EVE Technology Lab

OAuth2 - Did I get that right? (Risk of credentials)

Liu Ellens
Sebiestor Tribe
Minmatar Republic
#1 - 2012-03-25 20:17:14 UTC  |  Edited by: Liu Ellens
Although I sat there in most of the devtrack's sessions/round-tables, it apparently needs two nights until some thought settles (no alcohol was involved).

First a clarification if I got this right:
1. (Web)App wants to get the permission to do X for user Y
2. To authenticate user Y, the app forwards the user to the OAuth2 page, hosted on CCP's server, and provides a callback to the app for when it is done
3. User enters credentials on CCP's server, gets validated and is then forwarded to the callback page with a token
4. Callback page extracts the piggybacked token from the request, which allows it to perform X further down the line

Assuming this is (roughly) the sequence, then my question:
How do I, as a user, know for sure that this popup that says "Hello, I'm Blue - give me your user & password" is actually CCP's page?
I'm not thinking about online man-in-the-middle attack, I'm thinking about a shady app that provides a login popup looking just like the actual one.

(Either I've got a hunch there or need the proper pointer to this OAuth2 magic - no hex values please)

Well, they oughta know what to do with them hogs out there for shure.

CCP Necrogoat
C C P
C C P Alliance
#2 - 2012-03-26 09:43:22 UTC
You'll know it's legitimate because it's an https connection serving a page from an official CCP domain. This may be a problem for the unwary though, and protecting against this kind of attack is definitely on our radar.

Software Engineer | Team Shapeset

Shellac Brookdale
Cutting Edge Incorporated
#3 - 2012-03-26 10:06:11 UTC
Phishing user credentials from faked websites isn't really an OAuth-specific problem. Users need to pay attention to the domain name, as CCP Necrogoat mentioned.

What I'm more worried about is if this is going to replace the API keys system for CREST access?

Using OAuth and being able to ask the user for specific permissions is fine. But how is this going to work for scheduled tasks once the token expired?

CCP Necrogoat
C C P
C C P Alliance
#4 - 2012-03-26 10:18:47 UTC
I think the SSO dudes were talking about using refresh tokens for non-web applications: http://tools.ietf.org/html/draft-ietf-oauth-v2-25#section-1.5

Software Engineer | Team Shapeset

Liu Ellens
Sebiestor Tribe
Minmatar Republic
#5 - 2012-03-26 11:16:40 UTC
CCP Necrogoat wrote:
You'll know it's legitimate because it's an https connection serving a page from an official CCP domain. This may be a problem for the unwary though, and protecting against this kind of attack is definitely on our radar.

OK, that I got and I'm fine with that so far - but I was also under the impression that this "login" sequence would also be possible by showing the login page within a popup widget (e.g. an iframe) that does not have the browser window frame or address bar, from which I can derive the HTTPS status to the official domain.

So, in essence, I (and any other) need to be trimmed to use only apps that do the login via a full redirect to the official page.

Well, they oughta know what to do with them hogs out there for shure.

CCP Hermaur
C C P
C C P Alliance
#6 - 2012-03-26 11:43:51 UTC
CCP Necrogoat wrote:
I think the SSO dudes were talking about using refresh tokens for non-web applications: http://tools.ietf.org/html/draft-ietf-oauth-v2-25#section-1.5


That's right. In fact, as long as your application is using the Authorization Code flow (http://tools.ietf.org/html/draft-ietf-oauth-v2-25#section-4.1) and has a way of storing the refresh tokens, you can use them to request additional access tokens without involving the user.

Web developer | Team GForce

Shellac Brookdale
Cutting Edge Incorporated
#7 - 2012-03-26 14:11:55 UTC
Sounds pretty cool. In this context it would also make a lot of sense to have an official app directory and generate a unique client id for each app. This would allow you to keep track of all apps used by a given user and offer a way to revoke refresh tokens at some point.

CCP Necrogoat
C C P
C C P Alliance
#8 - 2012-03-26 14:55:34 UTC
This is exactly what we're planning to do :)

Software Engineer | Team Shapeset
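The flow CCP Hermaur describes in #6 (Authorization Code grant, stored refresh token, new access tokens without the user) and the per-app revocation Shellac Brookdale asks for in #7, as an added example that is not part of this thread and not CCP's API: a toy in-memory authorization server and a scheduled client job. The server, the `client_id` values, the `ACCESS_TTL` and the `store` dict are all assumptions for illustration.

```python
import secrets

# Constructed in-memory model of the Authorization Code grant (draft-ietf-oauth-v2 sec. 4.1) with refresh tokens (sec. 1.5); the toy server and all names are assumptions, not CCP's API.
ACCESS_TTL = 3600  # seconds an access token stays valid (constructed value)

class AuthServer:
    def __init__(self):
        self.codes = {}    # code -> (client_id, user): single use, bound to one app
        self.access = {}   # access token -> (client_id, user, expires_at)
        self.refresh = {}  # refresh token -> (client_id, user)

    def authorize(self, client_id, user):
        """User logs in on the server (thread steps 2-3); a code goes to the app's callback."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user)
        return code

    def token(self, grant_type, client_id, credential, now):
        """Token endpoint: grant_type is 'authorization_code' or 'refresh_token'."""
        if grant_type == "authorization_code":
            entry = self.codes.pop(credential, None)   # a code is consumed on first use
        else:
            entry = self.refresh.get(credential)
        if entry is None or entry[0] != client_id:     # unknown, revoked or another app's
            return None
        access = secrets.token_urlsafe(16)
        self.access[access] = (client_id, entry[1], now + ACCESS_TTL)
        resp = {"access_token": access, "expires_in": ACCESS_TTL}
        if grant_type == "authorization_code":         # refresh token issued only here
            resp["refresh_token"] = secrets.token_urlsafe(16)
            self.refresh[resp["refresh_token"]] = entry
        return resp

    def revoke_app(self, client_id, user):
        """Posts #7/#8: the user drops one app; that app's tokens stop working."""
        self.refresh = {k: v for k, v in self.refresh.items() if v != (client_id, user)}
        self.access = {k: v for k, v in self.access.items() if v[:2] != (client_id, user)}

    def is_valid(self, access_token, now):
        entry = self.access.get(access_token)
        return entry is not None and entry[2] > now

def scheduled_job(server, client_id, store, now):
    """Unattended task: reuse the access token, refresh it when expired, never re-prompt."""
    if not server.is_valid(store.get("access_token"), now):
        resp = server.token("refresh_token", client_id, store.get("refresh_token"), now)
        if resp is None:
            return False                 # refresh token revoked: the user must re-authorize
        store["access_token"] = resp["access_token"]
    return True
```

A real client keeps the refresh token in protected storage and only ever sends it to the token endpoint over HTTPS on the official domain, which is the same origin check the thread discusses for the login page.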