
oauth2: allow access token validation for public clients #245

Closed
aeneasr opened this issue Sep 7, 2016 · 4 comments
Labels
feat New feature or request. help wanted We are looking for help on this one.
Comments

aeneasr (Member) commented Sep 7, 2016

As @ericalandouglas pointed out in Gitter, there is currently no way for public clients to validate access tokens or, at least, get the contents of the at_ext claim. There are a couple of reasons why this currently doesn't exist:

  1. Token introspection as per RFC 7662 does not allow unauthorized access.
  2. Warden validation is targeted at resource servers, which are always confidential and thus can authorize themselves.
  3. An unprotected token validation endpoint can lead to token scanning attacks, where an attacker tries out different tokens using dictionary or brute force attacks. This is the reason for disallowing unauthorized access to 1. and 2.

I checked out what Google, Amazon and GitHub are doing. This is a nice sum-up: http://stackoverflow.com/a/20010178

  • Google: https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=1/fFBGRNJru1FQd44AzqT3Zg
  • GitHub: GET /applications/:client_id/tokens/:access_token
  • Amazon: https://api.amazon.com/auth/O2/tokeninfo?access_token=Atza|IQEBLjAsAhRmHjNgHpi0U-Dme37rR6CuUpSR

I personally like the GitHub way, because it allows us to check if client id == audience. However, it looks like the big ones decided to go for tokeninfo.

I appreciate feedback on this.
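The GitHub-style rule preferred above (the caller must be the token's audience, and must authenticate first), written out as an added Go example; this is not Hydra's own code, and the `Claims` type, the in-memory token store and the `Introspect` function are constructed for illustration:

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Claims is the per-token metadata the issuer keeps (constructed for this
// example, not Hydra's real token model). Audience is the client_id the
// token was issued to; AtExt is the at_ext claim the reporter wants to read.
type Claims struct {
	Audience string
	Expiry   time.Time
	AtExt    map[string]string
}

// IntrospectionResponse follows the shape of an RFC 7662 response body.
type IntrospectionResponse struct {
	Active bool
	Aud    string
	Exp    int64
	AtExt  map[string]string
}

var ErrUnauthorized = errors.New("introspection requires an authenticated client")
// Introspect applies the GitHub-style rule: only an authenticated client may
// ask, and it only learns about tokens whose audience is itself. Unknown,
// expired and foreign tokens all collapse into {"active": false}, so the
// endpoint does not become an oracle for token scanning.
func Introspect(store map[string]Claims, callerID string, authenticated bool, token string, now time.Time) (IntrospectionResponse, error) {
	if !authenticated || callerID == "" {
		return IntrospectionResponse{}, ErrUnauthorized
	}
	c, ok := store[token]
	if !ok || !now.Before(c.Expiry) || c.Audience != callerID {
		return IntrospectionResponse{Active: false}, nil
	}
	return IntrospectionResponse{Active: true, Aud: c.Audience, Exp: c.Expiry.Unix(), AtExt: c.AtExt}, nil
}

func main() {
	now := time.Now()
	store := map[string]Claims{"tok-1": {Audience: "app-a", Expiry: now.Add(time.Hour), AtExt: map[string]string{"tier": "gold"}}}
	own, _ := Introspect(store, "app-a", true, "tok-1", now)
	foreign, _ := Introspect(store, "app-b", true, "tok-1", now)
	_, err := Introspect(store, "app-b", false, "tok-1", now)
	fmt.Printf("own: %+v\nforeign: %+v\nunauthenticated: %v\n", own, foreign, err)
}
```

A client other than the token's audience receives the same `{"active": false}` as it would for a non-existent token, which is what removes the scanning oracle.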

@aeneasr aeneasr added feat New feature or request. help wanted We are looking for help on this one. labels Sep 7, 2016
ericalandouglas (Contributor) commented Sep 8, 2016

Thanks for making this issue @arekkas. I like GitHub's way as well for the added security around audience verification, but Google/Amazon's way is sufficient. The at_ext claim is the only token claim I currently envision this endpoint returning, as I am not doing validation, just data introspection.

aeneasr (Member, Author) commented Sep 8, 2016

@ericalandouglas as you correctly suggested, this is a great place for OIDC, as you are only interested in metadata. I don't know why I didn't think of this before. I will still keep this issue open, just in case.

@aeneasr aeneasr added this to the unplanned milestone Sep 8, 2016
ericalandouglas (Contributor) commented
@arekkas that is correct. OIDC should be sufficient for my use cases, thanks for helping me figure all this out!

aeneasr (Member, Author) commented Sep 9, 2016

Actually, there is no standard way to validate access tokens with public clients without being at risk of token scanning. Therefore, I'll close this issue until someone comes along with a good use case and ideas on how to mitigate that risk.

@aeneasr aeneasr closed this as completed Sep 9, 2016