Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Token revocation uses wrong authorization method #875

Closed
jclem opened this issue Aug 12, 2016 · 7 comments
Closed

Token revocation uses wrong authorization method #875

jclem opened this issue Aug 12, 2016 · 7 comments

Comments

@jclem
Copy link
Contributor

jclem commented Aug 12, 2016
edited
Loading

The OAuth 2.0 Token Revocation spec states that when revoking a token, "the client also includes its authentication credentials as described in Section 2.3. of [RFC6749]".

The spec's example request for revocation looks like this:

POST /revoke HTTP/1.1
     Host: server.example.com
     Content-Type: application/x-www-form-urlencoded
     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

     token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token

Note the HTTP Basic authentication, not Bearer. The spec goes on to say that the authorization server "first validates the client credentials (in case of a confidential client) and then verifies whether the token was issued to the client making the revocation request. If this validation fails, the request is refused and the client is informed of the error by the authorization server as described below".

It appears as though Doorkeeper instead authorizes the request using HTTP Bearer with an access token, even though a code comment seems to imply otherwise.
@tute
Copy link
Contributor

tute commented Aug 13, 2016

Thank you for reporting. This has been reported by @f3ndot too, and we are now working on it. Thanks!

@jclem
Copy link
Contributor Author

jclem commented Aug 13, 2016

You're welcome, and thank you for maintaining Doorkeeper!

@f3ndot
Copy link
Contributor

f3ndot commented Aug 13, 2016
edited
Loading

This issue has been assigned CVE-2016-6582 as properly authenticated confidential clients will not have their token revoked, with no error from Doorkeeper to indicate otherwise.

@tute and myself have been coordinating a fix as this also affects public, non-confidential clients as well.

@f3ndot
Copy link
Contributor

f3ndot commented Aug 13, 2016
edited
Loading

The security implication is: clients who "log out" a user expect to have the corresponding access & refresh tokens revoked, preventing an attacker who may have already hijacked the session from continuing to impersonate the victim. Because of this bug, this is not the case. As far as MITRE and OWASP are concerned this counts as broken authentication design.

Unless I'm mistaken, all clients (public or confidential) that send well-formed, RFC 7009 compliant requests are affected by this bug. All versions of Doorkeeper that have supported this feature (1.2.0 and later) are affected by this bug.

@tute tute closed this as completed in fb93805 Aug 18, 2016
@tute
Copy link
Contributor

tute commented Aug 18, 2016

Thank you both!

@f3ndot
Copy link
Contributor

f3ndot commented Aug 19, 2016

Added an advisory entry to rubysec/ruby-advisory-db#268

@f3ndot
Copy link
Contributor

f3ndot commented Aug 19, 2016

Findings published: http://seclists.org/oss-sec/2016/q3/332

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tute @jclem @f3ndot