
Re: [oauth] OAuth and HTTP proxies

From: George Fletcher <gffletch@aol.com>
Date: Tue, 10 Mar 2009 15:08:12 +0000
Message-ID: <49B6822A.1050002@aol.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "oauth@ietf.org" <oauth@ietf.org>
I checked and both Host and Authorization MUST be passed through 
unchanged by proxies. So from a signature perspective that will work 
fine for HTTP 1.1 requests (as they require the presence of the Host 
header). Proxies that accept HTTP 1.0 requests SHOULD add the Host 
header based on the received hostname:port in the proxied URI. 
Given that the hostname:port values must be normalized before being 
added to the SBS, this should not break the signature by the downstream 
service.

One issue with OAuth and proxies is that the responses are not signed. 
So while the request to the "server" is protected, the response from the 
server is not. This means that all responses are subject to MITM attacks 
by the proxies. If response signing is added, then proxies can also 
change the content encoding of the response, so all content "decoding" 
must be done before processing the entity body to construct the SBS.

Thanks,
George

Eran Hammer-Lahav wrote:
> Can someone please review the OAuth spec [1], in particular section 3.3.1.3, to help determine if the way OAuth signs requests is compatible with HTTP proxies?
>
> OAuth signs the request URI based on either the content of the Host header or the actual hostname and port used to make the request. It was written with total disregard to proxies and caches. I am trying to find out if it breaks or breaks something else.
>
> EHL
>
> [1] http://tools.ietf.org/html/draft-hammer-oauth-01
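The normalization George relies on, shown as an added example rather than code from either poster: the request URI goes into the signature base string with a lowercased scheme and host, the default port dropped, and the query moved into the sorted parameter list, so a proxy that inserts `Host: Photos.Example.NET:80` on an HTTP/1.0 request yields the same base string as a client that used `photos.example.net`, while a non-default port still changes it. Function names and the IPv4-only `host:port` split are my own choices; the rules follow the OAuth spec (published as RFC 5849, section 3.4.1).

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

DEFAULT_PORT = {"http": "80", "https": "443"}


def pct(s: str) -> str:
    """OAuth percent-encoding: only unreserved characters (A-Z a-z 0-9 - . _ ~) stay literal."""
    return quote(s, safe="~")


def normalize_base_uri(scheme: str, host_header: str, path: str) -> str:
    """Build the base string URI: lowercase scheme and host, drop the default port, no query.
    Assumes a hostname or IPv4 literal in Host; bracketed IPv6 literals are not handled here."""
    scheme = scheme.lower()
    host, _, port = host_header.partition(":")
    host = host.lower()
    if port and port != DEFAULT_PORT.get(scheme):
        host = f"{host}:{port}"  # only a non-default port survives normalization
    return f"{scheme}://{host}{path or '/'}"


def normalize_params(query: str, oauth_params: dict) -> str:
    """Query parameters plus oauth_* parameters, encoded, sorted by name then value."""
    pairs = [(pct(k), pct(v)) for k, v in parse_qsl(query, keep_blank_values=True)]
    pairs += [(pct(k), pct(v)) for k, v in oauth_params.items() if k != "oauth_signature"]
    pairs.sort()
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, scheme: str, host_header: str,
                          request_target: str, oauth_params: dict) -> str:
    """METHOD & encoded(base URI) & encoded(normalized parameters)."""
    parts = urlsplit(request_target)
    base_uri = normalize_base_uri(scheme, host_header, parts.path)
    return "&".join([method.upper(), pct(base_uri),
                     pct(normalize_params(parts.query, oauth_params))])


def hmac_sha1_signature(sbs: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string, keyed with encoded(consumer secret)&encoded(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, sbs.encode(), hashlib.sha1).digest()).decode()
```

The known-answer values in the test are the OAuth Core 1.0 Appendix A example, which is why the constructed request below uses that host and parameter set.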
Received on Tuesday, 10 March 2009 15:30:54 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:01 GMT