[WG-UMA] OAuth threat model and UMA issue #10

Domenico Catalano domenico.catalano at oracle.com
Mon Dec 10 13:06:33 EST 2012

here are my first comments about OAuth threat model applied to UMA spec.

1. On top of OAuth spec, UMA provides more scenarios, including person-to-person and person-to-org interactions, where the Requester (Client) interact with the host on behalf of the user which isn't the resource owner. 		
In these contexts,  for the "implicit flow" (4.4.2), where the redirect URI includes the access token in the URI fragment, the protocol can be exposed to threat, including leaking of tokens. For example, considering Alice as Authorizing User who defines a policy for sharing a resource with users (Requesting Party), which have > 18yo. A malicious user, (let's say Bob who is 18 years old) which is authorized to access to a resource,  can obtains the tokens and share it with unauthorized users (under 18). 

Are the bearer tokens suffice in this case?

2. In the UMA spec, do we need to explicit the use of "status" and "redirect_uri"  parameters into the request format? 
These two parameters are fundamental as countermeasures against threats respectively for phishing attacks and Cross-Site Request Forgery (CSRF) attacks.
We have defined these parameters for UMA OpenID claim profile.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/wg-uma/attachments/20121210/bf89ac28/attachment.html 

More information about the WG-UMA mailing list