Discovery / Security Considerations: CSRF attack on user input identifier

Issue #979 resolved

Vladimir Dzhuvinov created an issue 2015-08-25

I would like to propose a new section under 7. Security Considerations:

7.3 CSRF Attack On User Input Identifier

The RP MUST ensure that input of the Identifier used to commence OpenID Provider Issuer discovery is submitted by the legitimate End-User and protected from Cross-Site Request Forgery (CSRF) attacks.

An attacker may employ a CSRF attack to submit an Identifier chosen to resolve to an Issuer location and OpenID Provider Metadata document controlled by the attacker. The attacker may then return OpenID Provider Metadata pointing to the Client Registration Endpoint and Authorization Endpoint of a legitimate OP for the End-User while referring to a malicious Token Endpoint in order to steal the authorization grant and client credentials of the RP.

This proposal was prompted by a paper that was published last week:

http://arxiv.org/pdf/1508.04324.pdf

The paper has a number of problems, such as failing to clearly identify CSRF as the key issue and recommending measures for that. Anyway, the threat of CSRF is there and I think we should warn developers of this.

Comments (11)

Hans Zandbelt
In that case "Initiating Login from a Third Party" from the core spec (http://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin) to me seems mutually exclusive with Discovery under the same security considerations as you mention. That probably deserves to be documented/cautioned as well.
- 2015-08-25T18:21:30+00:00
John Bradley
It should be noted that clients using client_secret_jwt or private_key_jwt are not susceptible to this.
Per core Sec 9 they include the audience in the JWT. aud REQUIRED. Audience. The aud (audience) Claim. Value that identifies the Authorization Server as an intended audience. The Authorization Server MUST verify that it is an intended audience for the token. The Audience SHOULD be the URL of the Authorization Server's Token Endpoint.

The attacker can get the code by doing this but they cannot replay it against the token endpoint belonging to the registration server/authorization endpoint. It may be worth emphasizing why the token endpoint really needs to check that audience.
- 2015-09-01T00:20:17+00:00
Michael Jones
- assigned issue to
  
  John Bradley
This issue clearly needs discussion on the mailing list.
- 2015-09-01T00:44:00+00:00
Vladimir Dzhuvinov reporter
Copying my response to the mailing list:

~~#979~~ - Discovery / Security Considerations: CSRF attack on user input identifier We need to work out how to prevent MITM attacks against Dynamic Registration The attack is getting someone to talk to a bad token endpoint You don't know that you've registered at the right endpoint when you register This issue clearly needs discussion on the mailing list. One possible fix is to have registration return the token endpoint URL for a cross-check Mike points out that in multi-tenant environment, the issuer will vary by tenant We may want to look at how we're using the JWT token profile

Here is an alternative solution:

The RP (client) may be required to include the discovered Issuer URL in the client registration request. The OP can then check whether the RP has used a legitimate discovery endpoint, and if not deny registration.

I think this approach will fare better. The client is not required to do a cross check, which developers may forget to implement. OPs are more likely to get this right.
- 2015-09-01T07:43:34+00:00
Nat Sakimura
- changed status to open
assigned to John.
- 2015-09-14T23:39:06+00:00
Nat Sakimura
Being intensively discussed in IETF.
- 2016-02-04T15:34:34+00:00
Michael Jones
- assigned issue to
  
  Michael Jones
The attack is against the web form that the RP puts up for input of the user identifier. This web form needs to have CSRF protection. John said that this is done by a nonce and/or cookie.

We can add language saying that the input form must have CSRF protection.
- 2016-08-18T14:24:34+00:00
John Bradley
Possible xsrf reference https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
- 2016-08-18T14:28:04+00:00
Joseph Heenan
Mike mentioned this issue to me as he’s trying to wrap up all the errata issues.

The attack as described seems like it would be prevented by the ‘iss’ authorization response parameter, https://datatracker.ietf.org/doc/html/rfc9207

Although technically adding PAR into the mix reintroduces the issue.

‌

‌

As Mike/John commented above, adding a sentence to the web finger section along the lines “Any web input form needs to have CSRF protection, see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html” makes sense.

‌
- 2022-11-08T18:18:41+00:00
Michael Jones
Will be fixed by https://bitbucket.org/openid/connect/pull-requests/575
- 2023-07-19T01:55:15+00:00
Michael Jones
- changed status to resolved
Fixed by https://bitbucket.org/openid/connect/pull-requests/575
- 2023-07-28T22:49:45+00:00
Log in to comment

Assignee: Michael Jones

Type: proposal

Priority: major

Status: resolved

Component: Discovery

Milestone: Errata

Version: –

Votes: 0

Watchers: 0