secret
    required to exchange the tokens (Section 5.2.3.7).
 Attack: Obtain Refresh Token from Native Clients:
 On native clients, leakage of a refresh token typically affects a
 single user only.
 Read from local file system: The attacker could try to get file
 system access on the device and read the refresh tokens.  The
 attacker could utilize a malicious application for that purpose.
 Countermeasures:
 o  Store secrets in secure storage (Section 5.3.3).
 o  Utilize device lock to prevent unauthorized device access
    (Section 5.3.4).
 Attack: Steal Device:
 The host device (e.g., mobile phone) may be stolen.  In that case,
 the attacker gets access to all applications under the identity of
 the legitimate user.
 Countermeasures:
 o  Utilize device lock to prevent unauthorized device access
    (Section 5.3.4).
 o  Where a user knows the device has been stolen, they can revoke the
    affected tokens (Section 5.2.2.4).
 Attack: Clone Device:
 All device data and applications are copied to another device.
 Applications are used as-is on the target device.

Lodderstedt, et al. Informational [Page 18] RFC 6819 OAuth 2.0 Security January 2013

 Countermeasures:
 o  Utilize device lock to prevent unauthorized device access
    (Section 5.3.4).
 o  Combine refresh token request with device identification
    (Section 5.2.2.5).
 o  Refresh token rotation (Section 5.2.2.3).
 o  Where a user knows the device has been cloned, they can use
    refresh token revocation (Section 5.2.2.4).

4.1.3. Threat: Obtaining Access Tokens

 Depending on the client type, there are different ways that access
 tokens may be revealed to an attacker.  Access tokens could be stolen
 from the device if the application stores them in a storage device
 that is accessible to other applications.
 Impact: Where the token is a bearer token and no additional mechanism
 is used to identify the client, the attacker can access all resources
 associated with the token and its scope.
 Countermeasures:
 o  Keep access tokens in transient memory and limit grants
    (Section 5.1.6).
 o  Limit token scope (Section 5.1.5.1).
 o  Keep access tokens in private memory or apply same protection
    means as for refresh tokens (Section 5.2.2).
 o  Keep access token lifetime short (Section 5.1.5.3).

4.1.4. Threat: End-User Credentials Phished Using Compromised or

      Embedded Browser
 A malicious application could attempt to phish end-user passwords by
 misusing an embedded browser in the end-user authorization process,
 or by presenting its own user interface instead of allowing a trusted
 system browser to render the authorization user interface.  By doing
 so, the usual visual trust mechanisms may be bypassed (e.g.,
 Transport Layer Security (TLS) confirmation, web site mechanisms).
 By using an embedded or internal client application user interface,
 the client application has access to additional information to which
 it should not have access (e.g., UID/password).

Lodderstedt, et al. Informational [Page 19] RFC 6819 OAuth 2.0 Security January 2013

 Impact: If the client application or the communication is
 compromised, the user would not be aware of this, and all information
 in the authorization exchange, such as username and password, could
 be captured.
 Countermeasures:
 o  The OAuth flow is designed so that client applications never need
    to know user passwords.  Client applications should avoid directly
    asking users for their credentials.  In addition, end users could
    be educated about phishing attacks and best practices, such as
    only accessing trusted clients, as OAuth does not provide any
    protection against malicious applications and the end user is
    solely responsible for the trustworthiness of any native
    application installed.
 o  Client applications could be validated prior to publication in an
    application market for users to access.  That validation is out of
    scope for OAuth but could include validating that the client
    application handles user authentication in an appropriate way.
 o  Client developers should not write client applications that
    collect authentication information directly from users and should
    instead delegate this task to a trusted system component, e.g.,
    the system browser.

4.1.5. Threat: Open Redirectors on Client

 An open redirector is an endpoint using a parameter to automatically
 redirect a user agent to the location specified by the parameter
 value without any validation.  If the authorization server allows the
 client to register only part of the redirect URI, an attacker can use
 an open redirector operated by the client to construct a redirect URI
 that will pass the authorization server validation but will send the
 authorization "code" or access token to an endpoint under the control
 of the attacker.
 Impact: An attacker could gain access to authorization "codes" or
 access tokens.
 Countermeasures:
 o  Require clients to register full redirect URI (Section 5.2.3.5).

Lodderstedt, et al. Informational [Page 20] RFC 6819 OAuth 2.0 Security January 2013

4.2. Authorization Endpoint

4.2.1. Threat: Password Phishing by Counterfeit Authorization Server

 OAuth makes no attempt to verify the authenticity of the
 authorization server.  A hostile party could take advantage of this
 by intercepting the client's requests and returning misleading or
 otherwise incorrect responses.  This could be achieved using DNS or
 Address Resolution Protocol (ARP) spoofing.  Wide deployment of OAuth
 and similar protocols may cause users to become inured to the
 practice of being redirected to web sites where they are asked to
 enter their passwords.  If users are not careful to verify the
 authenticity of these web sites before entering their credentials, it
 will be possible for attackers to exploit this practice to steal
 users' passwords.
 Countermeasures:
 o  Authorization servers should consider such attacks when developing
    services based on OAuth and should require the use of transport-
    layer security for any requests where the authenticity of the
    authorization server or of request responses is an issue (see
    Section 5.1.2).
 o  Authorization servers should attempt to educate users about the
    risks posed by phishing attacks and should provide mechanisms that
    make it easy for users to confirm the authenticity of their sites.

4.2.2. Threat: User Unintentionally Grants Too Much Access Scope

 When obtaining end-user authorization, the end user may not
 understand the scope of the access being granted and to whom, or they
 may end up providing a client with access to resources that should
 not be permitted.
 Countermeasures:
 o  Explain the scope (resources and the permissions) the user is
    about to grant in an understandable way (Section 5.2.4.2).
 o  Narrow the scope, based on the client.  When obtaining end-user
    authorization and where the client requests scope, the
    authorization server may want to consider whether to honor that
    scope based on the client identifier.  That decision is between
    the client and authorization server and is outside the scope of
    this spec.  The authorization server may also want to consider
    what scope to grant based on the client type, e.g., providing
    lower scope to public clients (Section 5.1.5.1).

Lodderstedt, et al. Informational [Page 21] RFC 6819 OAuth 2.0 Security January 2013

4.2.3. Threat: Malicious Client Obtains Existing Authorization by Fraud

 Authorization servers may wish to automatically process authorization
 requests from clients that have been previously authorized by the
 user.  When the user is redirected to the authorization server's end-
 user authorization endpoint to grant access, the authorization server
 detects that the user has already granted access to that particular
 client.  Instead of prompting the user for approval, the
 authorization server automatically redirects the user back to the
 client.
 A malicious client may exploit that feature and try to obtain such an
 authorization "code" instead of the legitimate client.
 Countermeasures:
 o  Authorization servers should not automatically process repeat
    authorizations to public clients unless the client is validated
    using a pre-registered redirect URI (Section 5.2.3.5).
 o  Authorization servers can mitigate the risks associated with
    automatic processing by limiting the scope of access tokens
    obtained through automated approvals (Section 5.1.5.1).

4.2.4. Threat: Open Redirector

 An attacker could use the end-user authorization endpoint and the
 redirect URI parameter to abuse the authorization server as an open
 redirector.  An open redirector is an endpoint using a parameter to
 automatically redirect a user agent to the location specified by the
 parameter value without any validation.
 Impact: An attacker could utilize a user's trust in an authorization
 server to launch a phishing attack.
 Countermeasures:
 o  Require clients to register any full redirect URIs
    (Section 5.2.3.5).
 o  Don't redirect to a redirect URI if the client identifier or
    redirect URI can't be verified (Section 5.2.3.5).

Lodderstedt, et al. Informational [Page 22] RFC 6819 OAuth 2.0 Security January 2013

4.3. Token Endpoint

4.3.1. Threat: Eavesdropping Access Tokens

 Attackers may attempt to eavesdrop access tokens in transit from the
 authorization server to the client.
 Impact: The attacker is able to access all resources with the
 permissions covered by the scope of the particular access token.
 Countermeasures:
 o  As per the core OAuth spec, the authorization servers must ensure
    that these transmissions are protected using transport-layer
    mechanisms such as TLS (see Section 5.1.1).
 o  If end-to-end confidentiality cannot be guaranteed, reducing scope
    (see Section 5.1.5.1) and expiry time (Section 5.1.5.3) for access
    tokens can be used to reduce the damage in case of leaks.

4.3.2. Threat: Obtaining Access Tokens from Authorization Server

      Database
 This threat is applicable if the authorization server stores access
 tokens as handles in a database.  An attacker may obtain access
 tokens from the authorization server's database by gaining access to
 the database or launching a SQL injection attack.
 Impact: Disclosure of all access tokens.
 Countermeasures:
 o  Enforce system security measures (Section 5.1.4.1.1).
 o  Store access token hashes only (Section 5.1.4.1.3).
 o  Enforce standard SQL injection countermeasures
    (Section 5.1.4.1.2).

4.3.3. Threat: Disclosure of Client Credentials during Transmission

 An attacker could attempt to eavesdrop the transmission of client
 credentials between the client and server during the client
 authentication process or during OAuth token requests.
 Impact: Revelation of a client credential enabling phishing or
 impersonation of a client service.

Lodderstedt, et al. Informational [Page 23] RFC 6819 OAuth 2.0 Security January 2013

 Countermeasures:
 o  The transmission of client credentials must be protected using
    transport-layer mechanisms such as TLS (see Section 5.1.1).
 o  Use alternative authentication means that do not require the
    sending of plaintext credentials over the wire (e.g., Hash-based
    Message Authentication Code).

4.3.4. Threat: Obtaining Client Secret from Authorization Server

      Database
 An attacker may obtain valid "client_id"/secret combinations from the
 authorization server's database by gaining access to the database or
 launching a SQL injection attack.
 Impact: Disclosure of all "client_id"/secret combinations.  This
 allows the attacker to act on behalf of legitimate clients.
 Countermeasures:
 o  Enforce system security measures (Section 5.1.4.1.1).
 o  Enforce standard SQL injection countermeasures
    (Section 5.1.4.1.2).
 o  Ensure proper handling of credentials as per "Enforce Credential
    Storage Protection Best Practices" (Section 5.1.4.1).

4.3.5. Threat: Obtaining Client Secret by Online Guessing

 An attacker may try to guess valid "client_id"/secret pairs.
 Impact: Disclosure of a single "client_id"/secret pair.
 Countermeasures:
 o  Use high entropy for secrets (Section 5.1.4.2.2).
 o  Lock accounts (Section 5.1.4.2.3).
 o  Use strong client authentication (Section 5.2.3.7).

Lodderstedt, et al. Informational [Page 24] RFC 6819 OAuth 2.0 Security January 2013

4.4. Obtaining Authorization

 This section covers threats that are specific to certain flows
 utilized to obtain access tokens.  Each flow is characterized by
 response types and/or grant types on the end-user authorization and
 token endpoint, respectively.

4.4.1. Authorization "code"

4.4.1.1. Threat: Eavesdropping or Leaking Authorization "codes"

 An attacker could try to eavesdrop transmission of the authorization
 "code" between the authorization server and client.  Furthermore,
 authorization "codes" are passed via the browser, which may
 unintentionally leak those codes to untrusted web sites and attackers
 in different ways:
 o  Referrer headers: Browsers frequently pass a "referer" header when
    a web page embeds content, or when a user travels from one web
    page to another web page.  These referrer headers may be sent even
    when the origin site does not trust the destination site.  The
    referrer header is commonly logged for traffic analysis purposes.
 o  Request logs: Web server request logs commonly include query
    parameters on requests.
 o  Open redirectors: Web sites sometimes need to send users to
    another destination via a redirector.  Open redirectors pose a
    particular risk to web-based delegation protocols because the
    redirector can leak verification codes to untrusted destination
    sites.
 o  Browser history: Web browsers commonly record visited URLs in the
    browser history.  Another user of the same web browser may be able
    to view URLs that were visited by previous users.
 Note: A description of similar attacks on the SAML protocol can be
 found at [OASIS.sstc-saml-bindings-1.1], Section 4.1.1.9.1;
 [Sec-Analysis]; and [OASIS.sstc-sec-analysis-response-01].

Lodderstedt, et al. Informational [Page 25] RFC 6819 OAuth 2.0 Security January 2013

 Countermeasures:
 o  As per the core OAuth spec, the authorization server as well as
    the client must ensure that these transmissions are protected
    using transport-layer mechanisms such as TLS (see Section 5.1.1).
 o  The authorization server will require the client to authenticate
    wherever possible, so the binding of the authorization "code" to a
    certain client can be validated in a reliable way (see
    Section 5.2.4.4).
 o  Use short expiry time for authorization "codes" (Section 5.1.5.3).
 o  The authorization server should enforce a one-time usage
    restriction (see Section 5.1.5.4).
 o  If an authorization server observes multiple attempts to redeem an
    authorization "code", the authorization server may want to revoke
    all tokens granted based on the authorization "code" (see
    Section 5.2.1.1).
 o  In the absence of these countermeasures, reducing scope
    (Section 5.1.5.1) and expiry time (Section 5.1.5.3) for access
    tokens can be used to reduce the damage in case of leaks.
 o  The client server may reload the target page of the redirect URI
    in order to automatically clean up the browser cache.

4.4.1.2. Threat: Obtaining Authorization "codes" from Authorization

        Server Database
 This threat is applicable if the authorization server stores
 authorization "codes" as handles in a database.  An attacker may
 obtain authorization "codes" from the authorization server's database
 by gaining access to the database or launching a SQL injection
 attack.
 Impact: Disclosure of all authorization "codes", most likely along
 with the respective "redirect_uri" and "client_id" values.
 Countermeasures:
 o  Best practices for credential storage protection should be
    employed (Section 5.1.4.1).
 o  Enforce system security measures (Section 5.1.4.1.1).

Lodderstedt, et al. Informational [Page 26] RFC 6819 OAuth 2.0 Security January 2013

 o  Store access token hashes only (Section 5.1.4.1.3).
 o  Enforce standard SQL injection countermeasures
    (Section 5.1.4.1.2).

4.4.1.3. Threat: Online Guessing of Authorization "codes"

 An attacker may try to guess valid authorization "code" values and
 send the guessed code value using the grant type "code" in order to
 obtain a valid access token.
 Impact: Disclosure of a single access token and probably also an
 associated refresh token.
 Countermeasures:
 o  Handle-based tokens must use high entropy (Section 5.1.4.2.2).
 o  Assertion-based tokens should be signed (Section 5.1.5.9).
 o  Authenticate the client; this adds another value that the attacker
    has to guess (Section 5.2.3.4).
 o  Bind the authorization "code" to the redirect URI; this adds
    another value that the attacker has to guess (Section 5.2.4.5).
 o  Use short expiry time for tokens (Section 5.1.5.3).

4.4.1.4. Threat: Malicious Client Obtains Authorization

 A malicious client could pretend to be a valid client and obtain an
 access authorization in this way.  The malicious client could even
 utilize screen-scraping techniques in order to simulate a user's
 consent in the authorization flow.
 Assumption: It is not the task of the authorization server to protect
 the end-user's device from malicious software.  This is the
 responsibility of the platform running on the particular device,
 probably in cooperation with other components of the respective
 ecosystem (e.g., an application management infrastructure).  The sole
 responsibility of the authorization server is to control access to
 the end-user's resources maintained in resource servers and to
 prevent unauthorized access to them via the OAuth protocol.  Based on
 this assumption, the following countermeasures are available to cope
 with the threat.

Lodderstedt, et al. Informational [Page 27] RFC 6819 OAuth 2.0 Security January 2013

 Countermeasures:
 o  The authorization server should authenticate the client, if
    possible (see Section 5.2.3.4).  Note: The authentication takes
    place after the end user has authorized the access.
 o  The authorization server should validate the client's redirect URI
    against the pre-registered redirect URI, if one exists (see
    Section 5.2.3.5).  Note: An invalid redirect URI indicates an
    invalid client, whereas a valid redirect URI does not necessarily
    indicate a valid client.  The level of confidence depends on the
    client type.  For web applications, the level of confidence is
    high, since the redirect URI refers to the globally unique network
    endpoint of this application, whose fully qualified domain name
    (FQDN) is also validated using HTTPS server authentication by the
    user agent.  In contrast, for native clients, the redirect URI
    typically refers to device local resources, e.g., a custom scheme.
    So, a malicious client on a particular device can use the valid
    redirect URI the legitimate client uses on all other devices.
 o  After authenticating the end user, the authorization server should
    ask him/her for consent.  In this context, the authorization
    server should explain to the end user the purpose, scope, and
    duration of the authorization the client asked for.  Moreover, the
    authorization server should show the user any identity information
    it has for that client.  It is up to the user to validate the
    binding of this data to the particular application (e.g., Name)
    and to approve the authorization request (see Section 5.2.4.3).
 o  The authorization server should not perform automatic
    re-authorizations for clients it is unable to reliably
    authenticate or validate (see Section 5.2.4.1).
 o  If the authorization server automatically authenticates the end
    user, it may nevertheless require some user input in order to
    prevent screen scraping.  Examples are CAPTCHAs (Completely
    Automated Public Turing tests to tell Computers and Humans Apart)
    or other multi-factor authentication techniques such as random
    questions, token code generators, etc.
 o  The authorization server may also limit the scope of tokens it
    issues to clients it cannot reliably authenticate (see
    Section 5.1.5.1).

Lodderstedt, et al. Informational [Page 28] RFC 6819 OAuth 2.0 Security January 2013

4.4.1.5. Threat: Authorization "code" Phishing

 A hostile party could impersonate the client site and get access to
 the authorization "code".  This could be achieved using DNS or ARP
 spoofing.  This applies to clients, which are web applications; thus,
 the redirect URI is not local to the host where the user's browser is
 running.
 Impact: This affects web applications and may lead to a disclosure of
 authorization "codes" and, potentially, the corresponding access and
 refresh tokens.
 Countermeasures:
 It is strongly recommended that one of the following countermeasures
 be utilized in order to prevent this attack:
 o  The redirect URI of the client should point to an HTTPS-protected
    endpoint, and the browser should be utilized to authenticate this
    redirect URI using server authentication (see Section 5.1.2).
 o  The authorization server should require that the client be
    authenticated, i.e., confidential client, so the binding of the
    authorization "code" to a certain client can be validated in a
    reliable way (see Section 5.2.4.4).

4.4.1.6. Threat: User Session Impersonation

 A hostile party could impersonate the client site and impersonate the
 user's session on this client.  This could be achieved using DNS or
 ARP spoofing.  This applies to clients, which are web applications;
 thus, the redirect URI is not local to the host where the user's
 browser is running.
 Impact: An attacker who intercepts the authorization "code" as it is
 sent by the browser to the callback endpoint can gain access to
 protected resources by submitting the authorization "code" to the
 client.  The client will exchange the authorization "code" for an
 access token and use the access token to access protected resources
 for the benefit of the attacker, delivering protected resources to
 the attacker, or modifying protected resources as directed by the
 attacker.  If OAuth is used by the client to delegate authentication
 to a social site (e.g., as in the implementation of a "Login" button
 on a third-party social network site), the attacker can use the
 intercepted authorization "code" to log into the client as the user.

Lodderstedt, et al. Informational [Page 29] RFC 6819 OAuth 2.0 Security January 2013

 Note: Authenticating the client during authorization "code" exchange
 will not help to detect such an attack, as it is the legitimate
 client that obtains the tokens.
 Countermeasures:
 o  In order to prevent an attacker from impersonating the end-user's
    session, the redirect URI of the client should point to an HTTPS
    protected endpoint, and the browser should be utilized to
    authenticate this redirect URI using server authentication (see
    Section 5.1.2).

4.4.1.7. Threat: Authorization "code" Leakage through Counterfeit

        Client
 The attacker leverages the authorization "code" grant type in an
 attempt to get another user (victim) to log in, authorize access to
 his/her resources, and subsequently obtain the authorization "code"
 and inject it into a client application using the attacker's account.
 The goal is to associate an access authorization for resources of the
 victim with the user account of the attacker on a client site.
 The attacker abuses an existing client application and combines it
 with his own counterfeit client web site.  The attacker depends on
 the victim expecting the client application to request access to a
 certain resource server.  The victim, seeing only a normal request
 from an expected application, approves the request.  The attacker
 then uses the victim's authorization to gain access to the
 information unknowingly authorized by the victim.
 The attacker conducts the following flow:
 1.  The attacker accesses the client web site (or application) and
     initiates data access to a particular resource server.  The
     client web site in turn initiates an authorization request to the
     resource server's authorization server.  Instead of proceeding
     with the authorization process, the attacker modifies the
     authorization server end-user authorization URL as constructed by
     the client to include a redirect URI parameter referring to a web
     site under his control (attacker's web site).
 2.  The attacker tricks another user (the victim) into opening that
     modified end-user authorization URI and authorizing access (e.g.,
     via an email link or blog link).  The way the attacker achieves
     this goal is out of scope.
 3.  Having clicked the link, the victim is requested to authenticate
     and authorize the client site to have access.

Lodderstedt, et al. Informational [Page 30] RFC 6819 OAuth 2.0 Security January 2013

 4.  After completion of the authorization process, the authorization
     server redirects the user agent to the attacker's web site
     instead of the original client web site.
 5.  The attacker obtains the authorization "code" from his web site
     by means that are out of scope of this document.
 6.  He then constructs a redirect URI to the target web site (or
     application) based on the original authorization request's
     redirect URI and the newly obtained authorization "code", and
     directs his user agent to this URL.  The authorization "code" is
     injected into the original client site (or application).
 7.  The client site uses the authorization "code" to fetch a token
     from the authorization server and associates this token with the
     attacker's user account on this site.
 8.  The attacker may now access the victim's resources using the
     client site.
 Impact: The attacker gains access to the victim's resources as
 associated with his account on the client site.
 Countermeasures:
 o  The attacker will need to use another redirect URI for its
    authorization process rather than the target web site because it
    needs to intercept the flow.  So, if the authorization server
    associates the authorization "code" with the redirect URI of a
    particular end-user authorization and validates this redirect URI
    with the redirect URI passed to the token's endpoint, such an
    attack is detected (see Section 5.2.4.5).
 o  The authorization server may also enforce the usage and validation
    of pre-registered redirect URIs (see Section 5.2.3.5).  This will
    allow for early recognition of authorization "code" disclosure to
    counterfeit clients.
 o  For native applications, one could also consider using deployment-
    specific client ids and secrets (see Section 5.2.3.4), along with
    the binding of authorization "codes" to "client_ids" (see
    Section 5.2.4.4) to detect such an attack because the attacker
    does not have access to the deployment-specific secret.  Thus, he
    will not be able to exchange the authorization "code".

Lodderstedt, et al. Informational [Page 31] RFC 6819 OAuth 2.0 Security January 2013

 o  The client may consider using other flows that are not vulnerable
    to this kind of attack, such as the implicit grant type (see
    Section 4.4.2) or resource owner password credentials (see
    Section 4.4.3).

4.4.1.8. Threat: CSRF Attack against redirect-uri

 Cross-site request forgery (CSRF) is a web-based attack whereby HTTP
 requests are transmitted from a user that the web site trusts or has
 authenticated (e.g., via HTTP redirects or HTML forms).  CSRF attacks
 on OAuth approvals can allow an attacker to obtain authorization to
 OAuth protected resources without the consent of the user.
 This attack works against the redirect URI used in the authorization
 "code" flow.  An attacker could authorize an authorization "code" to
 their own protected resources on an authorization server.  He then
 aborts the redirect flow back to the client on his device and tricks
 the victim into executing the redirect back to the client.  The
 client receives the redirect, fetches the token(s) from the
 authorization server, and associates the victim's client session with
 the resources accessible using the token.
 Impact: The user accesses resources on behalf of the attacker.  The
 effective impact depends on the type of resource accessed.  For
 example, the user may upload private items to an attacker's
 resources.  Or, when using OAuth in 3rd-party login scenarios, the
 user may associate his client account with the attacker's identity at
 the external Identity Provider.  In this way, the attacker could
 easily access the victim's data at the client by logging in from
 another device with his credentials at the external Identity
 Provider.
 Countermeasures:
 o  The "state" parameter should be used to link the authorization
    request with the redirect URI used to deliver the access token
    (Section 5.3.5).
 o  Client developers and end users can be educated to not follow
    untrusted URLs.

Lodderstedt, et al. Informational [Page 32] RFC 6819 OAuth 2.0 Security January 2013

4.4.1.9. Threat: Clickjacking Attack against Authorization

 With clickjacking, a malicious site loads the target site in a
 transparent iFrame (see [iFrame]) overlaid on top of a set of dummy
 buttons that are carefully constructed to be placed directly under
 important buttons on the target site.  When a user clicks a visible
 button, they are actually clicking a button (such as an "Authorize"
 button) on the hidden page.
 Impact: An attacker can steal a user's authentication credentials and
 access their resources.
 Countermeasures:
 o  For newer browsers, avoidance of iFrames during authorization can
    be enforced on the server side by using the X-FRAME-OPTIONS header
    (Section 5.2.2.6).
 o  For older browsers, JavaScript frame-busting (see [Framebusting])
    techniques can be used but may not be effective in all browsers.

4.4.1.10. Threat: Resource Owner Impersonation

 When a client requests access to protected resources, the
 authorization flow normally involves the resource owner's explicit
 response to the access request, either granting or denying access to
 the protected resources.  A malicious client can exploit knowledge of
 the structure of this flow in order to gain authorization without the
 resource owner's consent, by transmitting the necessary requests
 programmatically and simulating the flow against the authorization
 server.  That way, the client may gain access to the victim's
 resources without her approval.  An authorization server will be
 vulnerable to this threat if it uses non-interactive authentication
 mechanisms or splits the authorization flow across multiple pages.
 The malicious client might embed a hidden HTML user agent, interpret
 the HTML forms sent by the authorization server, and automatically
 send the corresponding form HTTP POST requests.  As a prerequisite,
 the attacker must be able to execute the authorization process in the
 context of an already-authenticated session of the resource owner
 with the authorization server.  There are different ways to achieve
 this:
 o  The malicious client could abuse an existing session in an
    external browser or cross-browser cookies on the particular
    device.

Lodderstedt, et al. Informational [Page 33] RFC 6819 OAuth 2.0 Security January 2013

 o  The malicious client could also request authorization for an
    initial scope acceptable to the user and then silently abuse the
    resulting session in his browser instance to "silently" request
    another scope.
 o  Alternatively, the attacker might exploit an authorization
    server's ability to authenticate the resource owner automatically
    and without user interactions, e.g., based on certificates.
 In all cases, such an attack is limited to clients running on the
 victim's device, either within the user agent or as a native app.
 Please note: Such attacks cannot be prevented using CSRF
 countermeasures, since the attacker just "executes" the URLs as
 prepared by the authorization server including any nonce, etc.
 Countermeasures:
 Authorization servers should decide, based on an analysis of the risk
 associated with this threat, whether to detect and prevent this
 threat.
 In order to prevent such an attack, the authorization server may
 force a user interaction based on non-predictable input values as
 part of the user consent approval.  The authorization server could
 o  combine password authentication and user consent in a single form,
 o  make use of CAPTCHAs, or
 o  use one-time secrets sent out of band to the resource owner (e.g.,
    via text or instant message).
 Alternatively, in order to allow the resource owner to detect abuse,
 the authorization server could notify the resource owner of any
 approval by appropriate means, e.g., text or instant message, or
 email.

4.4.1.11. Threat: DoS Attacks That Exhaust Resources

 If an authorization server includes a nontrivial amount of entropy in
 authorization "codes" or access tokens (limiting the number of
 possible codes/tokens) and automatically grants either without user
 intervention and has no limit on codes or access tokens per user, an
 attacker could exhaust the pool of authorization "codes" by
 repeatedly directing the user's browser to request authorization
 "codes" or access tokens.

Lodderstedt, et al. Informational [Page 34] RFC 6819 OAuth 2.0 Security January 2013

 Countermeasures:
 o  The authorization server should consider limiting the number of
    access tokens granted per user.
 o  The authorization server should include a nontrivial amount of
    entropy in authorization "codes".

4.4.1.12. Threat: DoS Using Manufactured Authorization "codes"

 An attacker who owns a botnet can locate the redirect URIs of clients
 that listen on HTTP, access them with random authorization "codes",
 and cause a large number of HTTPS connections to be concentrated onto
 the authorization server.  This can result in a denial-of-service
 (DoS) attack on the authorization server.
 This attack can still be effective even when CSRF defense/the "state"
 parameter (see Section 4.4.1.8) is deployed on the client side.  With
 such a defense, the attacker might need to incur an additional HTTP
 request to obtain a valid CSRF code/"state" parameter.  This
 apparently cuts down the effectiveness of the attack by a factor of
 2.  However, if the HTTPS/HTTP cost ratio is higher than 2 (the cost
 factor is estimated to be around 3.5x at [SSL-Latency]), the attacker
 still achieves a magnification of resource utilization at the expense
 of the authorization server.
 Impact: There are a few effects that the attacker can accomplish with
 this OAuth flow that they cannot easily achieve otherwise.
 1.  Connection laundering: With the clients as the relay between the
     attacker and the authorization server, the authorization server
     learns little or no information about the identity of the
     attacker.  Defenses such as rate-limiting on the offending
     attacker machines are less effective because it is difficult to
     identify the attacking machines.  Although an attacker could also
     launder its connections through an anonymizing system such as
     Tor, the effectiveness of that approach depends on the capacity
     of the anonymizing system.  On the other hand, a potentially
     large number of OAuth clients could be utilized for this attack.
 2.  Asymmetric resource utilization: The attacker incurs the cost of
     an HTTP connection and causes an HTTPS connection to be made on
     the authorization server; the attacker can coordinate the timing
     of such HTTPS connections across multiple clients relatively
     easily.  Although the attacker could achieve something similar,
     say, by including an iFrame pointing to the HTTPS URL of the
     authorization server in an HTTP web page and luring web users to
     visit that page, timing attacks using such a scheme may be more

Lodderstedt, et al. Informational [Page 35] RFC 6819 OAuth 2.0 Security January 2013

     difficult, as it seems nontrivial to synchronize a large number
     of users to simultaneously visit a particular site under the
     attacker's control.
 Countermeasures:
 o  Though not a complete countermeasure by themselves, CSRF defense
    and the "state" parameter created with secure random codes should
    be deployed on the client side.  The client should forward the
    authorization "code" to the authorization server only after both
    the CSRF token and the "state" parameter are validated.
 o  If the client authenticates the user, either through a single-
    sign-on protocol or through local authentication, the client
    should suspend the access by a user account if the number of
    invalid authorization "codes" submitted by this user exceeds a
    certain threshold.
 o  The authorization server should send an error response to the
    client reporting an invalid authorization "code" and rate-limit or
    disallow connections from clients whose number of invalid requests
    exceeds a threshold.

4.4.1.13. Threat: Code Substitution (OAuth Login)

 An attacker could attempt to log into an application or web site
 using a victim's identity.  Applications relying on identity data
 provided by an OAuth protected service API to login users are
 vulnerable to this threat.  This pattern can be found in so-called
 "social login" scenarios.
 As a prerequisite, a resource server offers an API to obtain personal
 information about a user that could be interpreted as having obtained
 a user identity.  In this sense, the client is treating the resource
 server API as an "identity" API.  A client utilizes OAuth to obtain
 an access token for the identity API.  It then queries the identity
 API for an identifier and uses it to look up its internal user
 account data (login).  The client assumes that, because it was able
 to obtain information about the user, the user has been
 authenticated.
 If the client uses the grant type "code", the attacker needs to
 gather a valid authorization "code" of the respective victim from the
 same Identity Provider used by the target client application.  The
 attacker tricks the victim into logging into a malicious app (which
 may appear to be legitimate to the Identity Provider) using the same
 Identity Provider as the target application.  This results in the
 Identity Provider's authorization server issuing an authorization

Lodderstedt, et al. Informational [Page 36] RFC 6819 OAuth 2.0 Security January 2013

 "code" for the respective identity API.  The malicious app then sends
 this code to the attacker, which in turn triggers a login process
 within the target application.  The attacker now manipulates the
 authorization response and substitutes their code (bound to their
 identity) for the victim's code.  This code is then exchanged by the
 client for an access token, which in turn is accepted by the identity
 API, since the audience, with respect to the resource server, is
 correct.  But since the identifier returned by the identity API is
 determined by the identity in the access token (issued based on the
 victim's code), the attacker is logged into the target application
 under the victim's identity.
 Impact: The attacker gains access to an application and user-specific
 data within the application.
 Countermeasures:
 o  All clients must indicate their client ids with every request to
    exchange an authorization "code" for an access token.  The
    authorization server must validate whether the particular
    authorization "code" has been issued to the particular client.  If
    possible, the client shall be authenticated beforehand.
 o  Clients should use an appropriate protocol, such as OpenID (cf.
    [OPENID]) or SAML (cf. [OASIS.sstc-saml-bindings-1.1]) to
    implement user login.  Both support audience restrictions on
    clients.

4.4.2. Implicit Grant

 In the implicit grant type flow, the access token is directly
 returned to the client as a fragment part of the redirect URI.  It is
 assumed that the token is not sent to the redirect URI target, as
 HTTP user agents do not send the fragment part of URIs to HTTP
 servers.  Thus, an attacker cannot eavesdrop the access token on this
 communication path, and the token cannot leak through HTTP referrer
 headers.

4.4.2.1. Threat: Access Token Leak in Transport/Endpoints

 This token might be eavesdropped by an attacker.  The token is sent
 from the server to the client via a URI fragment of the redirect URI.
 If the communication is not secured or the endpoint is not secured,
 the token could be leaked by parsing the returned URI.
 Impact: The attacker would be able to assume the same rights granted
 by the token.

Lodderstedt, et al. Informational [Page 37] RFC 6819 OAuth 2.0 Security January 2013

 Countermeasures:
 o  The authorization server should ensure confidentiality (e.g.,
    using TLS) of the response from the authorization server to the
    client (see Section 5.1.1).

4.4.2.2. Threat: Access Token Leak in Browser History

 An attacker could obtain the token from the browser's history.  Note
 that this means the attacker needs access to the particular device.
 Countermeasures:
 o  Use short expiry time for tokens (see Section 5.1.5.3).  Reduced
    scope of the token may reduce the impact of that attack (see
    Section 5.1.5.1).
 o  Make responses non-cacheable.

4.4.2.3. Threat: Malicious Client Obtains Authorization

 A malicious client could attempt to obtain a token by fraud.
 The same countermeasures as for Section 4.4.1.4 are applicable,
 except client authentication.

4.4.2.4. Threat: Manipulation of Scripts

 A hostile party could act as the client web server and replace or
 modify the actual implementation of the client (script).  This could
 be achieved using DNS or ARP spoofing.  This applies to clients
 implemented within the web browser in a scripting language.
 Impact: The attacker could obtain user credential information and
 assume the full identity of the user.
 Countermeasures:
 o  The authorization server should authenticate the server from which
    scripts are obtained (see Section 5.1.2).
 o  The client should ensure that scripts obtained have not been
    altered in transport (see Section 5.1.1).

Lodderstedt, et al. Informational [Page 38] RFC 6819 OAuth 2.0 Security January 2013

 o  Introduce one-time, per-use secrets (e.g., "client_secret") values
    that can only be used by scripts in a small time window once
    loaded from a server.  The intention would be to reduce the
    effectiveness of copying client-side scripts for re-use in an
    attacker's modified code.

4.4.2.5. Threat: CSRF Attack against redirect-uri

 CSRF attacks (see Section 4.4.1.8) also work against the redirect URI
 used in the implicit grant flow.  An attacker could acquire an access
 token to their own protected resources.  He could then construct a
 redirect URI and embed their access token in that URI.  If he can
 trick the user into following the redirect URI and the client does
 not have protection against this attack, the user may have the
 attacker's access token authorized within their client.
 Impact: The user accesses resources on behalf of the attacker.  The
 effective impact depends on the type of resource accessed.  For
 example, the user may upload private items to an attacker's
 resources.  Or, when using OAuth in 3rd-party login scenarios, the
 user may associate his client account with the attacker's identity at
 the external Identity Provider.  In this way, the attacker could
 easily access the victim's data at the client by logging in from
 another device with his credentials at the external Identity
 Provider.
 Countermeasures:
 o  The "state" parameter should be used to link the authorization
    request with the redirect URI used to deliver the access token.
    This will ensure that the client is not tricked into completing
    any redirect callback unless it is linked to an authorization
    request initiated by the client.  The "state" parameter should not
    be guessable, and the client should be capable of keeping the
    "state" parameter secret.
 o  Client developers and end users can be educated to not follow
    untrusted URLs.

4.4.2.6. Threat: Token Substitution (OAuth Login)

 An attacker could attempt to log into an application or web site
 using a victim's identity.  Applications relying on identity data
 provided by an OAuth protected service API to login users are
 vulnerable to this threat.  This pattern can be found in so-called
 "social login" scenarios.

Lodderstedt, et al. Informational [Page 39] RFC 6819 OAuth 2.0 Security January 2013

 As a prerequisite, a resource server offers an API to obtain personal
 information about a user that could be interpreted as having obtained
 a user identity.  In this sense, the client is treating the resource
 server API as an "identity" API.  A client utilizes OAuth to obtain
 an access token for the identity API.  It then queries the identity
 API for an identifier and uses it to look up its internal user
 account data (login).  The client assumes that, because it was able
 to obtain information about the user, the user has been
 authenticated.
 To succeed, the attacker needs to gather a valid access token of the
 respective victim from the same Identity Provider used by the target
 client application.  The attacker tricks the victim into logging into
 a malicious app (which may appear to be legitimate to the Identity
 Provider) using the same Identity Provider as the target application.
 This results in the Identity Provider's authorization server issuing
 an access token for the respective identity API.  The malicious app
 then sends this access token to the attacker, which in turn triggers
 a login process within the target application.  The attacker now
 manipulates the authorization response and substitutes their access
 token (bound to their identity) for the victim's access token.  This
 token is accepted by the identity API, since the audience, with
 respect to the resource server, is correct.  But since the identifier
 returned by the identity API is determined by the identity in the
 access token, the attacker is logged into the target application
 under the victim's identity.
 Impact: The attacker gains access to an application and user-specific
 data within the application.
 Countermeasures:
 o  Clients should use an appropriate protocol, such as OpenID (cf.
    [OPENID]) or SAML (cf. [OASIS.sstc-saml-bindings-1.1]) to
    implement user login.  Both support audience restrictions on
    clients.

4.4.3. Resource Owner Password Credentials

 The resource owner password credentials grant type (see [RFC6749],
 Section 4.3), often used for legacy/migration reasons, allows a
 client to request an access token using an end-user's user id and
 password along with its own credential.  This grant type has higher
 risk because it maintains the UID/password anti-pattern.
 Additionally, because the user does not have control over the
 authorization process, clients using this grant type are not limited

Lodderstedt, et al. Informational [Page 40] RFC 6819 OAuth 2.0 Security January 2013

 by scope but instead have potentially the same capabilities as the
 user themselves.  As there is no authorization step, the ability to
 offer token revocation is bypassed.
 Because passwords are often used for more than 1 service, this
 anti-pattern may also put at risk whatever else is accessible with
 the supplied credential.  Additionally, any easily derived equivalent
 (e.g., joe@example.com and joe@example.net) might easily allow
 someone to guess that the same password can be used elsewhere.
 Impact: The resource server can only differentiate scope based on the
 access token being associated with a particular client.  The client
 could also acquire long-lived tokens and pass them up to an
 attacker's web service for further abuse.  The client, eavesdroppers,
 or endpoints could eavesdrop the user id and password.
 Countermeasures:
 o  Except for migration reasons, minimize use of this grant type.
 o  The authorization server should validate the client id associated
    with the particular refresh token with every refresh request
    (Section 5.2.2.2).
 o  As per the core OAuth specification, the authorization server must
    ensure that these transmissions are protected using transport-
    layer mechanisms such as TLS (see Section 5.1.1).
 o  Rather than encouraging users to use a UID and password, service
    providers should instead encourage users not to use the same
    password for multiple services.
 o  Limit use of resource owner password credential grants to
    scenarios where the client application and the authorizing service
    are from the same organization.

4.4.3.1. Threat: Accidental Exposure of Passwords at Client Site

 If the client does not provide enough protection, an attacker or
 disgruntled employee could retrieve the passwords for a user.
 Countermeasures:
 o  Use other flows that do not rely on the client's cooperation for
    secure resource owner credential handling.
 o  Use digest authentication instead of plaintext credential
    processing.

Lodderstedt, et al. Informational [Page 41] RFC 6819 OAuth 2.0 Security January 2013

 o  Obfuscate passwords in logs.

4.4.3.2. Threat: Client Obtains Scopes without End-User Authorization

 All interaction with the resource owner is performed by the client.
 Thus it might, intentionally or unintentionally, happen that the
 client obtains a token with scope unknown for, or unintended by, the
 resource owner.  For example, the resource owner might think the
 client needs and acquires read-only access to its media storage only
 but the client tries to acquire an access token with full access
 permissions.
 Countermeasures:
 o  Use other flows that do not rely on the client's cooperation for
    resource owner interaction.
 o  The authorization server may generally restrict the scope of
    access tokens (Section 5.1.5.1) issued by this flow.  If the
    particular client is trustworthy and can be authenticated in a
    reliable way, the authorization server could relax that
    restriction.  Resource owners may prescribe (e.g., in their
    preferences) what the maximum scope is for clients using this
    flow.
 o  The authorization server could notify the resource owner by an
    appropriate medium, e.g., email, of the grant issued (see
    Section 5.1.3).

4.4.3.3. Threat: Client Obtains Refresh Token through Automatic

        Authorization
 All interaction with the resource owner is performed by the client.
 Thus it might, intentionally or unintentionally, happen that the
 client obtains a long-term authorization represented by a refresh
 token even if the resource owner did not intend so.
 Countermeasures:
 o  Use other flows that do not rely on the client's cooperation for
    resource owner interaction.
 o  The authorization server may generally refuse to issue refresh
    tokens in this flow (see Section 5.2.2.1).  If the particular
    client is trustworthy and can be authenticated in a reliable way
    (see client authentication), the authorization server could relax

Lodderstedt, et al. Informational [Page 42] RFC 6819 OAuth 2.0 Security January 2013

    that restriction.  Resource owners may allow or deny (e.g., in
    their preferences) the issuing of refresh tokens using this flow
    as well.
 o  The authorization server could notify the resource owner by an
    appropriate medium, e.g., email, of the refresh token issued (see
    Section 5.1.3).

4.4.3.4. Threat: Obtaining User Passwords on Transport

 An attacker could attempt to eavesdrop the transmission of end-user
 credentials with the grant type "password" between the client and
 server.
 Impact: Disclosure of a single end-user's password.
 Countermeasures:
 o  Ensure confidentiality of requests (Section 5.1.1).
 o  Use alternative authentication means that do not require the
    sending of plaintext credentials over the wire (e.g., Hash-based
    Message Authentication Code).

4.4.3.5. Threat: Obtaining User Passwords from Authorization Server

        Database
 An attacker may obtain valid username/password combinations from the
 authorization server's database by gaining access to the database or
 launching a SQL injection attack.
 Impact: Disclosure of all username/password combinations.  The impact
 may exceed the domain of the authorization server, since many users
 tend to use the same credentials on different services.
 Countermeasures:
 o  Enforce credential storage protection best practices
    (Section 5.1.4.1).

4.4.3.6. Threat: Online Guessing

 An attacker may try to guess valid username/password combinations
 using the grant type "password".
 Impact: Revelation of a single username/password combination.

Lodderstedt, et al. Informational [Page 43] RFC 6819 OAuth 2.0 Security January 2013

 Countermeasures:
 o  Utilize secure password policy (Section 5.1.4.2.1).
 o  Lock accounts (Section 5.1.4.2.3).
 o  Use tar pit (Section 5.1.4.2.4).
 o  Use CAPTCHAs (Section 5.1.4.2.5).
 o  Consider not using the grant type "password".
 o  Client authentication (see Section 5.2.3) will provide another
    authentication factor and thus hinder the attack.

4.4.4. Client Credentials

 Client credentials (see [RFC6749], Section 3) consist of an
 identifier (not secret) combined with an additional means (such as a
 matching client secret) of authenticating a client.  The threats to
 this grant type are similar to those described in Section 4.4.3.

4.5. Refreshing an Access Token

4.5.1. Threat: Eavesdropping Refresh Tokens from Authorization Server

 An attacker may eavesdrop refresh tokens when they are transmitted
 from the authorization server to the client.
 Countermeasures:
 o  As per the core OAuth spec, the authorization servers must ensure
    that these transmissions are protected using transport-layer
    mechanisms such as TLS (see Section 5.1.1).
 o  If end-to-end confidentiality cannot be guaranteed, reducing scope
    (see Section 5.1.5.1) and expiry time (see Section 5.1.5.3) for
    issued access tokens can be used to reduce the damage in case of
    leaks.

4.5.2. Threat: Obtaining Refresh Token from Authorization Server

      Database
 This threat is applicable if the authorization server stores refresh
 tokens as handles in a database.  An attacker may obtain refresh
 tokens from the authorization server's database by gaining access to
 the database or launching a SQL injection attack.

Lodderstedt, et al. Informational [Page 44] RFC 6819 OAuth 2.0 Security January 2013

 Impact: Disclosure of all refresh tokens.
 Countermeasures:
 o  Enforce credential storage protection best practices
    (Section 5.1.4.1).
 o  Bind token to client id, if the attacker cannot obtain the
    required id and secret (Section 5.1.5.8).

4.5.3. Threat: Obtaining Refresh Token by Online Guessing

 An attacker may try to guess valid refresh token values and send it
 using the grant type "refresh_token" in order to obtain a valid
 access token.
 Impact: Exposure of a single refresh token and derivable access
 tokens.
 Countermeasures:
 o  For handle-based designs (Section 5.1.4.2.2).
 o  For assertion-based designs (Section 5.1.5.9).
 o  Bind token to client id, because the attacker would guess the
    matching client id, too (see Section 5.1.5.8).
 o  Authenticate the client; this adds another element that the
    attacker has to guess (see Section 5.2.3.4).

4.5.4. Threat: Refresh Token Phishing by Counterfeit Authorization

      Server
 An attacker could try to obtain valid refresh tokens by proxying
 requests to the authorization server.  Given the assumption that the
 authorization server URL is well-known at development time or can at
 least be obtained from a well-known resource server, the attacker
 must utilize some kind of spoofing in order to succeed.
 Countermeasures:
 o  Utilize server authentication (as described in Section 5.1.2).

Lodderstedt, et al. Informational [Page 45] RFC 6819 OAuth 2.0 Security January 2013

4.6. Accessing Protected Resources

4.6.1. Threat: Eavesdropping Access Tokens on Transport

 An attacker could try to obtain a valid access token on transport
 between the client and resource server.  As access tokens are shared
 secrets between the authorization server and resource server, they
 should be treated with the same care as other credentials (e.g., end-
 user passwords).
 Countermeasures:
 o  Access tokens sent as bearer tokens should not be sent in the
    clear over an insecure channel.  As per the core OAuth spec,
    transmission of access tokens must be protected using transport-
    layer mechanisms such as TLS (see Section 5.1.1).
 o  A short lifetime reduces impact in case tokens are compromised
    (see Section 5.1.5.3).
 o  The access token can be bound to a client's identifier and require
    the client to prove legitimate ownership of the token to the
    resource server (see Section 5.4.2).

4.6.2. Threat: Replay of Authorized Resource Server Requests

 An attacker could attempt to replay valid requests in order to obtain
 or to modify/destroy user data.
 Countermeasures:
 o  The resource server should utilize transport security measures
    (e.g., TLS) in order to prevent such attacks (see Section 5.1.1).
    This would prevent the attacker from capturing valid requests.
 o  Alternatively, the resource server could employ signed requests
    (see Section 5.4.3) along with nonces and timestamps in order to
    uniquely identify requests.  The resource server should detect and
    refuse every replayed request.

4.6.3. Threat: Guessing Access Tokens

 Where the token is a handle, the attacker may attempt to guess the
 access token values based on knowledge they have from other access
 tokens.
 Impact: Access to a single user's data.

Lodderstedt, et al. Informational [Page 46] RFC 6819 OAuth 2.0 Security January 2013

 Countermeasures:
 o  Handle tokens should have a reasonable level of entropy (see
    Section 5.1.4.2.2) in order to make guessing a valid token value
    infeasible.
 o  Assertion (or self-contained token) token contents should be
    protected by a digital signature (see Section 5.1.5.9).
 o  Security can be further strengthened by using a short access token
    duration (see Sections 5.1.5.2 and 5.1.5.3).

4.6.4. Threat: Access Token Phishing by Counterfeit Resource Server

 An attacker may pretend to be a particular resource server and to
 accept tokens from a particular authorization server.  If the client
 sends a valid access token to this counterfeit resource server, the
 server in turn may use that token to access other services on behalf
 of the resource owner.
 Countermeasures:
 o  Clients should not make authenticated requests with an access
    token to unfamiliar resource servers, regardless of the presence
    of a secure channel.  If the resource server URL is well-known to
    the client, it may authenticate the resource servers (see
    Section 5.1.2).
 o  Associate the endpoint URL of the resource server the client
    talked to with the access token (e.g., in an audience field) and
    validate the association at a legitimate resource server.  The
    endpoint URL validation policy may be strict (exact match) or more
    relaxed (e.g., same host).  This would require telling the
    authorization server about the resource server endpoint URL in the
    authorization process.
 o  Associate an access token with a client and authenticate the
    client with resource server requests (typically via a signature,
    in order to not disclose a secret to a potential attacker).  This
    prevents the attack because the counterfeit server is assumed to
    lack the capability to correctly authenticate on behalf of the
    legitimate client to the resource server (Section 5.4.2).
 o  Restrict the token scope (see Section 5.1.5.1) and/or limit the
    token to a certain resource server (Section 5.1.5.5).

Lodderstedt, et al. Informational [Page 47] RFC 6819 OAuth 2.0 Security January 2013

4.6.5. Threat: Abuse of Token by Legitimate Resource Server or Client

 A legitimate resource server could attempt to use an access token to
 access another resource server.  Similarly, a client could try to use
 a token obtained for one server on another resource server.
 Countermeasures:
 o  Tokens should be restricted to particular resource servers (see
    Section 5.1.5.5).

4.6.6. Threat: Leak of Confidential Data in HTTP Proxies

 An OAuth HTTP authentication scheme as discussed in [RFC6749] is
 optional.  However, [RFC2616] relies on the Authorization and
 WWW-Authenticate headers to distinguish authenticated content so that
 it can be protected.  Proxies and caches, in particular, may fail to
 adequately protect requests not using these headers.  For example,
 private authenticated content may be stored in (and thus be
 retrievable from) publicly accessible caches.
 Countermeasures:
 o  Clients and resource servers not using an OAuth HTTP
    authentication scheme (see Section 5.4.1) should take care to use
    Cache-Control headers to minimize the risk that authenticated
    content is not protected.  Such clients should send a
    Cache-Control header containing the "no-store" option [RFC2616].
    Resource server success (2XX status) responses to these requests
    should contain a Cache-Control header with the "private" option
    [RFC2616].
 o  Reducing scope (see Section 5.1.5.1) and expiry time
    (Section 5.1.5.3) for access tokens can be used to reduce the
    damage in case of leaks.

4.6.7. Threat: Token Leakage via Log Files and HTTP Referrers

 If access tokens are sent via URI query parameters, such tokens may
 leak to log files and the HTTP "referer".
 Countermeasures:
 o  Use Authorization headers or POST parameters instead of URI
    request parameters (see Section 5.4.1).
 o  Set logging configuration appropriately.

Lodderstedt, et al. Informational [Page 48] RFC 6819 OAuth 2.0 Security January 2013

 o  Prevent unauthorized persons from access to system log files (see
    Section 5.1.4.1.1).
 o  Abuse of leaked access tokens can be prevented by enforcing
    authenticated requests (see Section 5.4.2).
 o  The impact of token leakage may be reduced by limiting scope (see
    Section 5.1.5.1) and duration (see Section 5.1.5.3) and by
    enforcing one-time token usage (see Section 5.1.5.4).

5. Security Considerations

 This section describes the countermeasures as recommended to mitigate
 the threats described in Section 4.

5.1. General

 This section covers considerations that apply generally across all
 OAuth components (client, resource server, token server, and user
 agents).

5.1.1. Ensure Confidentiality of Requests

 This is applicable to all requests sent from the client to the
 authorization server or resource server.  While OAuth provides a
 mechanism for verifying the integrity of requests, it provides no
 guarantee of request confidentiality.  Unless further precautions are
 taken, eavesdroppers will have full access to request content and may
 be able to mount interception or replay attacks by using the contents
 of requests, e.g., secrets or tokens.
 Attacks can be mitigated by using transport-layer mechanisms such as
 TLS [RFC5246].  A virtual private network (VPN), e.g., based on IPsec
 VPNs [RFC4301], may be considered as well.
 Note: This document assumes end-to-end TLS protected connections
 between the respective protocol entities.  Deployments deviating from
 this assumption by offloading TLS in between (e.g., on the data
 center edge) must refine this threat model in order to account for
 the additional (mainly insider) threat this may cause.
 This is a countermeasure against the following threats:
 o  Replay of access tokens obtained on the token's endpoint or the
    resource server's endpoint
 o  Replay of refresh tokens obtained on the token's endpoint

Lodderstedt, et al. Informational [Page 49] RFC 6819 OAuth 2.0 Security January 2013

 o  Replay of authorization "codes" obtained on the token's endpoint
    (redirect?)
 o  Replay of user passwords and client secrets

5.1.2. Utilize Server Authentication

 HTTPS server authentication or similar means can be used to
 authenticate the identity of a server.  The goal is to reliably bind
 the fully qualified domain name of the server to the public key
 presented by the server during connection establishment (see
 [RFC2818]).
 The client should validate the binding of the server to its domain
 name.  If the server fails to prove that binding, the communication
 is considered a man-in-the-middle attack.  This security measure
 depends on the certification authorities the client trusts for that
 purpose.  Clients should carefully select those trusted CAs and
 protect the storage for trusted CA certificates from modifications.
 This is a countermeasure against the following threats:
 o  Spoofing
 o  Proxying
 o  Phishing by counterfeit servers

5.1.3. Always Keep the Resource Owner Informed

 Transparency to the resource owner is a key element of the OAuth
 protocol.  The user should always be in control of the authorization
 processes and get the necessary information to make informed
 decisions.  Moreover, user involvement is a further security
 countermeasure.  The user can probably recognize certain kinds of
 attacks better than the authorization server.  Information can be
 presented/exchanged during the authorization process, after the
 authorization process, and every time the user wishes to get informed
 by using techniques such as:
 o  User consent forms.
 o  Notification messages (e.g., email, SMS, ...).  Note that
    notifications can be a phishing vector.  Messages should be such
    that look-alike phishing messages cannot be derived from them.

Lodderstedt, et al. Informational [Page 50] RFC 6819 OAuth 2.0 Security January 2013

 o  Activity/event logs.
 o  User self-care applications or portals.

5.1.4. Credentials

 This section describes countermeasures used to protect all kinds of
 credentials from unauthorized access and abuse.  Credentials are
 long-term secrets, such as client secrets and user passwords as well
 as all kinds of tokens (refresh and access tokens) or authorization
 "codes".

5.1.4.1. Enforce Credential Storage Protection Best Practices

 Administrators should undertake industry best practices to protect
 the storage of credentials (for example, see [OWASP]).  Such
 practices may include but are not limited to the following
 sub-sections.

5.1.4.1.1. Enforce Standard System Security Means

 A server system may be locked down so that no attacker may get access
 to sensitive configuration files and databases.

5.1.4.1.2. Enforce Standard SQL Injection Countermeasures

 If a client identifier or other authentication component is queried
 or compared against a SQL database, it may become possible for an
 injection attack to occur if parameters received are not validated
 before submission to the database.
 o  Ensure that server code is using the minimum database privileges
    possible to reduce the "surface" of possible attacks.
 o  Avoid dynamic SQL using concatenated input.  If possible, use
    static SQL.
 o  When using dynamic SQL, parameterize queries using bind arguments.
    Bind arguments eliminate the possibility of SQL injections.
 o  Filter and sanitize the input.  For example, if an identifier has
    a known format, ensure that the supplied value matches the
    identifier syntax rules.

Lodderstedt, et al. Informational [Page 51] RFC 6819 OAuth 2.0 Security January 2013

5.1.4.1.3. No Cleartext Storage of Credentials

 The authorization server should not store credentials in clear text.
 Typical approaches are to store hashes instead or to encrypt
 credentials.  If the credential lacks a reasonable entropy level
 (because it is a user password), an additional salt will harden the
 storage to make offline dictionary attacks more difficult.
 Note: Some authentication protocols require the authorization server
 to have access to the secret in the clear.  Those protocols cannot be
 implemented if the server only has access to hashes.  Credentials
 should be strongly encrypted in those cases.

5.1.4.1.4. Encryption of Credentials

 For client applications, insecurely persisted client credentials are
 easy targets for attackers to obtain.  Store client credentials using
 an encrypted persistence mechanism such as a keystore or database.
 Note that compiling client credentials directly into client code
 makes client applications vulnerable to scanning as well as difficult
 to administer should client credentials change over time.

5.1.4.1.5. Use of Asymmetric Cryptography

 Usage of asymmetric cryptography will free the authorization server
 of the obligation to manage credentials.

5.1.4.2. Online Attacks on Secrets

5.1.4.2.1. Utilize Secure Password Policy

 The authorization server may decide to enforce a complex user
 password policy in order to increase the user passwords' entropy to
 hinder online password attacks.  Note that too much complexity can
 increase the likelihood that users re-use passwords or write them
 down, or otherwise store them insecurely.

5.1.4.2.2. Use High Entropy for Secrets

 When creating secrets not intended for usage by human users (e.g.,
 client secrets or token handles), the authorization server should
 include a reasonable level of entropy in order to mitigate the risk
 of guessing attacks.  The token value should be >=128 bits long and
 constructed from a cryptographically strong random or pseudo-random
 number sequence (see [RFC4086] for best current practice) generated
 by the authorization server.

Lodderstedt, et al. Informational [Page 52] RFC 6819 OAuth 2.0 Security January 2013

5.1.4.2.3. Lock Accounts

 Online attacks on passwords can be mitigated by locking the
 respective accounts after a certain number of failed attempts.
 Note: This measure can be abused to lock down legitimate service
 users.

5.1.4.2.4. Use Tar Pit

 The authorization server may react on failed attempts to authenticate
 by username/password by temporarily locking the respective account
 and delaying the response for a certain duration.  This duration may
 increase with the number of failed attempts.  The objective is to
 slow the attacker's attempts on a certain username down.
 Note: This may require a more complex and stateful design of the
 authorization server.

5.1.4.2.5. Use CAPTCHAs

 The idea is to prevent programs from automatically checking a huge
 number of passwords, by requiring human interaction.
 Note: This has a negative impact on user experience.

5.1.5. Tokens (Access, Refresh, Code)

5.1.5.1. Limit Token Scope

 The authorization server may decide to reduce or limit the scope
 associated with a token.  The basis of this decision is out of scope;
 examples are:
 o  a client-specific policy, e.g., issue only less powerful tokens to
    public clients,
 o  a service-specific policy, e.g., it is a very sensitive service,
 o  a resource-owner-specific setting, or
 o  combinations of such policies and preferences.

Lodderstedt, et al. Informational [Page 53] RFC 6819 OAuth 2.0 Security January 2013

 The authorization server may allow different scopes dependent on the
 grant type.  For example, end-user authorization via direct
 interaction with the end user (authorization "code") might be
 considered more reliable than direct authorization via grant type
 "username"/"password".  This means will reduce the impact of the
 following threats:
 o  token leakage
 o  token issuance to malicious software
 o  unintended issuance of powerful tokens with resource owner
    credentials flow

5.1.5.2. Determine Expiration Time

 Tokens should generally expire after a reasonable duration.  This
 complements and strengthens other security measures (such as
 signatures) and reduces the impact of all kinds of token leaks.
 Depending on the risk associated with token leakage, tokens may
 expire after a few minutes (e.g., for payment transactions) or stay
 valid for hours (e.g., read access to contacts).
 The expiration time is determined by several factors, including:
 o  risk associated with token leakage,
 o  duration of the underlying access grant,
 o  duration until the modification of an access grant should take
    effect, and
 o  time required for an attacker to guess or produce a valid token.

5.1.5.3. Use Short Expiration Time

 A short expiration time for tokens is a means of protection against
 the following threats:
 o  replay
 o  token leak (a short expiration time will reduce impact)
 o  online guessing (a short expiration time will reduce the
    likelihood of success)

Lodderstedt, et al. Informational [Page 54] RFC 6819 OAuth 2.0 Security January 2013

 Note: Short token duration requires more precise clock
 synchronization between the authorization server and resource server.
 Furthermore, shorter duration may require more token refreshes
 (access token) or repeated end-user authorization processes
 (authorization "code" and refresh token).

5.1.5.4. Limit Number of Usages or One-Time Usage

 The authorization server may restrict the number of requests or
 operations that can be performed with a certain token.  This
 mechanism can be used to mitigate the following threats:
 o  replay of tokens
 o  guessing
 For example, if an authorization server observes more than one
 attempt to redeem an authorization "code", the authorization server
 may want to revoke all access tokens granted based on the
 authorization "code" as well as reject the current request.
 As with the authorization "code", access tokens may also have a
 limited number of operations.  This either forces client applications
 to re-authenticate and use a refresh token to obtain a fresh access
 token, or forces the client to re-authorize the access token by
 involving the user.

5.1.5.5. Bind Tokens to a Particular Resource Server (Audience)

 Authorization servers in multi-service environments may consider
 issuing tokens with different content to different resource servers
 and to explicitly indicate in the token the target server to which a
 token is intended to be sent.  SAML assertions (see
 [OASIS.saml-core-2.0-os]) use the Audience element for this purpose.
 This countermeasure can be used in the following situations:
 o  It reduces the impact of a successful replay attempt, since the
    token is applicable to a single resource server only.
 o  It prevents abuse of a token by a rogue resource server or client,
    since the token can only be used on that server.  It is rejected
    by other servers.
 o  It reduces the impact of leakage of a valid token to a counterfeit
    resource server.

Lodderstedt, et al. Informational [Page 55] RFC 6819 OAuth 2.0 Security January 2013

5.1.5.6. Use Endpoint Address as Token Audience

 This may be used to indicate to a resource server which endpoint URL
 has been used to obtain the token.  This measure will allow the
 detection of requests from a counterfeit resource server, since such
 a token will contain the endpoint URL of that server.

5.1.5.7. Use Explicitly Defined Scopes for Audience and Tokens

 Deployments may consider only using tokens with explicitly defined
 scopes, where every scope is associated with a particular resource
 server.  This approach can be used to mitigate attacks where a
 resource server or client uses a token for a different purpose than
 the one intended.

5.1.5.8. Bind Token to Client id

 An authorization server may bind a token to a certain client
 identifier.  This identifier should be validated for every request
 with that token.  This technique can be used to
 o  detect token leakage and
 o  prevent token abuse.
 Note: Validating the client identifier may require the target server
 to authenticate the client's identifier.  This authentication can be
 based on secrets managed independently of the token (e.g.,
 pre-registered client id/secret on authorization server) or sent with
 the token itself (e.g., as part of the encrypted token content).

5.1.5.9. Sign Self-Contained Tokens

 Self-contained tokens should be signed in order to detect any attempt
 to modify or produce faked tokens (e.g., Hash-based Message
 Authentication Code or digital signatures).

5.1.5.10. Encrypt Token Content

 Self-contained tokens may be encrypted for confidentiality reasons or
 to protect system internal data.  Depending on token format, keys
 (e.g., symmetric keys) may have to be distributed between server
 nodes.  The method of distribution should be defined by the token and
 the encryption used.

Lodderstedt, et al. Informational [Page 56] RFC 6819 OAuth 2.0 Security January 2013

5.1.5.11. Adopt a Standard Assertion Format

 For service providers intending to implement an assertion-based token
 design, it is highly recommended to adopt a standard assertion format
 (such as SAML [OASIS.saml-core-2.0-os] or the JavaScript Object
 Notation Web Token (JWT) [OAuth-JWT]).

5.1.6. Access Tokens

 The following measures should be used to protect access tokens:
 o  Keep them in transient memory (accessible by the client
    application only).
 o  Pass tokens securely using secure transport (TLS).
 o  Ensure that client applications do not share tokens with 3rd
    parties.

5.2. Authorization Server

 This section describes considerations related to the OAuth
 authorization server endpoint.

5.2.1. Authorization "codes"

5.2.1.1. Automatic Revocation of Derived Tokens If Abuse Is Detected

 If an authorization server observes multiple attempts to redeem an
 authorization grant (e.g., such as an authorization "code"), the
 authorization server may want to revoke all tokens granted based on
 the authorization grant.

5.2.2. Refresh Tokens

5.2.2.1. Restricted Issuance of Refresh Tokens

 The authorization server may decide, based on an appropriate policy,
 not to issue refresh tokens.  Since refresh tokens are long-term
 credentials, they may be subject to theft.  For example, if the
 authorization server does not trust a client to securely store such
 tokens, it may refuse to issue such a client a refresh token.

Lodderstedt, et al. Informational [Page 57] RFC 6819 OAuth 2.0 Security January 2013

5.2.2.2. Binding of Refresh Token to "client_id"

 The authorization server should match every refresh token to the
 identifier of the client to whom it was issued.  The authorization
 server should check that the same "client_id" is present for every
 request to refresh the access token.  If possible (e.g., confidential
 clients), the authorization server should authenticate the respective
 client.
 This is a countermeasure against refresh token theft or leakage.
 Note: This binding should be protected from unauthorized
 modifications.

5.2.2.3. Refresh Token Rotation

 Refresh token rotation is intended to automatically detect and
 prevent attempts to use the same refresh token in parallel from
 different apps/devices.  This happens if a token gets stolen from the
 client and is subsequently used by both the attacker and the
 legitimate client.  The basic idea is to change the refresh token
 value with every refresh request in order to detect attempts to
 obtain access tokens using old refresh tokens.  Since the
 authorization server cannot determine whether the attacker or the
 legitimate client is trying to access, in case of such an access
 attempt the valid refresh token and the access authorization
 associated with it are both revoked.
 The OAuth specification supports this measure in that the token's
 response allows the authorization server to return a new refresh
 token even for requests with grant type "refresh_token".
 Note: This measure may cause problems in clustered environments,
 since usage of the currently valid refresh token must be ensured.  In
 such an environment, other measures might be more appropriate.

5.2.2.4. Revocation of Refresh Tokens

 The authorization server may allow clients or end users to explicitly
 request the invalidation of refresh tokens.  A mechanism to revoke
 tokens is specified in [OAuth-REVOCATION].

Lodderstedt, et al. Informational [Page 58] RFC 6819 OAuth 2.0 Security January 2013

 This is a countermeasure against:
 o  device theft,
 o  impersonation of a resource owner, or
 o  suspected compromised client applications.

5.2.2.5. Device Identification

 The authorization server may require the binding of authentication
 credentials to a device identifier.  The International Mobile Station
 Equipment Identity [IMEI] is one example of such an identifier; there
 are also operating system-specific identifiers.  The authorization
 server could include such an identifier when authenticating user
 credentials in order to detect token theft from a particular device.
 Note: Any implementation should consider potential privacy
 implications of using device identifiers.

5.2.2.6. X-FRAME-OPTIONS Header

 For newer browsers, avoidance of iFrames can be enforced on the
 server side by using the X-FRAME-OPTIONS header (see
 [X-Frame-Options]).  This header can have two values, "DENY" and
 "SAMEORIGIN", which will block any framing or any framing by sites
 with a different origin, respectively.  The value "ALLOW-FROM"
 specifies a list of trusted origins that iFrames may originate from.
 This is a countermeasure against the following threat:
 o  Clickjacking attacks

5.2.3. Client Authentication and Authorization

 As described in Section 3 (Security Features), clients are
 identified, authenticated, and authorized for several purposes, such
 as to:
 o  Collate requests to the same client,
 o  Indicate to the user that the client is recognized by the
    authorization server,
 o  Authorize access of clients to certain features on the
    authorization server or resource server, and
 o  Log a client identifier to log files for analysis or statistics.

Lodderstedt, et al. Informational [Page 59] RFC 6819 OAuth 2.0 Security January 2013

 Due to the different capabilities and characteristics of the
 different client types, there are different ways to support these
 objectives, which will be described in this section.  Authorization
 server providers should be aware of the security policy and
 deployment of a particular client and adapt its treatment
 accordingly.  For example, one approach could be to treat all clients
 as less trustworthy and unsecure.  On the other extreme, a service
 provider could activate every client installation individually by an
 administrator and in that way gain confidence in the identity of the
 software package and the security of the environment in which the
 client is installed.  There are several approaches in between.

5.2.3.1. Don't Issue Secrets to Clients with Inappropriate Security

        Policy
 Authorization servers should not issue secrets to clients that cannot
 protect secrets ("public" clients).  This reduces the probability of
 the server treating the client as strongly authenticated.
 For example, it is of limited benefit to create a single client id
 and secret that are shared by all installations of a native
 application.  Such a scenario requires that this secret must be
 transmitted from the developer via the respective distribution
 channel, e.g., an application market, to all installations of the
 application on end-user devices.  A secret, burned into the source
 code of the application or an associated resource bundle, is not
 protected from reverse engineering.  Secondly, such secrets cannot be
 revoked, since this would immediately put all installations out of
 work.  Moreover, since the authorization server cannot really trust
 the client's identifier, it would be dangerous to indicate to end
 users the trustworthiness of the client.
 There are other ways to achieve a reasonable security level, as
 described in the following sections.

5.2.3.2. Require User Consent for Public Clients without Secret

 Authorization servers should not allow automatic authorization for
 public clients.  The authorization server may issue an individual
 client id but should require that all authorizations are approved by
 the end user.  For clients without secrets, this is a countermeasure
 against the following threat:
 o  Impersonation of public client applications.

Lodderstedt, et al. Informational [Page 60] RFC 6819 OAuth 2.0 Security January 2013

5.2.3.3. Issue a "client_id" Only in Combination with "redirect_uri"

 The authorization server may issue a "client_id" and bind the
 "client_id" to a certain pre-configured "redirect_uri".  Any
 authorization request with another redirect URI is refused
 automatically.  Alternatively, the authorization server should not
 accept any dynamic redirect URI for such a "client_id" and instead
 should always redirect to the well-known pre-configured redirect URI.
 This is a countermeasure for clients without secrets against the
 following threats:
 o  Cross-site scripting attacks
 o  Impersonation of public client applications

5.2.3.4. Issue Installation-Specific Client Secrets

 An authorization server may issue separate client identifiers and
 corresponding secrets to the different installations of a particular
 client (i.e., software package).  The effect of such an approach
 would be to turn otherwise "public" clients back into "confidential"
 clients.
 For web applications, this could mean creating one "client_id" and
 "client_secret" for each web site on which a software package is
 installed.  So, the provider of that particular site could request a
 client id and secret from the authorization server during the setup
 of the web site.  This would also allow the validation of some of the
 properties of that web site, such as redirect URI, web site URL, and
 whatever else proves useful.  The web site provider has to ensure the
 security of the client secret on the site.
 For native applications, things are more complicated because every
 copy of a particular application on any device is a different
 installation.  Installation-specific secrets in this scenario will
 require obtaining a "client_id" and "client_secret" either
 1.  during the download process from the application market, or
 2.  during installation on the device.
 Either approach will require an automated mechanism for issuing
 client ids and secrets, which is currently not defined by OAuth.
 The first approach would allow the achievement of a certain level of
 trust in the authenticity of the application, whereas the second
 option only allows the authentication of the installation but not the
 validation of properties of the client.  But this would at least help

Lodderstedt, et al. Informational [Page 61] RFC 6819 OAuth 2.0 Security January 2013

 to prevent several replay attacks.  Moreover, installation-specific
 "client_ids" and secrets allow the selective revocation of all
 refresh tokens of a specific installation at once.

5.2.3.5. Validate Pre-Registered "redirect_uri"

 An authorization server should require all clients to register their
 "redirect_uri", and the "redirect_uri" should be the full URI as
 defined in [RFC6749].  The way that this registration is performed is
 out of scope of this document.  As per the core spec, every actual
 redirect URI sent with the respective "client_id" to the end-user
 authorization endpoint must match the registered redirect URI.  Where
 it does not match, the authorization server should assume that the
 inbound GET request has been sent by an attacker and refuse it.
 Note: The authorization server should not redirect the user agent
 back to the redirect URI of such an authorization request.
 Validating the pre-registered "redirect_uri" is a countermeasure
 against the following threats:
 o  Authorization "code" leakage through counterfeit web site: allows
    authorization servers to detect attack attempts after the first
    redirect to an end-user authorization endpoint (Section 4.4.1.7).
 o  Open redirector attack via a client redirection endpoint
    (Section 4.1.5).
 o  Open redirector phishing attack via an authorization server
    redirection endpoint (Section 4.2.4).
 The underlying assumption of this measure is that an attacker will
 need to use another redirect URI in order to get access to the
 authorization "code".  Deployments might consider the possibility of
 an attacker using spoofing attacks to a victim's device to circumvent
 this security measure.
 Note: Pre-registering clients might not scale in some deployments
 (manual process) or require dynamic client registration (not
 specified yet).  With the lack of dynamic client registration, a
 pre-registered "redirect_uri" only works for clients bound to certain
 deployments at development/configuration time.  As soon as dynamic
 resource server discovery is required, the pre-registered
 "redirect_uri" may no longer be feasible.

Lodderstedt, et al. Informational [Page 62] RFC 6819 OAuth 2.0 Security January 2013

5.2.3.6. Revoke Client Secrets

 An authorization server may revoke a client's secret in order to
 prevent abuse of a revealed secret.
 Note: This measure will immediately invalidate any authorization
 "code" or refresh token issued to the respective client.  This might
 unintentionally impact client identifiers and secrets used across
 multiple deployments of a particular native or web application.
 This a countermeasure against:
 o  Abuse of revealed client secrets for private clients

5.2.3.7. Use Strong Client Authentication (e.g., client_assertion/

        client_token)
 By using an alternative form of authentication such as client
 assertion [OAuth-ASSERTIONS], the need to distribute a
 "client_secret" is eliminated.  This may require the use of a secure
 private key store or other supplemental authentication system as
 specified by the client assertion issuer in its authentication
 process.

5.2.4. End-User Authorization

 This section includes considerations for authorization flows
 involving the end user.

5.2.4.1. Automatic Processing of Repeated Authorizations Requires

        Client Validation
 Authorization servers should NOT automatically process repeat
 authorizations where the client is not authenticated through a client
 secret or some other authentication mechanism such as a signed
 authentication assertion certificate (Section 5.2.3.7) or validation
 of a pre-registered redirect URI (Section 5.2.3.5).

5.2.4.2. Informed Decisions Based on Transparency

 The authorization server should clearly explain to the end user what
 happens in the authorization process and what the consequences are.
 For example, the user should understand what access he is about to
 grant to which client for what duration.  It should also be obvious
 to the user whether the server is able to reliably certify certain
 client properties (web site URL, security policy).

Lodderstedt, et al. Informational [Page 63] RFC 6819 OAuth 2.0 Security January 2013

5.2.4.3. Validation of Client Properties by End User

 In the authorization process, the user is typically asked to approve
 a client's request for authorization.  This is an important security
 mechanism by itself because the end user can be involved in the
 validation of client properties, such as whether the client name
 known to the authorization server fits the name of the web site or
 the application the end user is using.  This measure is especially
 helpful in situations where the authorization server is unable to
 authenticate the client.  It is a countermeasure against:
 o  A malicious application
 o  A client application masquerading as another client

5.2.4.4. Binding of Authorization "code" to "client_id"

 The authorization server should bind every authorization "code" to
 the id of the respective client that initiated the end-user
 authorization process.  This measure is a countermeasure against:
 o  Replay of authorization "codes" with different client credentials,
    since an attacker cannot use another "client_id" to exchange an
    authorization "code" into a token
 o  Online guessing of authorization "codes"
 Note: This binding should be protected from unauthorized
 modifications (e.g., using protected memory and/or a secure
 database).

5.2.4.5. Binding of Authorization "code" to "redirect_uri"

 The authorization server should be able to bind every authorization
 "code" to the actual redirect URI used as the redirect target of the
 client in the end-user authorization process.  This binding should be
 validated when the client attempts to exchange the respective
 authorization "code" for an access token.  This measure is a
 countermeasure against authorization "code" leakage through
 counterfeit web sites, since an attacker cannot use another redirect
 URI to exchange an authorization "code" into a token.

Lodderstedt, et al. Informational [Page 64] RFC 6819 OAuth 2.0 Security January 2013

5.3. Client App Security

 This section deals with considerations for client applications.

5.3.1. Don't Store Credentials in Code or Resources Bundled with

      Software Packages
 Because of the number of copies of client software, there is limited
 benefit in creating a single client id and secret that is shared by
 all installations of an application.  Such an application by itself
 would be considered a "public" client, as it cannot be presumed to be
 able to keep client secrets.  A secret, burned into the source code
 of the application or an associated resource bundle, cannot be
 protected from reverse engineering.  Secondly, such secrets cannot be
 revoked, since this would immediately put all installations out of
 work.  Moreover, since the authorization server cannot really trust
 the client's identifier, it would be dangerous to indicate to end
 users the trustworthiness of the client.

5.3.2. Use Standard Web Server Protection Measures (for Config Files

      and Databases)
 Use standard web server protection and configuration measures to
 protect the integrity of the server, databases, configuration files,
 and other operational components of the server.

5.3.3. Store Secrets in Secure Storage

 There are different ways to store secrets of all kinds (tokens,
 client secrets) securely on a device or server.
 Most multi-user operating systems segregate the personal storage of
 different system users.  Moreover, most modern smartphone operating
 systems even support the storage of application-specific data in
 separate areas of file systems and protect the data from access by
 other applications.  Additionally, applications can implement
 confidential data by using a user-supplied secret, such as a PIN or
 password.
 Another option is to swap refresh token storage to a trusted backend
 server.  This option in turn requires a resilient authentication
 mechanism between the client and backend server.  Note: Applications
 should ensure that confidential data is kept confidential even after
 reading from secure storage, which typically means keeping this data
 in the local memory of the application.

Lodderstedt, et al. Informational [Page 65] RFC 6819 OAuth 2.0 Security January 2013

5.3.4. Utilize Device Lock to Prevent Unauthorized Device Access

 On a typical modern phone, there are many "device lock" options that
 can be utilized to provide additional protection when a device is
 stolen or misplaced.  These include PINs, passwords, and other
 biometric features such as "face recognition".  These are not equal
 in the level of security they provide.

5.3.5. Link the "state" Parameter to User Agent Session

 The "state" parameter is used to link client requests and prevent
 CSRF attacks, for example, attacks against the redirect URI.  An
 attacker could inject their own authorization "code" or access token,
 which can result in the client using an access token associated with
 the attacker's protected resources rather than the victim's (e.g.,
 save the victim's bank account information to a protected resource
 controlled by the attacker).
 The client should utilize the "state" request parameter to send the
 authorization server a value that binds the request to the user
 agent's authenticated state (e.g., a hash of the session cookie used
 to authenticate the user agent) when making an authorization request.
 Once authorization has been obtained from the end user, the
 authorization server redirects the end-user's user agent back to the
 client with the required binding value contained in the "state"
 parameter.
 The binding value enables the client to verify the validity of the
 request by matching the binding value to the user agent's
 authenticated state.

5.4. Resource Servers

 The following section details security considerations for resource
 servers.

5.4.1. Authorization Headers

 Authorization headers are recognized and specially treated by HTTP
 proxies and servers.  Thus, the usage of such headers for sending
 access tokens to resource servers reduces the likelihood of leakage
 or unintended storage of authenticated requests in general, and
 especially Authorization headers.

Lodderstedt, et al. Informational [Page 66] RFC 6819 OAuth 2.0 Security January 2013

5.4.2. Authenticated Requests

 An authorization server may bind tokens to a certain client
 identifier and enable resource servers to validate that association
 on resource access.  This will require the resource server to
 authenticate the originator of a request as the legitimate owner of a
 particular token.  There are several options to implement this
 countermeasure:
 o  The authorization server may associate the client identifier with
    the token (either internally or in the payload of a self-contained
    token).  The client then uses client certificate-based HTTP
    authentication on the resource server's endpoint to authenticate
    its identity, and the resource server validates the name with the
    name referenced by the token.
 o  Same as the option above, but the client uses his private key to
    sign the request to the resource server (the public key is either
    contained in the token or sent along with the request).
 o  Alternatively, the authorization server may issue a token-bound
    key, which the client uses in a Holder-of-Key proof to
    authenticate the client's use of the token.  The resource server
    obtains the secret directly from the authorization server, or the
    secret is contained in an encrypted section of the token.  In that
    way, the resource server does not "know" the client but is able to
    validate whether the authorization server issued the token to that
    client.
 Authenticated requests are a countermeasure against abuse of tokens
 by counterfeit resource servers.

5.4.3. Signed Requests

 A resource server may decide to accept signed requests only, either
 to replace transport-level security measures or to complement such
 measures.  Every signed request should be uniquely identifiable and
 should not be processed twice by the resource server.  This
 countermeasure helps to mitigate:
 o  modifications of the message and
 o  replay attempts

Lodderstedt, et al. Informational [Page 67] RFC 6819 OAuth 2.0 Security January 2013

5.5. A Word on User Interaction and User-Installed Apps

 OAuth, as a security protocol, is distinctive in that its flow
 usually involves significant user interaction, making the end user a
 part of the security model.  This creates some important difficulties
 in defending against some of the threats discussed above.  Some of
 these points have already been made, but it's worth repeating and
 highlighting them here.
 o  End users must understand what they are being asked to approve
    (see Section 5.2.4.2).  Users often do not have the expertise to
    understand the ramifications of saying "yes" to an authorization
    request and are likely not to be able to see subtle differences in
    the wording of requests.  Malicious software can confuse the user,
    tricking the user into approving almost anything.
 o  End-user devices are prone to software compromise.  This has been
    a long-standing problem, with frequent attacks on web browsers and
    other parts of the user's system.  But with the increasing
    popularity of user-installed "apps", the threat posed by
    compromised or malicious end-user software is very strong and is
    one that is very difficult to mitigate.
 o  Be aware that users will demand to install and run such apps, and
    that compromised or malicious ones can steal credentials at many
    points in the data flow.  They can intercept the very user login
    credentials that OAuth is designed to protect.  They can request
    authorization far beyond what they have led the user to understand
    and approve.  They can automate a response on behalf of the user,
    hiding the whole process.  No solution is offered here, because
    none is known; this remains in the space between better security
    and better usability.
 o  Addressing these issues by restricting the use of user-installed
    software may be practical in some limited environments and can be
    used as a countermeasure in those cases.  Such restrictions are
    not practical in the general case, and mechanisms for after-the-
    fact recovery should be in place.
 o  While end users are mostly incapable of properly vetting
    applications they load onto their devices, those who deploy
    authorization servers might have tools at their disposal to
    mitigate malicious clients.  For example, a well-run authorization
    server must only assert client properties to the end user it is
    effectively capable of validating, explicitly point out which
    properties it cannot validate, and indicate to the end user the
    risk associated with granting access to the particular client.

Lodderstedt, et al. Informational [Page 68] RFC 6819 OAuth 2.0 Security January 2013

6. Acknowledgements

 We would like to thank Stephen Farrell, Barry Leiba, Hui-Lan Lu,
 Francisco Corella, Peifung E. Lam, Shane B. Weeden, Skylar Woodward,
 Niv Steingarten, Tim Bray, and James H. Manger for their comments and
 contributions.

7. References

7.1. Normative References

 [RFC6749]  Hardt, D., "The OAuth 2.0 Authorization Framework",
            RFC 6749, October 2012.
 [RFC6750]  Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
            Framework: Bearer Token Usage", RFC 6750, October 2012.

7.2. Informative References

 [Framebusting]
            Rydstedt, G., Bursztein, Boneh, D., and C. Jackson,
            "Busting Frame Busting: a Study of Clickjacking
            Vulnerabilities on Popular Sites", IEEE 3rd Web 2.0
            Security and Privacy Workshop, May 2010, <http://elie.im/
            publication/busting-frame-busting-a-study-of-
            clickjacking-vulnerabilities-on-popular-sites>.
 [IMEI]     3GPP, "International Mobile station Equipment Identities
            (IMEI)", 3GPP TS 22.016 11.0.0, September 2012,
            <http://www.3gpp.org/ftp/Specs/html-info/22016.htm>.
 [OASIS.saml-core-2.0-os]
            Cantor, S., Ed., Kemp, J., Ed., Philpott, R., Ed., and E.
            Maler, Ed., "Assertions and Protocols for the OASIS
            Security Assertion Markup Language (SAML) V2.0", OASIS
            Standard saml-core-2.0-os, March 2005,
            <http://docs.oasis-open.org/security/saml/
            v2.0/saml-core-2.0-os.pdf>.
 [OASIS.sstc-saml-bindings-1.1]
            Maler, E., Ed., Mishra, P., Ed., and R. Philpott, Ed.,
            "Bindings and Profiles for the OASIS Security Assertion
            Markup Language (SAML) V1.1", September 2003,
            <http://www.oasis-open.org/committees/download.php/3405/
            oasis-sstc-saml-bindings-1.1.pdf>.

Lodderstedt, et al. Informational [Page 69] RFC 6819 OAuth 2.0 Security January 2013

 [OASIS.sstc-sec-analysis-response-01]
            Linn, J., Ed., and P. Mishra, Ed., "SSTC Response to
            "Security Analysis of the SAML Single Sign-on Browser/
            Artifact Profile"", January 2005,
            <http://www.oasis-open.org/committees/download.php/
            11191/sstc-gross-sec-analysis-response-01.pdf>.
 [OAuth-ASSERTIONS]
            Campbell, B., Mortimore, C., Jones, M., and Y. Goland,
            "Assertion Framework for OAuth 2.0", Work in Progress,
            December 2012.
 [OAuth-HTTP-MAC]
            Richer, J., Ed., Mills, W., Ed., and H. Tschofenig, Ed.,
            "OAuth 2.0 Message Authentication Code (MAC) Tokens", Work
            in Progress, November 2012.
 [OAuth-JWT]
            Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
            (JWT)", Work in Progress, December 2012.
 [OAuth-REVOCATION]
            Lodderstedt, T., Ed., Dronia, S., and M. Scurtescu, "Token
            Revocation", Work in Progress, November 2012.
 [OPENID]   "OpenID Foundation Home Page", <http://openid.net/>.
 [OWASP]    "Open Web Application Security Project Home Page",
            <https://www.owasp.org/>.
 [Portable-Contacts]
            Smarr, J., "Portable Contacts 1.0 Draft C", August 2008,
            <http://portablecontacts.net/>.
 [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
            Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
            Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
 [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
 [RFC4086]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness
            Requirements for Security", BCP 106, RFC 4086, June 2005.
 [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
            Kerberos Network Authentication Service (V5)", RFC 4120,
            July 2005.

Lodderstedt, et al. Informational [Page 70] RFC 6819 OAuth 2.0 Security January 2013

 [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
            Internet Protocol", RFC 4301, December 2005.
 [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
            (TLS) Protocol Version 1.2", RFC 5246, August 2008.
 [SSL-Latency]
            Sissel, J., Ed., "SSL handshake latency and HTTPS
            optimizations", June 2010.
 [Sec-Analysis]
            Gross, T., "Security Analysis of the SAML Single Sign-on
            Browser/Artifact Profile", 19th Annual Computer Security
            Applications Conference, Las Vegas, December 2003.
 [X-Frame-Options]
            Ross, D. and T. Gondrom, "HTTP Header X-Frame-Options",
            Work in Progress, October 2012.
 [iFrame]   World Wide Web Consortium, "Frames in HTML documents",
            W3C HTML 4.01, December 1999,
            <http://www.w3.org/TR/html4/present/frames.html#h-16.5>.

Authors' Addresses

 Torsten Lodderstedt (editor)
 Deutsche Telekom AG
 EMail: torsten@lodderstedt.net
 Mark McGloin
 IBM
 EMail: mark.mcgloin@ie.ibm.com
 Phil Hunt
 Oracle Corporation
 EMail: phil.hunt@yahoo.com

Lodderstedt, et al. Informational [Page 71]

/data/webs/external/dokuwiki/data/pages/rfc/rfc6819.txt · Last modified: 2013/01/07 21:17 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki