A Truckload of OAuth Issues That Would Make Any Author Quit

New submitter DeFender1031 writes "Several months ago, when Eran Hammer ragequit the OAuth project, many people thought he was simply being overly dramatic, given that he gave only vague indications of what went wrong. Since then, and despite that, many companies have been switching to OAuth, citing it as a 'superior form of secure authentication.' But a fresh and objective look at the protocol highlights the significant design flaws in the system and sheds some light on what might have led to its creator's departure."

Get out the duct tape

[sl4shd0rk]

*sigh* "conflict between the web and the enterprise worlds." is another way of saying users complained when not given an option to aim at their foot.

Re:Get out the duct tape

[jhoegl]

I stopped reading at "There is no standard".
Computers run on standards, there is no excuse for this.

Re:host troll

[thelovebus]

What are you talking about? The original submitter? Eran Hammer? The blog being linked to?

I honestly don't know what you're referring to -- could you explain for those of us who are out of the loop?

Re:host troll

What are you talking about?

Genius

[Synerg1y]

Step one: Make digital card game.
Step two: Print cards and sell them.
Step three: Profit more from WOW.

Re:Genius

[GLowder]

Step four: suddenly realize you posted under wrong article

Re:Genius

[Synerg1y]

So I did :)

Re:host troll

[EvanED]

I think it's a complaint about (and I hesitate to link to it) this post which keeps showing up story after story.

totally secure == powered off

[mt1955]

OAuth is ugly to implement, no argument there.

Most of the points made in the article were interesting and seemed valid to me but near the conclusion it felt like the author was reaching bit by ignoring the refresh token concept to make the final point.

The threat of a hacked browser was a bit of an eye opener for me -- never heard that one brought up as a possibility while working on an OAuth implementation for a client.

Re:totally secure == powered off

[kldavis4]

I agree about the hacked browser. I think one of the main arguments by Eran against OAuth2 is that it is basically broken for mobile applications (non-web) and this is just another of the ways it is broken.

Re:totally secure == powered off

[silas_moeckel]

If you have hacked the browser or machine you have an issue. For the browser there are a slew of API's dependent on OS that let there be separation so that a browser exploit is limited to allowing authentication while that browser remains open but never exposes the base digital certificates. Smart cards take that further by never exposing the private key to anybody.

As to AUPI vs API oauth was never meant to be a end all and be all of authentication. Designing something to let arbitrary systems share data with fine grained arbitrary controls is a huge project that has not really been done well by anybody yet.

Re:totally secure == powered off

[DeFender1031]

You miss the point. He says to have the user create separate passwords from the primary one, with restricted permissions, and give a different managed password to each application. That way, if the application misbehaves, the user themselves can remove that password without having to affect anything else.

Re:totally secure == powered off

You idiot. there is no creating accounts with separate permissions. thats exactly why oauth was created. any account you create for the vast majority of sites would have the same permissions as any other account. this is assuming you can even create multiple accounts for the same data.

Re:totally secure == powered off

[hazah]

Before you call others "idiot" perhaps you should actually understand what they're saying, idiot.

Re:totally secure == powered off

is that a recursive insult

Re:totally secure == powered off

[hazah]

Nope.

Re:totally secure == powered off

[DeFender1031]

Again, you miss the point. The point isn't separate accounts. The point is, you have a user account, say "JoeCool", and a password, say "12345". Your system allows Joe, when logged in under that password, to create a secondary password, 67890 which, when logged in with, only allows limited access. Joe can then give "67890" as a password a third-party application, which will then have only limited access. If the application misbehaves, Joe can remove the "67890" password, thus locking out the malicious application while keeping his primary password secure, along with any other secondary passwords he's generated for other applications. That's the system being described and that's a system which would avoid a heck of a lot of headache.

And I'd appreciate not being called names by someone who hasn't even taken the time to understand what's being said.

Re:totally secure == powered off

[Xeger]

A separate password for each application, is exactly what an OAuth refresh token is. The user is free to revoke the corresponding grant at any time.

Re:totally secure == powered off

[DeFender1031]

True that's exactly what it is but with a lot of cruft surrounding it as well. It requires a web browser to facilitate the connection, rather than the user just copying a password to wherever it's needed, it requires that the third-party application which wants to authenticate needs its own domain and its own server, instead of just being able to be a standalone application which can authenticate directly. Because of this, it's just a mess of a system. What the author is suggesting is to leave the part of it that's based on a solid security foundation intact, (the part that says "separate keys for each application with limited access") but remove all of the insanity around it that adds no extra security and just serves to confuse the issue and limit its usability.

Re:totally secure == powered off

But that's what they're saying. OAuth => you don't type a password. If you want to deal with application-specific or tiered passwords, then that's fine (and necessary for services that don't support OAuth), but it's unrelated to the OAuth conversation as far as I can tell.

Re:Adblock INFERIOR to custom HOST file ... apk

Can a hosts file block apk's posts, though?

WTF was that?

[antifoidulus]

The authors biggest complaint about OAuth is that it doesn't do what it was never designed to do....and this is a problem because....? It was never designed for enterprise-level permissions management(there are plenty of other solutions for that). And his solution(copying and pasting tokens) is worse than the disease. It would be easier to go phishing with copied and pasted tokens than it is with OAuth where the login is automatic and tokens/applications can be revoked by the site that manages the account....

I think someone is just bitter and decided to take it out on a protocol.

Re:WTF was that?

I think the key point of the article is the first part, the "APUI" section. OAuth is "fine" when used for authentication by a user for a service based on a web browser. However, it is increasingly being applied at the "API" level (where services and applications interact, not users). It doesn't work _at all_ at this level.

I agree that the enterprise level permissions bit is pushing things, but the rest of the article is spot on.

Re:WTF was that?

The authors biggest complaint about OAuth is that it doesn't do what it was never designed to do....and this is a problem because....?

Because people are, with great gusto, actually using it for what it was never designed to do.

Re:WTF was that?

wrong api works fine. I use it with google apis. once user grants auth, you can call their apis without any user interaction when their not even logged in. it all depends upon the permissions they grant you.

Re:WTF was that?

[Trails]

Actually two-legged OAuth is pretty straightforward and works just fine for me

Re:WTF was that?

Correct but you have to allow the user to auth directly with the service first which sucks from an iOS or Android app.

Thats what is meant by API. It requires a browser to instantiate the connection.

Last Post

[History's+Coming+To]

That's it, I've had enough. It's easy enough to filter this kind of crap out, but /. just don't seem to bother. Yes, I could simply browse at a higher level, but I've usually got mod points and browse at -1 as suggested for very good reasons. But if /. aren't prepared to deal with the most basic levels of spamming then I can't be bothered helping them out any more. Email address deleted, password changed to a long random string that I don't know, sig changed to indicate account has been deleted. Bye everyone, most of the last decade or so has been fun, but frankly, I quit.

Re:Last Post

That's it, I've had enough. It's easy enough to filter this kind of crap out, but /. just don't seem to bother. Yes, I could simply browse at a higher level, but I've usually got mod points and browse at -1 as suggested for very good reasons. But if /. aren't prepared to deal with the most basic levels of spamming then I can't be bothered helping them out any more. Email address deleted, password changed to a long random string that I don't know, sig changed to indicate account has been deleted. Bye everyone, most of the last decade or so has been fun, but frankly, I quit.

Good to know. Weed out the thin-skinned people, I always say. People who don't actually understand how tricky a problem spam filtering really is, people who can't deal with the internet in general, people who feel the need to get on a soapbox and announce the significantly massive amounts of them not being around anymore everyone else is about to experience (ooo, how impressive and scary!). Sorry, who were you again and why do we care? I missed that part.

Re:Last Post

So basically what you're saying is that you've added yourself to the HOST file?

Re:Last Post

[noh8rz10]

bahahaha I can't believe this was downvoted.

Re:Last Post

[noh8rz10]

i thought the whole point of slashdot posts is that it was a free-for-all, self-moderated through the mod point / threshold approach. they also limit posting from people with low karma (not filtering by post content, but just quieting the low karma people). also, you can block ACs while not changing your viewing threshold. There are many options!

although personally I don't like the posting limits on low karma people. I think this encourages slashdot group-think, where if you speak up against whatever ideas are generally popular (android, google) or speak for unpopular peeps (MS, apple sometimes) you get downvoted and essentially shushed by low karma. This has frustrated me in the past.

tldr, don't give up hope! make a new id, filter reasonably, and enjoy!

Re:Last Post

Good riddens to you. Can't be bothered to browse at "0", throws a tantrum.

Re:Last Post

You should add Slashdot to your HOST file to keep yourself from coming back.

brain asplode!

[Thud457]

oh man, that incredible interminable list of responses is almost as funny as the original post. This is getting to be truly epic. If there were and admins around any more that gave a damn, expect some ham-handed attempt at anti-trolling code soon -- that'll fuck /. up ever further for everybody else.

Auth belongs in the browser

[jeremylichtman]

I've implemented sites that use a variety of third party authentication schemes. Its a nuisance for users (multiplicity of accounts, more insecure passwords to remember etc) and a nuisance for developers. Why are we still doing this? Authentication (and user profiles for that matter) belong in the user's browser. I'm not talking about Chrome's password wallet. I'm talking about a certificate-based system that allows the user to control from their end which sites are authenticated, and what data they should have access to. Sites would then implement a simple API (possibly combined with meta data on the front end to let the browser know details) that would allow for login, signing up, or changing particulars. The process could be made completely transparent for users. I have this partially implemented as an insecure proof of concept browser plugin. It wouldn't take too much work to get it running, although it really should be core browser functionality instead.

Re:Auth belongs in the browser

Are you a shill for Mozilla?

Re:Auth belongs in the browser

And while were at it we could store the auth in the browser and add an extra http field (X-Auth-Crenditials and X-Auth-Handler) that contains the username, auth handler, and session id secured with a crypto hash (hmac-sha256 with a noce).

Face it, auth left the browser when webforms and cookies entered the scene.

Re:Auth belongs in the browser

Hasn't this been tried with Information Card? It was an open standard with support from some big names (e.g. MS) and a huge amount of good work was done, but it seems to have died on its arse. Maybe you should look at why this failed.

Re:Auth belongs in the browser

[Lennie]

I don't know if he is a shill, but can you tell me what you don't like about BrowserID, that could be a lot more interresting discussion.

Re:Auth belongs in the browser

Microsoft LiveID for the win

Re:Auth belongs in the browser

lastpass.com FTW!

Re:Auth belongs in the browser

[jeremylichtman]

I'm not a shill for anyone. Hmm. Maybe for myself. BrowserID uses emails for authentication. Why do we even need to have that? What if you want to change your email address? And why should websites have your email address unless you want them to do so. What I had in mind was that users can create any number of profiles for themselves on their browser, each with flexible set of fields for things like their name, and each field having privacy options. They then can register that profile on a given website; view a list of sites that are authenticated against a given profile; change privacy options for any given field/website combination without going to the site; deregister from a site etc etc. The key is that everything would happen through some kind of negotiated and secure back-channel. Advantages include heightened privacy for users, the ability to have many profiles (each of them having some kind of unique identifying certificate) that can be used globally, and the ability to be able to manage their internet identity from their own end.

Re:Auth belongs in the browser

[jeremylichtman]

Something along these lines. The problem is that there's a proliferation of authentication schemes owned by various companies, and implemented in a scattershot fashion. What is really needed is a standard that can be implemented by many vendors, and that allows users to control their own data.

Re:Auth belongs in the browser

What is really needed is a standard that can be implemented by many vendors, and that allows users to control their own data.

That's exactly what Information Card was. It's an open standard with no fees. The big vendors gave patent guarantees. There were many interoperating implementations. And, surprisingly, it had a really nice user-focussed design putting users in control.

The federated identity aspects of the standard seem to have evolved into OpenID. Which is widely used, but all of the larger sites want to be identity providers rather than acceptors, so users still need multiple identities.

I'm not sure why the card stuff failed. Possibly because it ties identity to a single client device?

Re:Auth belongs in the browser

[Lennie]

I think this is their reasoning:

1. one of the reasons OpenID failed is because people did not associate website/webpage with identity, BrowserID uses an email address, which is already very directly associated with an identity by many people

2. email addresses are already used on many, many websites, because of password recovery. Even with Facebook Connect/oAuth people will take the email address from the identity provider and record it (yes, it is already provided in most situations !).

3. with current free email providers, you can create as many identies as you like. So your privacy problems could be handled that way.

Re:Auth belongs in the browser

[Lennie]

Anyway, you could also take a look at the recent presentation from Mozilla:

http://pyvideo.org/video/1764/beyond-passwords-secure-authentication-with-mozi-0

Fresh and objective?

I would call this neither "fresh" nor "objective".

The author rehashes some well known issues with the OAuth protocol - I assume OAuth 2.0, though he really should make the distinction explicit, makes some contradictory complaints - "Waah, it's too flexible! Waah, it's not flexible enough!", and recommends some simpler "solutions" that conveniently don't address the problems he raises at all.

OAuth 2.0 does not provide a plug-and-go interoperable protocol, and many people, including the original RFC editor Eran Hammer, regard that as a failure.
On the other hand, it provides a framework you can pick-and-choose from to create a perfectly decent authorization API, and it will likely be more sound and familiar to developers than if you had just winged it and created your own.

Re:Fresh and objective?

[sjames]

So it's a metastandard? Standards compliance really should imply inter-operability. If two implementations of a standard can both be certified as compliant and yet cannot communicate, the standard needs to be tightened or clarified. If that is not desired or if inter-operation isn't a goal, then it may be something, but it is not a standard and should not call itself one.

Re:host troll

His name is apk & he's been posting it for over 4 years. Here's one from 2009:

http://tech.slashdot.org/comments.pl?sid=1206409&cid=27661983

He keeps adding new stuff on so it keeps growing longer and longer as the years pass.

Re:host troll

[Spottywot]

His name is apk & he's been posting it for over 4 years. Here's one from 2009:

http://tech.slashdot.org/comments.pl?sid=1206409&cid=27661983

He keeps adding new stuff on so it keeps growing longer and longer as the years pass.

A bit like a Hosts file then? I hate trolls but I do admire that level of dedication.

Use TLS and stop being stupid

In 2013 the world still has a love affair with CHAP and assorted completely broke and useless authentication protocols. Any authentication protocol not cryptographically bound to the underlying transport is total crap yet at this very momement lots of people are hard at work inventing more useless crap.

The more fundemental problem is web doods who think they know shit about anything are the ones working on these schemes... god forbid they ever have to move outside of their comfort zone and understand something they did not invent (TLS). Instead we get layers upon layers of insecure garbage only semantically different than the garbage that came before it.

If you want external software to be able to identify you then use a goddamn client certificate
You know that old shit that has been around for decades. The only thing untrusted software vendors have to do is make sure their not vulnerable to CSRF. Getting some central authentication database to hand out pk12 files is trivial (and probably more secure than oauth) .. then importing these file directly into the browser of your choice ususally takes a few seconds.

With client certs there are no credentials for the "untrusted" entity to steal if they do this all they get is some assurance that you are who you say you are. The rest of it is unecessary scope creep. Untrusted entities interacting with other untrusted entities on your behalf is a receipe for untrusted disaster. Most of TFAs gripes are actually a failure to understand fundementals garbage in = garbage out not the fault of oauth for as crappy as oauth is.

Re:Adblock INFERIOR to custom HOST file ... apk

127.0.0.0 slashdot.org

Re:People say I'm overly dramatic about my HOST fi

[FatdogHaiku]

Not really but it always gets modded down to -1 so you might adjust your slashdot settings to hide -1 posts...

oAuth vs SAML 2.0

Dismissing mobile apps, and non-browser based apps....

I never really understood what oAuth brought to the table that SAML 2.0 did not. I've done several SAML integrations (from the IdP side), and was impressed with the ability to build a 1 size fits all, at least on the enterprise level.

Why the rush to oAuth and not SAML 2.0?

Exchange 2013 and OAuth

Exchange 2013 has moved to OAuth for server to server communication, ie, to Sharepoint, Lync, etc. I'm trying to wrap my head around what this guy is saying and how that has anything to do with the OAuth that is employed by the new Office Servers Suite from MS. Because like it or loath it, most companies use Exchange nowadays.

Re:Want to know WHY my post's downmodded?

shut up you stupid cock. Everyone knows you're wrong.

Re:Want to know WHY my post's downmodded?

Do you think you're responding to the real apk? Or do you think you're responding to a fake apk? Or do you even care?

Blogspot? Really?

[TwistedGreen]

Some guy's rant on Blogspot is news? I guess the "stuff that matters" tagline doesn't apply anymore...

Re:Blogspot? Really?

Some guy's rant on Blogspot is news? I guess the "stuff that matters" tagline doesn't apply anymore...

You must be new here.

Re:Blogspot? Really?

Dude is one of ZSNES codevs, I always thought that he has interesting insights.

This is a bad article

[ChaseTec]

The author makes no distinction between OAuth 1.0a and OAuth 2.0. One of the spec leads did rage quit, not because of how bad OAuth is in general but because of all the "enterprise" help in version 2.0. Saying there is no standard is also dumb, yes version 2.0 can suffer from incompatible implementations but version 1.0 is pretty straight forward, the standard is right here: http://tools.ietf.org/html/rfc5849. The suggestion that we should just stick to HTTP Basic Authentication over SSL/TLS shows that the author doesn't get OAuth. The whole point it that apps shouldn't have your passwords to do what you ask them. Passwords are insecure and we shouldn't be giving them to every single application that wants them no matter how useful the app. We need delegation and permission revoking.

Re:This is a bad article

The whole point it that apps shouldn't have your passwords to do what you ask them.

This is why god created X509 certificates back in the days when basic encoding rules were hip when dinousars and man cohabitated the earth.

Passwords are insecure and we shouldn't be giving them to every single application that wants them no matter how useful the app. We need delegation and permission revoking.

I think this line of thought is part of the problem.

Don't try for a complex horizontal solution instead punt concepts such as delegation and revocation to the application.

To use the calendar analogy if I want to grant x y and z permission to a b and c users then I need to tell my calendar my wishes with calendar specific details it understands. Ditto if I later change my mind.

It is hopeless to think you will be able to develop a solution to communicate these things in a common language that is not soo bloated nobody would be able to understand let alone implement it. This is about as productive as REST over HTTP in achiving any measure of horizontal reuse. The only reuse should be in the form of identifier specifications.

The key to system to system interaction is orchestration. I don't for example ever tell my calendar to go do something else to another system on my behalf. Either myself or a trusted agent with a certificate signature to prove my trust in the agent handles all system to system interaction.

Those people who see the need to grant system x to do 1, 2 and 3 to systems a b and c on my "behalf" have already failed. The resulting specification will simply be a reflection of that failure regardless of how smart the people writing it are.

Re:This is a bad article

[efalk]

Agreed.

Can anybody explain what's wrong with just using Oauth 1?

Native apps == insecure

[shirikodama]

I brought this up with the oauth working group and got snarled at by lots of people including Eran Hammer. It's nice to see that other people are noticing the same problems. When you have a native app, you can show the user anything to get their confidence, and with some work get their credentials, including apps with webview's. OAuth's security model was not designed with native apps in mind, it was designed for ~trustable web browsers. This isn't surprising because OAuth was designed before the current fad for native apps happened around 2006-2007 when the world was all browsers all the time.

Re:Native apps == insecure

[DeFender1031]

Exactly. And the people commenting that "you should never have a hacked browser" don't get that it's referring to native apps which embed a browser to mislead you rather than, say, a spyware-infested version of firefox. Of course you shouldn't have the latter, but for the former, anyone can make an app that imitates anything.

Re:Want to know WHY my post's downmodded?

I really don't care.

-same AC

Not complex; not broken; not meant for enterprise

[Xeger]

IMHO, the only legitimate points in this gentleman's post are: (1) a compromised browser defeats OAuth, and (2) OAuth isn't mobile-friendly because it requires browser interaction to gain user consent to grant access.

While both of these are true, Web browsers are ubiquitous; OAuth is a Web standard. You can abuse it slightly to make it work with mobile devices (see "access code grant") but really, it not was intended to be a be-all end-all authorization mechanism.

Likewise, claims that the protocol isn't "enterprise-friendly" are somewhat silly. OAuth was not intended for fine-grained authorization within an authentication or trust domain. It's for cross-domain (cross-application) grants, between unrelated apps, under the assumption that all three parties in the transaction are basically unrelated.

If an executive wants to delegate calendar permissions to his secretary, he should *just do it* by clicking a checkbox on Microsoft Outlook or whatever product they use for scheduling, which no doubt has its own rich permissions system and obviously has its own authentication mechanism. There's no need for a Web standard to facilitate this use case!

As for claims that "there is no standard" -- that's entirely true. There is a draft standard, which presumably will eventually be ratified by IETF once we have all had a chance to play with the technology and suggest improvements. Standards are not an item of worship; they're just a way to ensure that a protocol has had a reasonable degree of scrutiny, has no undisclosed patent encumbrances, etc. I've heard people accuse OAuth of being complex or flawed, but never fundametnally insecure.

Frankly, anyone who thinks the OAuth draft RFC is complex, should choose a dozen or so documents from the SAML protocol suite, relax in a hot bath, and read through several hundred pages of THAT claptrap. Then we can talk about complexity.

(Disclaimer: yes, I do read security standards in the bath, and I create toy implementations of security protocols and algorithms for fun. That probably makes me mentally ill.)

Re:Not complex; not broken; not meant for enterpri

[DeFender1031]

If people were only using OAuth for web-to-web communication, I don't think those issues would have been raised. But many of the big players have their "API"s based on it. Take a look at this thread on citrix's development site for example. Here, there's a service which is hardly web-based, pretty much the only thing web-based about it is that you join meetings by browsing to a URL, and yet the only authentication model they provide for their "API" is OAuth. This is wrong. It's not what OAuth was designed for. And yet it's what's being used. If people would stick to its intended purpose when using it, there would be no problem, but this is hardly the case.

Re:Not complex; not broken; not meant for enterpri

[manu0601]

Frankly, anyone who thinks the OAuth draft RFC is complex, should choose a dozen or so documents from the SAML protocol suite, relax in a hot bath, and read through several hundred pages of THAT claptrap.

Indeed the spec is huge, but it works extremely well. I must confess still do not understand why OAuth exists since we have SAML

Re:Want to know WHY my post's downmodded?

hey apk, why haven't you responded to the time cube/adware guy? He issued you a challenge and so far you have been silent as far as I've seen. I want to see the epic post war with gigabytes of bold text and random links! I demand satisfaction!

This is an old issue...

The problem of storing Application Key & Secret on the device initiating the protocol is the same with OAuth1 or Oauth2. Eran Hammer rant ware not about this at all. It's an old issue that can't really be fixed today. Check this out http://arstechnica.com/security/2010/09/twitter-a-case-study-on-how-to-do-oauth-wrong/