Threats

In my head, there are three main threats, though the OAuth 2 RFC has a whole chapter on the topic. Your questions deal mostly with one of them and slightly with another.

Fake login page

You asked some great questions on this. There are several ways^[1][2] (not comprehensive) that people are tricked into providing bar.com credentials, but with care you can avoid them.

Granting more access than expected

OAuth 2 has "scopes" for authorizing specific access to or actions on bar.com. A malicious foo.com may ask for more data on you than it strictly needs. This is similar to the old days of Android permissions: "Why does a flashlight app need to read my emails?"

Identity sharing

Both sites now know that you're a member of the other. This is not necessarily more dangerous than signing up with an email, and in some cases exactly equivalent: If bar.com is an email provider^[3] and you were already going to sign up on foo.com with that email, using OAuth probably isn't any worse. (Assuming foo.com sends you at least one email that is recognizable as originating from it.)

• If you don't want Microsoft to know that you have an account on embarrassingphotos.example.com, don't "Sign in with GitHub" to it.
• Also vice versa: Don't link accounts if you're worried foo.com will find all your public friends on bar.com and threaten to tell them your nefarious foo.com activity.

Questions

I skipped one of your questions that I think is a duplicate of another one. If you can articulate the difference, I can try to address it.

• If I am not already logged in at bar.com, I should always log in separately before attempting to authenticate, correct? There is no way that foo.com can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?

The login window is from bar.com. The foo.com site typically sends the current page or a new tab to bar.com to do the sign-in.^[2:1] You do need to make sure that it's not sending you to a lookalike URL,^[1:1] but the certificate should all be fine since it's completely the other site.

• Similarly, if I believe I'm logged in at bar.com already, but trying the foo.com authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?

That would certainly be fishy, but it's the same situation as above. You should be able to tell that you're on the right site by examining the certificate chain and verifying that it's not using lookalike characters^[1:2] in the domain.

• When I give bar.com permission to authenticate me to foo.com, how do I know that this won't compromise my bar.com login? What information is actually communicated per the OAuth protocol?

At no point are your credentials passed anywhere (except if you signed into bar.com to see the interstitial, and only bar.com gets those).

OAuth2 bolts some authorization on top of the authentication, which lets them also say "and here is the list of things my user says you can ask from their account and/or do to their account." In those cases, foo.com has to ask for the permissions, and bar.com shows them to you to grant or deny. Some sites may allow you to choose which things to grant. Some may just let you accept/reject the whole slate. If foo.com asks for things you didn't expect, maybe it's not a service you should trust.

The flow looks like this: foo.com opens a request in your browser to bar.com so your existing session is valid. It asks for the scopes it wants. If you approve the scopes in the interstitial, bar.com sends you back to foo.com with a short-lived code. Then, foo.com's backend issues a request with that code directly to bar.com so a user's browser, extensions, and network can't interfere with it. If bar.com agrees, it gives foo.com a longer-lived token.

• When I give such permission, typically bar.com will warn me that foo.com wants permission to access (or know) certain information about my bar.com account. How can I be sure that only that information is being transmitted?

You don't, really. You can make your own requesting site, though, and see that it really does only give you the things that you agreed to on bar.com.

Like any software, it can do all sorts of things, and they can be unsafe. And since it's a website, the software can change at any time. All of this is incumbent on bar.com not doing the wrong thing, though. None of it depends on foo.com (though you hope foo.com doesn't leak data either).

• Could foo.com ever gain the ability to modify my bar.com account information?

Yes. See above. Many sites issue permissions called "scopes" (that it asks you about, on first registration), to do things like load your profile picture or integrate with your calendar on bar.com. Or it can wait and ask (with a new interstitial) for permission to do that later, after your first registration.

• Could it happen that the authentication appears to just work without me giving consent on a bar.com interstitial? If that happened, what should I do?

I wouldn't expect that the first time, but as above: software can do anything, so bar.com could do that. After the first registration, yes, I'd expect it to bounce between foo -> bar -> foo when you load up a foo.com page, and do all that seamlessly without your input.

If it happened the first time you registered (or if you revoked foo.com access), I'd complain to the owners of bar.com. That would be a security hole in their site.

posted 7 months ago

CC BY-SA 4.0

4mo ago

Michael‭

204 reputation 6 8 25 33