Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Q&A

Welcome to the Power Users community on Codidact!

Power Users is a Q&A site for questions about the usage of computer software and hardware. We are still a small site and would like to grow, so please consider joining our community. We are looking forward to your questions and answers; they are the building blocks of a repository of knowledge we are building together.

Comments on Understanding OAuth(2) security: what's a realistic threat model?

Post

Understanding OAuth(2) security: what's a realistic threat model?

+4
−0

Suppose I want to use some functionality on foo.com which requires associating my activity with me specifically - for example, posting on a forum, or playing some games and having the site keep track of my wins and losses. Rather than creating a site-specific account or trying to track me by IP, foo.com offers me an option to "authenticate with bar.com", which uses OAuth or OAuth2. I do already have an account at bar.com.

  • If I am not already logged in at bar.com, I should always log in separately before attempting to authenticate, correct? There is no way that foo.com can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?

  • Similarly, if I believe I'm logged in at bar.com already, but trying the foo.com authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?

  • Supposing I am not asked for credentials - how can I verify that I have been properly redirected through bar.com to give permission for authentication?

  • When I give bar.com permission to authenticate me to foo.com, how do I know that this won't compromise my bar.com login? What information is actually communicated per the OAuth protocol?

  • When I give such permission, typically bar.com will warn me that foo.com wants permission to access (or know) certain information about my bar.com account. How can I be sure that only that information is being transmitted?

  • Could foo.com ever gain the ability to modify my bar.com account information?

  • Could it happen that the authentication appears to just work without me giving consent on a bar.com interstitial? If that happened, what should I do?

History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.
Why should this post be closed?

1 comment thread

Threat to operator (2 comments)
Threat to operator
matthewsnyder‭ wrote 5 months ago · edited 5 months ago

This question focuses on threat to the user, which seems apt on a site called Power Users.

But I think what drives 3rd party auth adoption is not the threat to the user, but threat to the operator. After outsourcing the auth to another entity, and making it obvious through branded login pages, they get to shift the blame for any security problems on the 3rd party. They also get to deflect any tough audits on security. The third party has already put in the work of building their brand to the point that nobody questions how secure they are. Even if they do get hacked, you wouldn't be blamed for contracting them as your auth provider, because how could you have known?

I still think it's interesting to ask about the user's threat model, though.

Karl Knechtel‭ wrote 5 months ago

I think that's worth writing up in an answer, actually.