Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Q&A

Welcome to the Power Users community on Codidact!

Power Users is a Q&A site for questions about the usage of computer software and hardware. We are still a small site and would like to grow, so please consider joining our community. We are looking forward to your questions and answers; they are the building blocks of a repository of knowledge we are building together.

Post History

71%
+3 −0
Q&A Understanding OAuth(2) security: what's a realistic threat model?

Threats In my head, there are three main threats, though the OAuth 2 RFC has a whole chapter on the topic. Your questions deal mostly with one of them and slightly with another. Fake login page ...

posted 8mo ago by Michael‭  ·  edited 5mo ago by Michael‭

Answer
#8: Post edited by user avatar Michael‭ · 2024-07-17T16:35:40Z (5 months ago)
Reserve h1 semantic heading for system use
  • # Threats
  • In my head, there are three main threats, though [the OAuth 2 RFC has a whole chapter][rfc-threats] on the topic. Your questions deal mostly with one of them and slightly with another.
  • ### Fake login page
  • You asked some great questions on this. There are several ways[^lookalike][^popup] (not comprehensive) that people are tricked into providing `bar.com` credentials, but with care you can avoid them.
  • ### Granting more access than expected
  • OAuth 2 has ["scopes" for authorizing][rfc-scope] specific access to or actions on `bar.com`. A malicious `foo.com` may ask for more data on you than it strictly needs. This is similar to the old days of Android permissions: "Why does a flashlight app need to read my emails?"
  • ### Identity sharing
  • Both sites now know that you're a member of the other. This is not necessarily more dangerous than signing up with an email, and in some cases exactly equivalent: If `bar.com` is an email provider[^gmail] and you were already going to sign up on `foo.com` with that email, using OAuth probably isn't any worse. (Assuming `foo.com` sends you at least one email that is recognizable as originating from it.)
  • - If you don't want Microsoft to know that you have an account on `embarrassingphotos.example.com`, don't "Sign in with GitHub" to it.
  • - Also vice versa: Don't link accounts if you're worried `foo.com` will find all your public friends on `bar.com` and threaten to tell them your nefarious `foo.com` activity.
  • # Questions
  • I skipped one of your questions that I think is a duplicate of another one. If you can articulate the difference, I can try to address it.
  • > - If I am not already logged in at `bar.com`, I should always log in separately before attempting to authenticate, correct? There is no way that `foo.com` can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?
  • The login window is from `bar.com`. The `foo.com` site typically sends the current page or a new tab to `bar.com` to do the sign-in.[^popup] You do need to make sure that it's not sending you to a lookalike URL,[^lookalike] but the certificate should all be fine since it's completely the other site.
  • > - Similarly, if I believe I'm logged in at `bar.com` already, but trying the `foo.com` authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?
  • That would certainly be fishy, but it's the same situation as above. You _should_ be able to tell that you're on the right site by examining the certificate chain and verifying that it's not using lookalike characters[^lookalike] in the domain.
  • > - When I give `bar.com` permission to authenticate me to `foo.com`, how do I know that this won't compromise my `bar.com` login? What information is actually communicated per the OAuth protocol?
  • At no point are your credentials passed anywhere (except if you signed into `bar.com` to see the interstitial, and only `bar.com` gets those).
  • OAuth2 bolts some _authorization_ on top of the _authentication,_ which lets them also say "and here is the list of things my user says you can ask from their account and/or do to their account." In those cases, `foo.com` has to ask for the permissions, and `bar.com` shows them to you to grant or deny. Some sites may allow you to choose which things to grant. Some may just let you accept/reject the whole slate. If `foo.com` asks for things you didn't expect, maybe it's not a service you should trust.
  • The flow looks like this: `foo.com` opens a request in your browser to `bar.com` so your existing session is valid. It asks for the scopes it wants. If you approve the scopes in the interstitial, `bar.com` sends you back to `foo.com` with a short-lived code. Then, `foo.com`'s _backend_ issues a request with that code directly to `bar.com` so a user's browser, extensions, and network can't interfere with it. If `bar.com` agrees, it gives `foo.com` a longer-lived token.
  • > - When I give such permission, typically `bar.com` will warn me that `foo.com` wants permission to access (or know) certain information about my `bar.com` account. How can I be sure that only that information is being transmitted?
  • You don't, really. You can make your own requesting site, though, and see that it really does only give you the things that you agreed to on `bar.com`.
  • Like any software, it _can_ do all sorts of things, and they _can_ be unsafe. And since it's a website, the software can change at any time. All of this is incumbent on `bar.com` not doing the wrong thing, though. None of it depends on `foo.com` (though you hope `foo.com` doesn't leak data either).
  • > - Could `foo.com` ever gain the ability to modify my `bar.com` account information?
  • Yes. See above. Many sites issue permissions called "scopes" (that it asks _you_ about, on first registration), to do things like load your profile picture or integrate with your calendar on `bar.com`. Or it can wait and ask (with a new interstitial) for permission to do that later, after your first registration.
  • > - Could it happen that the authentication appears to just work without me giving consent on a `bar.com` interstitial? If that happened, what should I do?
  • I wouldn't expect that the first time, but as above: software _can_ do anything, so `bar.com` _could_ do that. After the first registration, yes, I'd expect it to bounce between `foo` -> `bar` -> `foo` when you load up a `foo.com` page, and do all that seamlessly without your input.
  • If it happened the first time you registered (or if you revoked `foo.com` access), I'd complain to the owners of `bar.com`. That would be a security hole in their site.
  • [^gmail]: I'm looking at you, GMail and Outlook.
  • [^popup]: Sometimes the requesting site opens a popup of `bar.com`, but I don't like that as much. It trains people to click the password field in **a picture that _looks like_ a popup,** complete with fake close buttons, etc., but isn't a popup at all. You can drag the popup out of the main window's frame to make sure it's not rendered by `foo.com`. (Attackers' creativity will never cease to amaze me.)
  • [^lookalike]: Lookalikes can be simple like `B4R.com` or use math or other-alphabet symbols that look the same as the characters in the "normal" trusted URL. Can you spot the Cyrillic letter in `bаr.com`? Many web browsers try to [Punycode][] those characters, but you still want to be careful. Another tactic is the sirnilarity between `rn` and `m`. Did you notice it in the last sentence or read right past it?
  • [rfc-threats]: https://www.rfc-editor.org/rfc/rfc6819#section-4
  • [rfc-scope]: https://www.rfc-editor.org/rfc/rfc6819#section-3.1.1
  • [punycode]: https://en.wikipedia.org/wiki/Punycode
  • ## Threats
  • In my head, there are three main threats, though [the OAuth 2 RFC has a whole chapter][rfc-threats] on the topic. Your questions deal mostly with one of them and slightly with another.
  • ### Fake login page
  • You asked some great questions on this. There are several ways[^lookalike][^popup] (not comprehensive) that people are tricked into providing `bar.com` credentials, but with care you can avoid them.
  • ### Granting more access than expected
  • OAuth 2 has ["scopes" for authorizing][rfc-scope] specific access to or actions on `bar.com`. A malicious `foo.com` may ask for more data on you than it strictly needs. This is similar to the old days of Android permissions: "Why does a flashlight app need to read my emails?"
  • ### Identity sharing
  • Both sites now know that you're a member of the other. This is not necessarily more dangerous than signing up with an email, and in some cases exactly equivalent: If `bar.com` is an email provider[^gmail] and you were already going to sign up on `foo.com` with that email, using OAuth probably isn't any worse. (Assuming `foo.com` sends you at least one email that is recognizable as originating from it.)
  • - If you don't want Microsoft to know that you have an account on `embarrassingphotos.example.com`, don't "Sign in with GitHub" to it.
  • - Also vice versa: Don't link accounts if you're worried `foo.com` will find all your public friends on `bar.com` and threaten to tell them your nefarious `foo.com` activity.
  • ## Questions
  • I skipped one of your questions that I think is a duplicate of another one. If you can articulate the difference, I can try to address it.
  • > - If I am not already logged in at `bar.com`, I should always log in separately before attempting to authenticate, correct? There is no way that `foo.com` can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?
  • The login window is from `bar.com`. The `foo.com` site typically sends the current page or a new tab to `bar.com` to do the sign-in.[^popup] You do need to make sure that it's not sending you to a lookalike URL,[^lookalike] but the certificate should all be fine since it's completely the other site.
  • > - Similarly, if I believe I'm logged in at `bar.com` already, but trying the `foo.com` authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?
  • That would certainly be fishy, but it's the same situation as above. You _should_ be able to tell that you're on the right site by examining the certificate chain and verifying that it's not using lookalike characters[^lookalike] in the domain.
  • > - When I give `bar.com` permission to authenticate me to `foo.com`, how do I know that this won't compromise my `bar.com` login? What information is actually communicated per the OAuth protocol?
  • At no point are your credentials passed anywhere (except if you signed into `bar.com` to see the interstitial, and only `bar.com` gets those).
  • OAuth2 bolts some _authorization_ on top of the _authentication,_ which lets them also say "and here is the list of things my user says you can ask from their account and/or do to their account." In those cases, `foo.com` has to ask for the permissions, and `bar.com` shows them to you to grant or deny. Some sites may allow you to choose which things to grant. Some may just let you accept/reject the whole slate. If `foo.com` asks for things you didn't expect, maybe it's not a service you should trust.
  • The flow looks like this: `foo.com` opens a request in your browser to `bar.com` so your existing session is valid. It asks for the scopes it wants. If you approve the scopes in the interstitial, `bar.com` sends you back to `foo.com` with a short-lived code. Then, `foo.com`'s _backend_ issues a request with that code directly to `bar.com` so a user's browser, extensions, and network can't interfere with it. If `bar.com` agrees, it gives `foo.com` a longer-lived token.
  • > - When I give such permission, typically `bar.com` will warn me that `foo.com` wants permission to access (or know) certain information about my `bar.com` account. How can I be sure that only that information is being transmitted?
  • You don't, really. You can make your own requesting site, though, and see that it really does only give you the things that you agreed to on `bar.com`.
  • Like any software, it _can_ do all sorts of things, and they _can_ be unsafe. And since it's a website, the software can change at any time. All of this is incumbent on `bar.com` not doing the wrong thing, though. None of it depends on `foo.com` (though you hope `foo.com` doesn't leak data either).
  • > - Could `foo.com` ever gain the ability to modify my `bar.com` account information?
  • Yes. See above. Many sites issue permissions called "scopes" (that it asks _you_ about, on first registration), to do things like load your profile picture or integrate with your calendar on `bar.com`. Or it can wait and ask (with a new interstitial) for permission to do that later, after your first registration.
  • > - Could it happen that the authentication appears to just work without me giving consent on a `bar.com` interstitial? If that happened, what should I do?
  • I wouldn't expect that the first time, but as above: software _can_ do anything, so `bar.com` _could_ do that. After the first registration, yes, I'd expect it to bounce between `foo` -> `bar` -> `foo` when you load up a `foo.com` page, and do all that seamlessly without your input.
  • If it happened the first time you registered (or if you revoked `foo.com` access), I'd complain to the owners of `bar.com`. That would be a security hole in their site.
  • [^gmail]: I'm looking at you, GMail and Outlook.
  • [^popup]: Sometimes the requesting site opens a popup of `bar.com`, but I don't like that as much. It trains people to click the password field in **a picture that _looks like_ a popup,** complete with fake close buttons, etc., but isn't a popup at all. You can drag the popup out of the main window's frame to make sure it's not rendered by `foo.com`. (Attackers' creativity will never cease to amaze me.)
  • [^lookalike]: Lookalikes can be simple like `B4R.com` or use math or other-alphabet symbols that look the same as the characters in the "normal" trusted URL. Can you spot the Cyrillic letter in `bаr.com`? Many web browsers try to [Punycode][] those characters, but you still want to be careful. Another tactic is the sirnilarity between `rn` and `m`. Did you notice it in the last sentence or read right past it?
  • [rfc-threats]: https://www.rfc-editor.org/rfc/rfc6819#section-4
  • [rfc-scope]: https://www.rfc-editor.org/rfc/rfc6819#section-3.1.1
  • [punycode]: https://en.wikipedia.org/wiki/Punycode
#7: Post edited by user avatar Michael‭ · 2024-04-22T14:44:36Z (8 months ago)
Scopes are explicitly a part of OAuth2
  • # Threats
  • In my head, there are three big threats. Your questions deal mostly with one of them and slightly with another.
  • ### Fake login page
  • You asked some great questions on this. There are several ways[^lookalike][^popup] (not comprehensive) that people are tricked into providing `bar.com` credentials, but with care you can avoid them.
  • ### Granting more access than expected
  • This is not exactly OAuth, but a lot of people associate it with OAuth-like things. A malicious `foo.com` may ask for more data on you than it strictly needs. This is similar to the old days of Android permissions: "Why does a flashlight app need to read my emails?"
  • ### Identity sharing
  • Both sites now know that you're a member of the other. This is not necessarily more dangerous than signing up with an email, and in some cases exactly equivalent: If `bar.com` is an email provider[^gmail] and you were already going to sign up on `foo.com` with that email, using OAuth probably isn't any worse. (Assuming `foo.com` sends you at least one email that is recognizable as originating from it.)
  • - If you don't want Microsoft to know that you have an account on `embarrassingphotos.example.com`, don't "Sign in with GitHub" to it.
  • - Also vice versa: Don't link accounts if you're worried `foo.com` will find all your public friends on `bar.com` and threaten to tell them your nefarious `foo.com` activity.
  • # Questions
  • I skipped one of your questions that I think is a duplicate of another one. If you can articulate the difference, I can try to address it.
  • > - If I am not already logged in at `bar.com`, I should always log in separately before attempting to authenticate, correct? There is no way that `foo.com` can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?
  • The login window is from `bar.com`, the Identity Provider (IdP). The `foo.com` site typically sends the current page or a new tab to `bar.com` to do the sign-in.[^popup] You do need to make sure that it's not sending you to a lookalike URL,[^lookalike] but the certificate should all be fine since it's completely the other site.
  • > - Similarly, if I believe I'm logged in at `bar.com` already, but trying the `foo.com` authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?
  • That would certainly be fishy, but it's the same situation as above. You _should_ be able to tell that you're on the right site by examining the certificate chain and verifying that it's not using lookalike characters[^lookalike] in the domain.
  • > - When I give `bar.com` permission to authenticate me to `foo.com`, how do I know that this won't compromise my `bar.com` login? What information is actually communicated per the OAuth protocol?
  • Sorry for non-technical description. For straight OAuth, it's basically "I'm `bar.com`, and I vouch that the person is Identity `X` to me." It does not send any part of your authentication to `bar.com`, just a confirmation that you exist as an account there.
  • Lots of sites bolt some _authorization_ on top of the _authentication,_ which lets them also say "and here is the list of things my user says you can ask from their account and/or do to their account." In those cases, `foo.com` has to ask for the permissions, and `bar.com` shows them to you to grant or deny. Some sites may allow you to choose which things to grant. Some may just let you accept/reject the whole slate. If `foo.com` asks for things you didn't expect, maybe it's not a service you should trust.
  • > - When I give such permission, typically `bar.com` will warn me that `foo.com` wants permission to access (or know) certain information about my `bar.com` account. How can I be sure that only that information is being transmitted?
  • You don't, really. You can make your own requesting site, though, and see that it really does only give you the things that you agreed to on `bar.com`.
  • Like any software, it _can_ do all sorts of things, and they _can_ be unsafe. And since it's a website, the software can change at any time. All of this is incumbent on `bar.com` not doing the wrong thing, though. None of it depends on `foo.com` (though you hope `foo.com` doesn't leak data either).
  • > - Could `foo.com` ever gain the ability to modify my `bar.com` account information?
  • Yes. See above. I don't think it's strictly a part of OAuth, but many sites basically issue permissions (that it asks _you_ about, on first registration), to do things like load your profile picture or integrate with your calendar on `bar.com`. Or it can wait and ask (with a new interstitial) for permission to do that later, after your first registration.
  • > - Could it happen that the authentication appears to just work without me giving consent on a `bar.com` interstitial? If that happened, what should I do?
  • I wouldn't expect that the first time, but as above: software _can_ do anything, so `bar.com` _could_ do that. After the first registration, yes, I'd expect it to bounce between `foo` -> `bar` -> `foo` when you load up a `foo.com` page, and do all that seamlessly without your input.
  • If it happened the first time you registered (or if you revoked `foo.com` access), I'd complain to the owners of `bar.com`. That would be a security hole in their site.
  • [^gmail]: I'm looking at you, GMail and Outlook.
  • [^popup]: Sometimes the requesting site opens a popup of the IdP, but I don't like that as much. It trains people to click the password field in **a picture that _looks like_ a popup,** complete with fake close buttons, etc., but really isn't a popup at all. You can drag the popup out of the main window's frame to make sure it's not rendered by `foo.com`. (Attackers' creativity will never cease to amaze me.)
  • [^lookalike]: Lookalikes can be simple like `B4R.com` or use math or other-alphabet symbols that look the same as the characters in the "normal" trusted URL. Can you spot the Cyrillic letter in `bаr.com`? Many web browsers try to [Punycode][] those characters, but you still want to be careful. Another tactic is the sirnilarity between `rn` and `m`. Did you notice it in the last sentence or read right past it?
  • [punycode]: https://en.wikipedia.org/wiki/Punycode
  • # Threats
  • In my head, there are three main threats, though [the OAuth 2 RFC has a whole chapter][rfc-threats] on the topic. Your questions deal mostly with one of them and slightly with another.
  • ### Fake login page
  • You asked some great questions on this. There are several ways[^lookalike][^popup] (not comprehensive) that people are tricked into providing `bar.com` credentials, but with care you can avoid them.
  • ### Granting more access than expected
  • OAuth 2 has ["scopes" for authorizing][rfc-scope] specific access to or actions on `bar.com`. A malicious `foo.com` may ask for more data on you than it strictly needs. This is similar to the old days of Android permissions: "Why does a flashlight app need to read my emails?"
  • ### Identity sharing
  • Both sites now know that you're a member of the other. This is not necessarily more dangerous than signing up with an email, and in some cases exactly equivalent: If `bar.com` is an email provider[^gmail] and you were already going to sign up on `foo.com` with that email, using OAuth probably isn't any worse. (Assuming `foo.com` sends you at least one email that is recognizable as originating from it.)
  • - If you don't want Microsoft to know that you have an account on `embarrassingphotos.example.com`, don't "Sign in with GitHub" to it.
  • - Also vice versa: Don't link accounts if you're worried `foo.com` will find all your public friends on `bar.com` and threaten to tell them your nefarious `foo.com` activity.
  • # Questions
  • I skipped one of your questions that I think is a duplicate of another one. If you can articulate the difference, I can try to address it.
  • > - If I am not already logged in at `bar.com`, I should always log in separately before attempting to authenticate, correct? There is no way that `foo.com` can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?
  • The login window is from `bar.com`. The `foo.com` site typically sends the current page or a new tab to `bar.com` to do the sign-in.[^popup] You do need to make sure that it's not sending you to a lookalike URL,[^lookalike] but the certificate should all be fine since it's completely the other site.
  • > - Similarly, if I believe I'm logged in at `bar.com` already, but trying the `foo.com` authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?
  • That would certainly be fishy, but it's the same situation as above. You _should_ be able to tell that you're on the right site by examining the certificate chain and verifying that it's not using lookalike characters[^lookalike] in the domain.
  • > - When I give `bar.com` permission to authenticate me to `foo.com`, how do I know that this won't compromise my `bar.com` login? What information is actually communicated per the OAuth protocol?
  • At no point are your credentials passed anywhere (except if you signed into `bar.com` to see the interstitial, and only `bar.com` gets those).
  • OAuth2 bolts some _authorization_ on top of the _authentication,_ which lets them also say "and here is the list of things my user says you can ask from their account and/or do to their account." In those cases, `foo.com` has to ask for the permissions, and `bar.com` shows them to you to grant or deny. Some sites may allow you to choose which things to grant. Some may just let you accept/reject the whole slate. If `foo.com` asks for things you didn't expect, maybe it's not a service you should trust.
  • The flow looks like this: `foo.com` opens a request in your browser to `bar.com` so your existing session is valid. It asks for the scopes it wants. If you approve the scopes in the interstitial, `bar.com` sends you back to `foo.com` with a short-lived code. Then, `foo.com`'s _backend_ issues a request with that code directly to `bar.com` so a user's browser, extensions, and network can't interfere with it. If `bar.com` agrees, it gives `foo.com` a longer-lived token.
  • > - When I give such permission, typically `bar.com` will warn me that `foo.com` wants permission to access (or know) certain information about my `bar.com` account. How can I be sure that only that information is being transmitted?
  • You don't, really. You can make your own requesting site, though, and see that it really does only give you the things that you agreed to on `bar.com`.
  • Like any software, it _can_ do all sorts of things, and they _can_ be unsafe. And since it's a website, the software can change at any time. All of this is incumbent on `bar.com` not doing the wrong thing, though. None of it depends on `foo.com` (though you hope `foo.com` doesn't leak data either).
  • > - Could `foo.com` ever gain the ability to modify my `bar.com` account information?
  • Yes. See above. Many sites issue permissions called "scopes" (that it asks _you_ about, on first registration), to do things like load your profile picture or integrate with your calendar on `bar.com`. Or it can wait and ask (with a new interstitial) for permission to do that later, after your first registration.
  • > - Could it happen that the authentication appears to just work without me giving consent on a `bar.com` interstitial? If that happened, what should I do?
  • I wouldn't expect that the first time, but as above: software _can_ do anything, so `bar.com` _could_ do that. After the first registration, yes, I'd expect it to bounce between `foo` -> `bar` -> `foo` when you load up a `foo.com` page, and do all that seamlessly without your input.
  • If it happened the first time you registered (or if you revoked `foo.com` access), I'd complain to the owners of `bar.com`. That would be a security hole in their site.
  • [^gmail]: I'm looking at you, GMail and Outlook.
  • [^popup]: Sometimes the requesting site opens a popup of `bar.com`, but I don't like that as much. It trains people to click the password field in **a picture that _looks like_ a popup,** complete with fake close buttons, etc., but isn't a popup at all. You can drag the popup out of the main window's frame to make sure it's not rendered by `foo.com`. (Attackers' creativity will never cease to amaze me.)
  • [^lookalike]: Lookalikes can be simple like `B4R.com` or use math or other-alphabet symbols that look the same as the characters in the "normal" trusted URL. Can you spot the Cyrillic letter in `bаr.com`? Many web browsers try to [Punycode][] those characters, but you still want to be careful. Another tactic is the sirnilarity between `rn` and `m`. Did you notice it in the last sentence or read right past it?
  • [rfc-threats]: https://www.rfc-editor.org/rfc/rfc6819#section-4
  • [rfc-scope]: https://www.rfc-editor.org/rfc/rfc6819#section-3.1.1
  • [punycode]: https://en.wikipedia.org/wiki/Punycode
#6: Post edited by user avatar Michael‭ · 2024-04-19T20:20:25Z (8 months ago)
Better threat section
  • # Threats
  • In my head, there are three big threats. Your questions deal mostly with one of them and slightly with another.
  • 1. **Fake login page.**
  • - You asked some great questions on this. People get tripped up if they're not careful.
  • 2. **Granting more access than expected.**
  • - This is not exactly OAuth, but a lot of people associate it with OAuth-like things.
  • 3. **Both sites now know that you're a member of the other.**
  • - If you don't want Microsoft to know that you have an account on `embarrassingphotos.example.com`, don't "Sign in with GitHub" to it.
  • - Also vice versa: if you don't want `foo.com` to find all your public friends on `bar.com` and threaten to tell them your `foo.com` activity, don't link accounts.
  • - If `bar.com` is an email provider[^gmail] and you were already going to sign up on `foo.com` with that email, using OAuth probably isn't any worse. (Assuming `foo.com` sends you at least one email that is recognizable as originating from it.)
  • # Questions
  • I skipped one of your questions that I think is a duplicate of another one. If you can articulate the difference, I can try to address it.
  • > - If I am not already logged in at `bar.com`, I should always log in separately before attempting to authenticate, correct? There is no way that `foo.com` can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?
  • The login window is from `bar.com`, the Identity Provider (IdP). The `foo.com` site typically sends you to `bar.com` to do the sign-in.[^popup] You do need to make sure that it's not sending you to a lookalike URL,[^lookalike] but the certificate should all be fine.
  • > - Similarly, if I believe I'm logged in at `bar.com` already, but trying the `foo.com` authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?
  • It's certainly fishy, but it's the same situation as above. You _should_ be able to tell that you're on the right site with the certificate and verifying that it's not using lookalike characters[^lookalike] in the domain.
  • > - When I give `bar.com` permission to authenticate me to `foo.com`, how do I know that this won't compromise my `bar.com` login? What information is actually communicated per the OAuth protocol?
  • Sorry for non-technical description. For straight OAuth, it's basically "I'm `bar.com`, and I vouch that the person is Identity `X` to me." It does not send any part of your authentication to `bar.com`, just a confirmation that you exist as an account there.
  • Lots of sites bolt some _authorization_ on top of the _authentication,_ which lets them also say "and here is the list of things my user says you can ask from their account and/or do to their account." In those cases, `foo.com` has to ask for the permissions, and `bar.com` shows them to you to grant or deny. Some sites may allow you to choose which things to grant. Some may just let you accept/reject the whole slate. If `foo.com` asks for things you didn't expect, maybe it's not a service you should trust.
  • > - When I give such permission, typically `bar.com` will warn me that `foo.com` wants permission to access (or know) certain information about my `bar.com` account. How can I be sure that only that information is being transmitted?
  • You don't, really. You can make your own requesting site, though, and see that it really does only give you the things that you agreed to on `bar.com`.
  • Like any software, it _can_ do all sorts of things, and they _can_ be unsafe. And since it's a website, the software can change at any time. All of this is incumbent on `bar.com` not doing the wrong thing, though. None of it depends on `foo.com` (though you hope `foo.com` doesn't leak data either).
  • > - Could `foo.com` ever gain the ability to modify my `bar.com` account information?
  • Yes. See above. I don't think it's strictly a part of OAuth, but many sites basically issue permissions (that it asks _you_ about, on first registration), to do things like load your profile picture or integrate with your calendar on `bar.com`. Or it can wait and ask (with a new interstitial) for permission to do that later, after your first registration.
  • > - Could it happen that the authentication appears to just work without me giving consent on a `bar.com` interstitial? If that happened, what should I do?
  • I wouldn't expect that the first time, but as above: software _can_ do anything, so `bar.com` _could_ do that. After the first registration, yes, I'd expect it to bounce between `foo` -> `bar` -> `foo` when you load up a `foo.com` page, and do all that seamlessly without your input.
  • If it happened the first time you registered (or if you revoked `foo.com` access), I'd complain to the owners of `bar.com`. That would be a security hole in their site.
  • [^gmail]: I'm looking at you, GMail and Outlook.
  • [^popup]: Sometimes the requesting site opens a popup of the IdP, but I don't like that as much. It trains people to click the password field in **a picture that _looks like_ a popup,** complete with fake close buttons, etc., but really isn't a popup at all. You can drag the popup out of the main window's frame to make sure it's not rendered by `foo.com`. (Attackers' creativity will never cease to amaze me.)
  • [^lookalike]: Lookalikes can be simple like `B4R.com` or use math or other-alphabet symbols that look the same as the characters in the "normal" trusted URL. Can you spot the Cyrillic letter in `bаr.com`? Many web browsers try to [Punycode][] those characters, but you still want to be careful. Another tactic is the sirnilarity between `rn` and `m`. Did you notice it in the last sentence or read right past it?
  • [punycode]: https://en.wikipedia.org/wiki/Punycode
  • # Threats
  • In my head, there are three big threats. Your questions deal mostly with one of them and slightly with another.
  • ### Fake login page
  • You asked some great questions on this. There are several ways[^lookalike][^popup] (not comprehensive) that people are tricked into providing `bar.com` credentials, but with care you can avoid them.
  • ### Granting more access than expected
  • This is not exactly OAuth, but a lot of people associate it with OAuth-like things. A malicious `foo.com` may ask for more data on you than it strictly needs. This is similar to the old days of Android permissions: "Why does a flashlight app need to read my emails?"
  • ### Identity sharing
  • Both sites now know that you're a member of the other. This is not necessarily more dangerous than signing up with an email, and in some cases exactly equivalent: If `bar.com` is an email provider[^gmail] and you were already going to sign up on `foo.com` with that email, using OAuth probably isn't any worse. (Assuming `foo.com` sends you at least one email that is recognizable as originating from it.)
  • - If you don't want Microsoft to know that you have an account on `embarrassingphotos.example.com`, don't "Sign in with GitHub" to it.
  • - Also vice versa: Don't link accounts if you're worried `foo.com` will find all your public friends on `bar.com` and threaten to tell them your nefarious `foo.com` activity.
  • # Questions
  • I skipped one of your questions that I think is a duplicate of another one. If you can articulate the difference, I can try to address it.
  • > - If I am not already logged in at `bar.com`, I should always log in separately before attempting to authenticate, correct? There is no way that `foo.com` can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?
  • The login window is from `bar.com`, the Identity Provider (IdP). The `foo.com` site typically sends the current page or a new tab to `bar.com` to do the sign-in.[^popup] You do need to make sure that it's not sending you to a lookalike URL,[^lookalike] but the certificate should all be fine since it's completely the other site.
  • > - Similarly, if I believe I'm logged in at `bar.com` already, but trying the `foo.com` authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?
  • That would certainly be fishy, but it's the same situation as above. You _should_ be able to tell that you're on the right site by examining the certificate chain and verifying that it's not using lookalike characters[^lookalike] in the domain.
  • > - When I give `bar.com` permission to authenticate me to `foo.com`, how do I know that this won't compromise my `bar.com` login? What information is actually communicated per the OAuth protocol?
  • Sorry for non-technical description. For straight OAuth, it's basically "I'm `bar.com`, and I vouch that the person is Identity `X` to me." It does not send any part of your authentication to `bar.com`, just a confirmation that you exist as an account there.
  • Lots of sites bolt some _authorization_ on top of the _authentication,_ which lets them also say "and here is the list of things my user says you can ask from their account and/or do to their account." In those cases, `foo.com` has to ask for the permissions, and `bar.com` shows them to you to grant or deny. Some sites may allow you to choose which things to grant. Some may just let you accept/reject the whole slate. If `foo.com` asks for things you didn't expect, maybe it's not a service you should trust.
  • > - When I give such permission, typically `bar.com` will warn me that `foo.com` wants permission to access (or know) certain information about my `bar.com` account. How can I be sure that only that information is being transmitted?
  • You don't, really. You can make your own requesting site, though, and see that it really does only give you the things that you agreed to on `bar.com`.
  • Like any software, it _can_ do all sorts of things, and they _can_ be unsafe. And since it's a website, the software can change at any time. All of this is incumbent on `bar.com` not doing the wrong thing, though. None of it depends on `foo.com` (though you hope `foo.com` doesn't leak data either).
  • > - Could `foo.com` ever gain the ability to modify my `bar.com` account information?
  • Yes. See above. I don't think it's strictly a part of OAuth, but many sites basically issue permissions (that it asks _you_ about, on first registration), to do things like load your profile picture or integrate with your calendar on `bar.com`. Or it can wait and ask (with a new interstitial) for permission to do that later, after your first registration.
  • > - Could it happen that the authentication appears to just work without me giving consent on a `bar.com` interstitial? If that happened, what should I do?
  • I wouldn't expect that the first time, but as above: software _can_ do anything, so `bar.com` _could_ do that. After the first registration, yes, I'd expect it to bounce between `foo` -> `bar` -> `foo` when you load up a `foo.com` page, and do all that seamlessly without your input.
  • If it happened the first time you registered (or if you revoked `foo.com` access), I'd complain to the owners of `bar.com`. That would be a security hole in their site.
  • [^gmail]: I'm looking at you, GMail and Outlook.
  • [^popup]: Sometimes the requesting site opens a popup of the IdP, but I don't like that as much. It trains people to click the password field in **a picture that _looks like_ a popup,** complete with fake close buttons, etc., but really isn't a popup at all. You can drag the popup out of the main window's frame to make sure it's not rendered by `foo.com`. (Attackers' creativity will never cease to amaze me.)
  • [^lookalike]: Lookalikes can be simple like `B4R.com` or use math or other-alphabet symbols that look the same as the characters in the "normal" trusted URL. Can you spot the Cyrillic letter in `bаr.com`? Many web browsers try to [Punycode][] those characters, but you still want to be careful. Another tactic is the sirnilarity between `rn` and `m`. Did you notice it in the last sentence or read right past it?
  • [punycode]: https://en.wikipedia.org/wiki/Punycode
#5: Post edited by user avatar Michael‭ · 2024-04-19T20:09:14Z (8 months ago)
More footnote content demonstrating attacks.
  • # Editorial
  • In my head, there are three big threats, and your questions deal with one of them.
  • 1. **Fake login page.**
  • - Excellent question. People get tripped up on this.
  • 2. **Granting more access than expected.**
  • - This is not exactly OAuth, but a lot of people associate it with OAuth-like things.
  • 3. **Both sites now know that you're a member of the other.**
  • - If you don't want Microsoft to know that you have an account on `embarrassingphotos.example.com`, don't "Sign in with GitHub" to it.
  • - Also vice versa: if you don't want `foo.com` to find all your public friends on `bar.com` and threaten to tell them your `foo.com` activity, don't link accounts.
  • - If `bar.com` is an email provider[^gmail] and you were already going to sign up on `foo.com` with that email, using OAuth probably isn't any worse. (Assuming `foo.com` sends you at least one email that is recognizable as originating from it.)
  • # Questions
  • I skipped one of your questions that I think is a duplicate of another one. If you can articulate the difference, I can try to address it.
  • > - If I am not already logged in at `bar.com`, I should always log in separately before attempting to authenticate, correct? There is no way that `foo.com` can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?
  • The login window is from `bar.com`, the Identity Provider (IdP). The `foo.com` site typically sends you to `bar.com` to do the sign-in.[^popup] You do need to make sure that it's not sending you to a lookalike URL,[^lookalike] but the certificate should all be fine.
  • > - Similarly, if I believe I'm logged in at `bar.com` already, but trying the `foo.com` authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?
  • It's certainly fishy, but it's the same situation as above. You _should_ be able to tell that you're on the right site with the certificate and verifying that it's not using lookalike characters[^lookalike] in the domain.
  • > - When I give `bar.com` permission to authenticate me to `foo.com`, how do I know that this won't compromise my `bar.com` login? What information is actually communicated per the OAuth protocol?
  • Sorry for non-technical description. For straight OAuth, it's basically "I'm `bar.com`, and I vouch that the person is Identity `X` to me." It does not send any part of your authentication to `bar.com`, just a confirmation that you exist as an account there.
  • Lots of sites bolt some _authorization_ on top of the _authentication,_ which lets them also say "and here is the list of things my user says you can ask from their account and/or do to their account." In those cases, `foo.com` has to ask for the permissions, and `bar.com` shows them to you to grant or deny. Some sites may allow you to choose which things to grant. Some may just let you accept/reject the whole slate. If `foo.com` asks for things you didn't expect, maybe it's not a service you should trust.
  • > - When I give such permission, typically `bar.com` will warn me that `foo.com` wants permission to access (or know) certain information about my `bar.com` account. How can I be sure that only that information is being transmitted?
  • You don't, really. You can make your own requesting site, though, and see that it really does only give you the things that you agreed to on `bar.com`.
  • Like any software, it _can_ do all sorts of things, and they _can_ be unsafe. And since it's a website, the software can change at any time. All of this is incumbent on `bar.com` not doing the wrong thing, though. None of it depends on `foo.com` (though you hope `foo.com` doesn't leak data either).
  • > - Could `foo.com` ever gain the ability to modify my `bar.com` account information?
  • Yes. See above. I don't think it's strictly a part of OAuth, but many sites basically issue permissions (that it asks _you_ about, on first registration), to do things like load your profile picture or integrate with your calendar on `bar.com`. Or it can wait and ask (with a new interstitial) for permission to do that later, after your first registration.
  • > - Could it happen that the authentication appears to just work without me giving consent on a `bar.com` interstitial? If that happened, what should I do?
  • I wouldn't expect that the first time, but as above: software _can_ do anything, so `bar.com` _could_ do that. After the first registration, yes, I'd expect it to bounce between `foo` -> `bar` -> `foo` when you load up a `foo.com` page, and do all that seamlessly without your input.
  • If it happened the first time you registered (or if you revoked `foo.com` access), I'd complain to the owners of `bar.com`. That would be a security hole in their site.
  • [^gmail]: I'm looking at you, GMail.
  • [^popup]: Sometimes the requesting site opens a popup of the IdP, but I don't like that as much. You could be training people to click the password field in a picture that _looks like_ a popup complete with fake close buttons, etc., but really isn't a popup at all.
  • [^lookalike]: `b4r.com` or worse: math or other-alphabet (Cyrillic?) symbols that look the same as the characters in the "normal" trusted URL.
  • # Threats
  • In my head, there are three big threats. Your questions deal mostly with one of them and slightly with another.
  • 1. **Fake login page.**
  • - You asked some great questions on this. People get tripped up if they're not careful.
  • 2. **Granting more access than expected.**
  • - This is not exactly OAuth, but a lot of people associate it with OAuth-like things.
  • 3. **Both sites now know that you're a member of the other.**
  • - If you don't want Microsoft to know that you have an account on `embarrassingphotos.example.com`, don't "Sign in with GitHub" to it.
  • - Also vice versa: if you don't want `foo.com` to find all your public friends on `bar.com` and threaten to tell them your `foo.com` activity, don't link accounts.
  • - If `bar.com` is an email provider[^gmail] and you were already going to sign up on `foo.com` with that email, using OAuth probably isn't any worse. (Assuming `foo.com` sends you at least one email that is recognizable as originating from it.)
  • # Questions
  • I skipped one of your questions that I think is a duplicate of another one. If you can articulate the difference, I can try to address it.
  • > - If I am not already logged in at `bar.com`, I should always log in separately before attempting to authenticate, correct? There is no way that `foo.com` can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?
  • The login window is from `bar.com`, the Identity Provider (IdP). The `foo.com` site typically sends you to `bar.com` to do the sign-in.[^popup] You do need to make sure that it's not sending you to a lookalike URL,[^lookalike] but the certificate should all be fine.
  • > - Similarly, if I believe I'm logged in at `bar.com` already, but trying the `foo.com` authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?
  • It's certainly fishy, but it's the same situation as above. You _should_ be able to tell that you're on the right site with the certificate and verifying that it's not using lookalike characters[^lookalike] in the domain.
  • > - When I give `bar.com` permission to authenticate me to `foo.com`, how do I know that this won't compromise my `bar.com` login? What information is actually communicated per the OAuth protocol?
  • Sorry for non-technical description. For straight OAuth, it's basically "I'm `bar.com`, and I vouch that the person is Identity `X` to me." It does not send any part of your authentication to `bar.com`, just a confirmation that you exist as an account there.
  • Lots of sites bolt some _authorization_ on top of the _authentication,_ which lets them also say "and here is the list of things my user says you can ask from their account and/or do to their account." In those cases, `foo.com` has to ask for the permissions, and `bar.com` shows them to you to grant or deny. Some sites may allow you to choose which things to grant. Some may just let you accept/reject the whole slate. If `foo.com` asks for things you didn't expect, maybe it's not a service you should trust.
  • > - When I give such permission, typically `bar.com` will warn me that `foo.com` wants permission to access (or know) certain information about my `bar.com` account. How can I be sure that only that information is being transmitted?
  • You don't, really. You can make your own requesting site, though, and see that it really does only give you the things that you agreed to on `bar.com`.
  • Like any software, it _can_ do all sorts of things, and they _can_ be unsafe. And since it's a website, the software can change at any time. All of this is incumbent on `bar.com` not doing the wrong thing, though. None of it depends on `foo.com` (though you hope `foo.com` doesn't leak data either).
  • > - Could `foo.com` ever gain the ability to modify my `bar.com` account information?
  • Yes. See above. I don't think it's strictly a part of OAuth, but many sites basically issue permissions (that it asks _you_ about, on first registration), to do things like load your profile picture or integrate with your calendar on `bar.com`. Or it can wait and ask (with a new interstitial) for permission to do that later, after your first registration.
  • > - Could it happen that the authentication appears to just work without me giving consent on a `bar.com` interstitial? If that happened, what should I do?
  • I wouldn't expect that the first time, but as above: software _can_ do anything, so `bar.com` _could_ do that. After the first registration, yes, I'd expect it to bounce between `foo` -> `bar` -> `foo` when you load up a `foo.com` page, and do all that seamlessly without your input.
  • If it happened the first time you registered (or if you revoked `foo.com` access), I'd complain to the owners of `bar.com`. That would be a security hole in their site.
  • [^gmail]: I'm looking at you, GMail and Outlook.
  • [^popup]: Sometimes the requesting site opens a popup of the IdP, but I don't like that as much. It trains people to click the password field in **a picture that _looks like_ a popup,** complete with fake close buttons, etc., but really isn't a popup at all. You can drag the popup out of the main window's frame to make sure it's not rendered by `foo.com`. (Attackers' creativity will never cease to amaze me.)
  • [^lookalike]: Lookalikes can be simple like `B4R.com` or use math or other-alphabet symbols that look the same as the characters in the "normal" trusted URL. Can you spot the Cyrillic letter in `bаr.com`? Many web browsers try to [Punycode][] those characters, but you still want to be careful. Another tactic is the sirnilarity between `rn` and `m`. Did you notice it in the last sentence or read right past it?
  • [punycode]: https://en.wikipedia.org/wiki/Punycode
#4: Post edited by user avatar Michael‭ · 2024-04-19T19:21:06Z (8 months ago)
GMail
  • # Editorial
  • In my head, there are three big threats, and your questions deal with one of them.
  • 1. **Fake login page.**
  • - Excellent question. People get tripped up on this.
  • 2. **Granting more access than expected.**
  • - This is not exactly OAuth, but a lot of people associate it with OAuth-like things.
  • 3. **Both sites now know that you're a member of the other.**
  • - If you don't want Microsoft to know that you have an account on `embarrassingphotos.example.com`, don't "Sign in with GitHub" to it.
  • - Also vice versa: if you don't want `foo.com` to find all your public friends on `bar.com` and threaten to tell them your `foo.com` activity, don't link accounts.
  • # Questions
  • I skipped one of your questions that I think is a duplicate of another one. If you can articulate the difference, I can try to address it.
  • > - If I am not already logged in at `bar.com`, I should always log in separately before attempting to authenticate, correct? There is no way that `foo.com` can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?
  • The login window is from `bar.com`, the Identity Provider (IdP). The `foo.com` site typically sends you to `bar.com` to do the sign-in.[^popup] You do need to make sure that it's not sending you to a lookalike URL,[^lookalike] but the certificate should all be fine.
  • > - Similarly, if I believe I'm logged in at `bar.com` already, but trying the `foo.com` authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?
  • It's certainly fishy, but it's the same situation as above. You _should_ be able to tell that you're on the right site with the certificate and verifying that it's not using lookalike characters[^lookalike] in the domain.
  • > - When I give `bar.com` permission to authenticate me to `foo.com`, how do I know that this won't compromise my `bar.com` login? What information is actually communicated per the OAuth protocol?
  • Sorry for non-technical description. For straight OAuth, it's basically "I'm `bar.com`, and I vouch that the person is Identity `X` to me." It does not send any part of your authentication to `bar.com`, just a confirmation that you exist as an account there.
  • Lots of sites bolt some _authorization_ on top of the _authentication,_ which lets them also say "and here is the list of things my user says you can ask from their account and/or do to their account." In those cases, `foo.com` has to ask for the permissions, and `bar.com` shows them to you to grant or deny. Some sites may allow you to choose which things to grant. Some may just let you accept/reject the whole slate. If `foo.com` asks for things you didn't expect, maybe it's not a service you should trust.
  • > - When I give such permission, typically `bar.com` will warn me that `foo.com` wants permission to access (or know) certain information about my `bar.com` account. How can I be sure that only that information is being transmitted?
  • You don't, really. You can make your own requesting site, though, and see that it really does only give you the things that you agreed to on `bar.com`.
  • Like any software, it _can_ do all sorts of things, and they _can_ be unsafe. And since it's a website, the software can change at any time. All of this is incumbent on `bar.com` not doing the wrong thing, though. None of it depends on `foo.com` (though you hope `foo.com` doesn't leak data either).
  • > - Could `foo.com` ever gain the ability to modify my `bar.com` account information?
  • Yes. See above. I don't think it's strictly a part of OAuth, but many sites basically issue permissions (that it asks _you_ about, on first registration), to do things like load your profile picture or integrate with your calendar on `bar.com`. Or it can wait and ask (with a new interstitial) for permission to do that later, after your first registration.
  • > - Could it happen that the authentication appears to just work without me giving consent on a `bar.com` interstitial? If that happened, what should I do?
  • I wouldn't expect that the first time, but as above: software _can_ do anything, so `bar.com` _could_ do that. After the first registration, yes, I'd expect it to bounce between `foo` -> `bar` -> `foo` when you load up a `foo.com` page, and do all that seamlessly without your input.
  • If it happened the first time you registered (or if you revoked `foo.com` access), I'd complain to the owners of `bar.com`. That would be a security hole in their site.
  • [^popup]: Sometimes the requesting site opens a popup of the IdP, but I don't like that as much. You could be training people to click the password field in a picture that _looks like_ a popup complete with fake close buttons, etc., but really isn't a popup at all.
  • [^lookalike]: `b4r.com` or worse: math or other-alphabet (Cyrillic?) symbols that look the same as the characters in the "normal" trusted URL.
  • # Editorial
  • In my head, there are three big threats, and your questions deal with one of them.
  • 1. **Fake login page.**
  • - Excellent question. People get tripped up on this.
  • 2. **Granting more access than expected.**
  • - This is not exactly OAuth, but a lot of people associate it with OAuth-like things.
  • 3. **Both sites now know that you're a member of the other.**
  • - If you don't want Microsoft to know that you have an account on `embarrassingphotos.example.com`, don't "Sign in with GitHub" to it.
  • - Also vice versa: if you don't want `foo.com` to find all your public friends on `bar.com` and threaten to tell them your `foo.com` activity, don't link accounts.
  • - If `bar.com` is an email provider[^gmail] and you were already going to sign up on `foo.com` with that email, using OAuth probably isn't any worse. (Assuming `foo.com` sends you at least one email that is recognizable as originating from it.)
  • # Questions
  • I skipped one of your questions that I think is a duplicate of another one. If you can articulate the difference, I can try to address it.
  • > - If I am not already logged in at `bar.com`, I should always log in separately before attempting to authenticate, correct? There is no way that `foo.com` can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?
  • The login window is from `bar.com`, the Identity Provider (IdP). The `foo.com` site typically sends you to `bar.com` to do the sign-in.[^popup] You do need to make sure that it's not sending you to a lookalike URL,[^lookalike] but the certificate should all be fine.
  • > - Similarly, if I believe I'm logged in at `bar.com` already, but trying the `foo.com` authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?
  • It's certainly fishy, but it's the same situation as above. You _should_ be able to tell that you're on the right site with the certificate and verifying that it's not using lookalike characters[^lookalike] in the domain.
  • > - When I give `bar.com` permission to authenticate me to `foo.com`, how do I know that this won't compromise my `bar.com` login? What information is actually communicated per the OAuth protocol?
  • Sorry for non-technical description. For straight OAuth, it's basically "I'm `bar.com`, and I vouch that the person is Identity `X` to me." It does not send any part of your authentication to `bar.com`, just a confirmation that you exist as an account there.
  • Lots of sites bolt some _authorization_ on top of the _authentication,_ which lets them also say "and here is the list of things my user says you can ask from their account and/or do to their account." In those cases, `foo.com` has to ask for the permissions, and `bar.com` shows them to you to grant or deny. Some sites may allow you to choose which things to grant. Some may just let you accept/reject the whole slate. If `foo.com` asks for things you didn't expect, maybe it's not a service you should trust.
  • > - When I give such permission, typically `bar.com` will warn me that `foo.com` wants permission to access (or know) certain information about my `bar.com` account. How can I be sure that only that information is being transmitted?
  • You don't, really. You can make your own requesting site, though, and see that it really does only give you the things that you agreed to on `bar.com`.
  • Like any software, it _can_ do all sorts of things, and they _can_ be unsafe. And since it's a website, the software can change at any time. All of this is incumbent on `bar.com` not doing the wrong thing, though. None of it depends on `foo.com` (though you hope `foo.com` doesn't leak data either).
  • > - Could `foo.com` ever gain the ability to modify my `bar.com` account information?
  • Yes. See above. I don't think it's strictly a part of OAuth, but many sites basically issue permissions (that it asks _you_ about, on first registration), to do things like load your profile picture or integrate with your calendar on `bar.com`. Or it can wait and ask (with a new interstitial) for permission to do that later, after your first registration.
  • > - Could it happen that the authentication appears to just work without me giving consent on a `bar.com` interstitial? If that happened, what should I do?
  • I wouldn't expect that the first time, but as above: software _can_ do anything, so `bar.com` _could_ do that. After the first registration, yes, I'd expect it to bounce between `foo` -> `bar` -> `foo` when you load up a `foo.com` page, and do all that seamlessly without your input.
  • If it happened the first time you registered (or if you revoked `foo.com` access), I'd complain to the owners of `bar.com`. That would be a security hole in their site.
  • [^gmail]: I'm looking at you, GMail.
  • [^popup]: Sometimes the requesting site opens a popup of the IdP, but I don't like that as much. You could be training people to click the password field in a picture that _looks like_ a popup complete with fake close buttons, etc., but really isn't a popup at all.
  • [^lookalike]: `b4r.com` or worse: math or other-alphabet (Cyrillic?) symbols that look the same as the characters in the "normal" trusted URL.
#3: Post edited by user avatar Michael‭ · 2024-04-19T19:15:48Z (8 months ago)
  • # Editorial
  • In my head, there are three big threats, and your questions deal with one of them.
  • 1. **Fake login page.**
  • - Excellent question. People get tripped up on this.
  • 2. **Granting more access than expected.**
  • - This is not exactly OAuth, but a lot of people associate it with OAuth-like things.
  • 3. **Both sites now know that you're a member of the other.**
  • - If you don't want Microsoft to know that you have an account on `embarrassingphotos.example.com`, don't "Sign in with GitHub" to it.
  • - Also vice versa: if you don't want `foo.com` to find all your public friends on `bar.com` and blackmail you over them, don't link accounts.
  • # Questions
  • I skipped one of your questions that I think is a duplicate of another one. If you can articulate the difference, I can try to address it.
  • > - If I am not already logged in at `bar.com`, I should always log in separately before attempting to authenticate, correct? There is no way that `foo.com` can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?
  • The login window is from `bar.com`, the Identity Provider (IdP). The `foo.com` site typically sends you to `bar.com` to do the sign-in.[^popup] You do need to make sure that it's not sending you to a lookalike URL,[^lookalike] but the certificate should all be fine.
  • > - Similarly, if I believe I'm logged in at `bar.com` already, but trying the `foo.com` authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?
  • It's certainly fishy, but it's the same situation as above. You _should_ be able to tell that you're on the right site with the certificate and verifying that it's not using lookalike characters[^lookalike] in the domain.
  • > - When I give `bar.com` permission to authenticate me to `foo.com`, how do I know that this won't compromise my `bar.com` login? What information is actually communicated per the OAuth protocol?
  • Sorry for non-technical description. For straight OAuth, it's basically "I'm `bar.com`, and I vouch that the person is Identity `X` to me." It does not send any part of your authentication to `bar.com`, just a confirmation that you exist as an account there.
  • Lots of sites bolt some _authorization_ on top of the _authentication,_ which lets them also say "and here is the list of things my user says you can ask from their account and/or do to their account." In those cases, `foo.com` has to ask for the permissions, and `bar.com` shows them to you to grant or deny. Some sites may allow you to choose which things to grant. Some may just let you accept/reject the whole slate. If `foo.com` asks for things you didn't expect, maybe it's not a service you should trust.
  • > - When I give such permission, typically `bar.com` will warn me that `foo.com` wants permission to access (or know) certain information about my `bar.com` account. How can I be sure that only that information is being transmitted?
  • You don't, really. You can make your own requesting site, though, and see that it really does only give you the things that you agreed to on `bar.com`.
  • Like any software, it _can_ do all sorts of things, and they _can_ be unsafe. And since it's a website, the software can change at any time. All of this is incumbent on `bar.com` not doing the wrong thing, though. None of it depends on `foo.com` (though you hope `foo.com` doesn't leak data either).
  • > - Could `foo.com` ever gain the ability to modify my `bar.com` account information?
  • Yes. See above. I don't think it's strictly a part of OAuth, but many sites basically issue permissions (that it asks _you_ about, on first registration), to do things like load your profile picture or integrate with your calendar on `bar.com`. Or it can wait and ask (with a new interstitial) for permission to do that later, after your first registration.
  • > - Could it happen that the authentication appears to just work without me giving consent on a `bar.com` interstitial? If that happened, what should I do?
  • I wouldn't expect that the first time, but as above: software _can_ do anything, so `bar.com` _could_ do that. After the first registration, yes, I'd expect it to bounce between `foo` -> `bar` -> `foo` when you load up a `foo.com` page, and do all that seamlessly without your input.
  • If it happened the first time you registered (or if you revoked `foo.com` access), I'd complain to the owners of `bar.com`. That would be a security hole in their site.
  • [^popup]: Sometimes the requesting site opens a popup of the IdP, but I don't like that as much. You could be training people to click the password field in a picture that _looks like_ a popup complete with fake close buttons, etc., but really isn't a popup at all.
  • [^lookalike]: `b4r.com` or worse: math or other-alphabet (Cyrillic?) symbols that look the same as the characters in the "normal" trusted URL.
  • # Editorial
  • In my head, there are three big threats, and your questions deal with one of them.
  • 1. **Fake login page.**
  • - Excellent question. People get tripped up on this.
  • 2. **Granting more access than expected.**
  • - This is not exactly OAuth, but a lot of people associate it with OAuth-like things.
  • 3. **Both sites now know that you're a member of the other.**
  • - If you don't want Microsoft to know that you have an account on `embarrassingphotos.example.com`, don't "Sign in with GitHub" to it.
  • - Also vice versa: if you don't want `foo.com` to find all your public friends on `bar.com` and threaten to tell them your `foo.com` activity, don't link accounts.
  • # Questions
  • I skipped one of your questions that I think is a duplicate of another one. If you can articulate the difference, I can try to address it.
  • > - If I am not already logged in at `bar.com`, I should always log in separately before attempting to authenticate, correct? There is no way that `foo.com` can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?
  • The login window is from `bar.com`, the Identity Provider (IdP). The `foo.com` site typically sends you to `bar.com` to do the sign-in.[^popup] You do need to make sure that it's not sending you to a lookalike URL,[^lookalike] but the certificate should all be fine.
  • > - Similarly, if I believe I'm logged in at `bar.com` already, but trying the `foo.com` authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?
  • It's certainly fishy, but it's the same situation as above. You _should_ be able to tell that you're on the right site with the certificate and verifying that it's not using lookalike characters[^lookalike] in the domain.
  • > - When I give `bar.com` permission to authenticate me to `foo.com`, how do I know that this won't compromise my `bar.com` login? What information is actually communicated per the OAuth protocol?
  • Sorry for non-technical description. For straight OAuth, it's basically "I'm `bar.com`, and I vouch that the person is Identity `X` to me." It does not send any part of your authentication to `bar.com`, just a confirmation that you exist as an account there.
  • Lots of sites bolt some _authorization_ on top of the _authentication,_ which lets them also say "and here is the list of things my user says you can ask from their account and/or do to their account." In those cases, `foo.com` has to ask for the permissions, and `bar.com` shows them to you to grant or deny. Some sites may allow you to choose which things to grant. Some may just let you accept/reject the whole slate. If `foo.com` asks for things you didn't expect, maybe it's not a service you should trust.
  • > - When I give such permission, typically `bar.com` will warn me that `foo.com` wants permission to access (or know) certain information about my `bar.com` account. How can I be sure that only that information is being transmitted?
  • You don't, really. You can make your own requesting site, though, and see that it really does only give you the things that you agreed to on `bar.com`.
  • Like any software, it _can_ do all sorts of things, and they _can_ be unsafe. And since it's a website, the software can change at any time. All of this is incumbent on `bar.com` not doing the wrong thing, though. None of it depends on `foo.com` (though you hope `foo.com` doesn't leak data either).
  • > - Could `foo.com` ever gain the ability to modify my `bar.com` account information?
  • Yes. See above. I don't think it's strictly a part of OAuth, but many sites basically issue permissions (that it asks _you_ about, on first registration), to do things like load your profile picture or integrate with your calendar on `bar.com`. Or it can wait and ask (with a new interstitial) for permission to do that later, after your first registration.
  • > - Could it happen that the authentication appears to just work without me giving consent on a `bar.com` interstitial? If that happened, what should I do?
  • I wouldn't expect that the first time, but as above: software _can_ do anything, so `bar.com` _could_ do that. After the first registration, yes, I'd expect it to bounce between `foo` -> `bar` -> `foo` when you load up a `foo.com` page, and do all that seamlessly without your input.
  • If it happened the first time you registered (or if you revoked `foo.com` access), I'd complain to the owners of `bar.com`. That would be a security hole in their site.
  • [^popup]: Sometimes the requesting site opens a popup of the IdP, but I don't like that as much. You could be training people to click the password field in a picture that _looks like_ a popup complete with fake close buttons, etc., but really isn't a popup at all.
  • [^lookalike]: `b4r.com` or worse: math or other-alphabet (Cyrillic?) symbols that look the same as the characters in the "normal" trusted URL.
#2: Post edited by user avatar Michael‭ · 2024-04-19T19:14:24Z (8 months ago)
Threat model
  • > - If I am not already logged in at `bar.com`, I should always log in separately before attempting to authenticate, correct? There is no way that `foo.com` can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?
  • The login window is from `bar.com`, the Identity Provider (IdP). The `foo.com` site typically sends you to `bar.com` to do the sign-in.[^popup] You do need to make sure that it's not sending you to a lookalike URL,[^lookalike] but the certificate should all be fine.
  • > - Similarly, if I believe I'm logged in at `bar.com` already, but trying the `foo.com` authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?
  • It's certainly fishy, but it's the same situation as above. You _should_ be able to tell that you're on the right site with the certificate and verifying that it's not using lookalike characters[^lookalike] in the domain.
  • > - When I give `bar.com` permission to authenticate me to `foo.com`, how do I know that this won't compromise my `bar.com` login? What information is actually communicated per the OAuth protocol?
  • Sorry for non-technical description. For straight OAuth, it's basically "I'm `bar.com`, and I vouch that the person is Identity `X` to me." It does not send any part of your authentication to `bar.com`, just a confirmation that you exist as an account there.
  • Lots of sites bolt some _authorization_ on top of the _authentication,_ which lets them also say "and here is the list of things my user says you can ask from their account and/or do to their account." In those cases, `foo.com` has to ask for the permissions, and `bar.com` shows them to you to grant or deny. Some sites may allow you to choose which things to grant. Some may just let you accept/reject the whole slate. If `foo.com` asks for things you didn't expect, maybe it's not a service you should trust.
  • > - When I give such permission, typically `bar.com` will warn me that `foo.com` wants permission to access (or know) certain information about my `bar.com` account. How can I be sure that only that information is being transmitted?
  • You don't, really. You can make your own requesting site, though, and see that it really does only give you the things that you agreed to on `bar.com`.
  • Like any software, it _can_ do all sorts of things, and they _can_ be unsafe. And since it's a website, the software can change at any time. All of this is incumbent on `bar.com` not doing the wrong thing, though. None of it depends on `foo.com` (though you hope `foo.com` doesn't leak data either).
  • > - Could `foo.com` ever gain the ability to modify my `bar.com` account information?
  • Yes. See above. I don't think it's strictly a part of OAuth, but many sites basically issue permissions (that it asks _you_ about, on first registration), to do things like load your profile picture or integrate with your calendar on `bar.com`. Or it can wait and ask (with a new interstitial) for permission to do that later, after your first registration.
  • > - Could it happen that the authentication appears to just work without me giving consent on a `bar.com` interstitial? If that happened, what should I do?
  • I wouldn't expect that the first time, but as above: software _can_ do anything, so `bar.com` _could_ do that. After the first registration, yes, I'd expect it to bounce between `foo` -> `bar` -> `foo` when you load up a `foo.com` page, and do all that seamlessly.
  • If it happened the first time you registered (or if you revoked `foo.com` access), I'd complain to the owners of `bar.com`. That would be a security hole in their site.
  • [^popup]: Sometimes the requesting site opens a popup of the IdP, but I don't like that as much.
  • [^lookalike]: `b4r.com` or worse: math or other-alphabet (Cyrillic?) symbols that look the same as the characters in the "normal" trusted URL.
  • # Editorial
  • In my head, there are three big threats, and your questions deal with one of them.
  • 1. **Fake login page.**
  • - Excellent question. People get tripped up on this.
  • 2. **Granting more access than expected.**
  • - This is not exactly OAuth, but a lot of people associate it with OAuth-like things.
  • 3. **Both sites now know that you're a member of the other.**
  • - If you don't want Microsoft to know that you have an account on `embarrassingphotos.example.com`, don't "Sign in with GitHub" to it.
  • - Also vice versa: if you don't want `foo.com` to find all your public friends on `bar.com` and blackmail you over them, don't link accounts.
  • # Questions
  • I skipped one of your questions that I think is a duplicate of another one. If you can articulate the difference, I can try to address it.
  • > - If I am not already logged in at `bar.com`, I should always log in separately before attempting to authenticate, correct? There is no way that `foo.com` can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?
  • The login window is from `bar.com`, the Identity Provider (IdP). The `foo.com` site typically sends you to `bar.com` to do the sign-in.[^popup] You do need to make sure that it's not sending you to a lookalike URL,[^lookalike] but the certificate should all be fine.
  • > - Similarly, if I believe I'm logged in at `bar.com` already, but trying the `foo.com` authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?
  • It's certainly fishy, but it's the same situation as above. You _should_ be able to tell that you're on the right site with the certificate and verifying that it's not using lookalike characters[^lookalike] in the domain.
  • > - When I give `bar.com` permission to authenticate me to `foo.com`, how do I know that this won't compromise my `bar.com` login? What information is actually communicated per the OAuth protocol?
  • Sorry for non-technical description. For straight OAuth, it's basically "I'm `bar.com`, and I vouch that the person is Identity `X` to me." It does not send any part of your authentication to `bar.com`, just a confirmation that you exist as an account there.
  • Lots of sites bolt some _authorization_ on top of the _authentication,_ which lets them also say "and here is the list of things my user says you can ask from their account and/or do to their account." In those cases, `foo.com` has to ask for the permissions, and `bar.com` shows them to you to grant or deny. Some sites may allow you to choose which things to grant. Some may just let you accept/reject the whole slate. If `foo.com` asks for things you didn't expect, maybe it's not a service you should trust.
  • > - When I give such permission, typically `bar.com` will warn me that `foo.com` wants permission to access (or know) certain information about my `bar.com` account. How can I be sure that only that information is being transmitted?
  • You don't, really. You can make your own requesting site, though, and see that it really does only give you the things that you agreed to on `bar.com`.
  • Like any software, it _can_ do all sorts of things, and they _can_ be unsafe. And since it's a website, the software can change at any time. All of this is incumbent on `bar.com` not doing the wrong thing, though. None of it depends on `foo.com` (though you hope `foo.com` doesn't leak data either).
  • > - Could `foo.com` ever gain the ability to modify my `bar.com` account information?
  • Yes. See above. I don't think it's strictly a part of OAuth, but many sites basically issue permissions (that it asks _you_ about, on first registration), to do things like load your profile picture or integrate with your calendar on `bar.com`. Or it can wait and ask (with a new interstitial) for permission to do that later, after your first registration.
  • > - Could it happen that the authentication appears to just work without me giving consent on a `bar.com` interstitial? If that happened, what should I do?
  • I wouldn't expect that the first time, but as above: software _can_ do anything, so `bar.com` _could_ do that. After the first registration, yes, I'd expect it to bounce between `foo` -> `bar` -> `foo` when you load up a `foo.com` page, and do all that seamlessly without your input.
  • If it happened the first time you registered (or if you revoked `foo.com` access), I'd complain to the owners of `bar.com`. That would be a security hole in their site.
  • [^popup]: Sometimes the requesting site opens a popup of the IdP, but I don't like that as much. You could be training people to click the password field in a picture that _looks like_ a popup complete with fake close buttons, etc., but really isn't a popup at all.
  • [^lookalike]: `b4r.com` or worse: math or other-alphabet (Cyrillic?) symbols that look the same as the characters in the "normal" trusted URL.
#1: Initial revision by user avatar Michael‭ · 2024-04-19T18:56:13Z (8 months ago)
> - If I am not already logged in at `bar.com`, I should always log in separately before attempting to authenticate, correct? There is no way that `foo.com` can provide me with a login window and prove to me that it's secure (i.e., that they aren't MITMing me)?

The login window is from `bar.com`, the Identity Provider (IdP). The `foo.com` site typically sends you to `bar.com` to do the sign-in.[^popup] You do need to make sure that it's not sending you to a lookalike URL,[^lookalike] but the certificate should all be fine.

> - Similarly, if I believe I'm logged in at `bar.com` already, but trying the `foo.com` authentication link gives me a login form, I should reject this and treat it as a phishing attempt, correct?

It's certainly fishy, but it's the same situation as above. You _should_ be able to tell that you're on the right site with the certificate and verifying that it's not using lookalike characters[^lookalike] in the domain.

> - When I give `bar.com` permission to authenticate me to `foo.com`, how do I know that this won't compromise my `bar.com` login? What information is actually communicated per the OAuth protocol?

Sorry for non-technical description. For straight OAuth, it's basically "I'm `bar.com`, and I vouch that the person is Identity `X` to me." It does not send any part of your authentication to `bar.com`, just a confirmation that you exist as an account there.

Lots of sites bolt some _authorization_ on top of the _authentication,_ which lets them also say "and here is the list of things my user says you can ask from their account and/or do to their account." In those cases, `foo.com` has to ask for the permissions, and `bar.com` shows them to you to grant or deny. Some sites may allow you to choose which things to grant. Some may just let you accept/reject the whole slate. If `foo.com` asks for things you didn't expect, maybe it's not a service you should trust.

> - When I give such permission, typically `bar.com` will warn me that `foo.com` wants permission to access (or know) certain information about my `bar.com` account. How can I be sure that only that information is being transmitted?

You don't, really. You can make your own requesting site, though, and see that it really does only give you the things that you agreed to on `bar.com`.

Like any software, it _can_ do all sorts of things, and they _can_ be unsafe. And since it's a website, the software can change at any time. All of this is incumbent on `bar.com` not doing the wrong thing, though. None of it depends on `foo.com` (though you hope `foo.com` doesn't leak data either).

> - Could `foo.com` ever gain the ability to modify my `bar.com` account information?

Yes. See above. I don't think it's strictly a part of OAuth, but many sites basically issue permissions (that it asks _you_ about, on first registration), to do things like load your profile picture or integrate with your calendar on `bar.com`. Or it can wait and ask (with a new interstitial) for permission to do that later, after your first registration.

> - Could it happen that the authentication appears to just work without me giving consent on a `bar.com` interstitial? If that happened, what should I do?

I wouldn't expect that the first time, but as above: software _can_ do anything, so `bar.com` _could_ do that. After the first registration, yes, I'd expect it to bounce between `foo` -> `bar` -> `foo` when you load up a `foo.com` page, and do all that seamlessly.

If it happened the first time you registered (or if you revoked `foo.com` access), I'd complain to the owners of `bar.com`. That would be a security hole in their site.



[^popup]: Sometimes the requesting site opens a popup of the IdP, but I don't like that as much.
[^lookalike]:  `b4r.com` or worse: math or other-alphabet (Cyrillic?) symbols that look the same as the characters in the "normal" trusted URL.