elarlang
commented
5 months ago Thank you @TobiasAhnoff for your input!
It is a nice "validation round", do we have pointed out proposals and requirements covered in one way or another in the ASVS.
A general point of view - OAuth is "logic" based on a list of other technologies, and if some requirement is clearly related to the underlying technology, it should be covered there.
proposal 1
1 Verify that AS is built using hardened secure libraries, products or services (implemented according to BCPs)
Not OAuth specific, covered by section V14.1 Build and Deploy
proposal 2
2 Verify that JWTs are verified by RS using a secure hardened library
Not OAuth specific, covered by section V3.4 Cookie-based Session Management.
One option is to move JWT part away from session management, but this discussion you can follow in the issue https://github.com/OWASP/ASVS/issues/1917
proposal 3
3 Verify that client configuration asserts least privilege (e g scopes and flows)
This is something to address. How much detail or level of abstract we can use, is good question.
I opened the same topic in https://github.com/OWASP/ASVS/issues/1916 "Discussion/Proposal 2". Probably it makes sense to open a separate issue for this to keep the focus.
edit: I opened separate issue: https://github.com/OWASP/ASVS/issues/1964 - if it matches with your problem statement, we can move discussion there, if it does not, then we handle it separately.
proposal 4
4 Verify that only access-tokens are used for authorization by the RS (not id-tokens or other kinds of tokens)
Not OAuth specific, general JWT.
I think we should add typ (RFC7519) to this requirement:
| # | Description | L1 | L2 | L3 | CWE | NIST § |
|---|---|---|---|---|---|---|
| 3.5.6 | [ADDED] Verify that other, security-sensitive attributes of a stateless token are being verified. For example, in a JWT this may include issuer, subject, and audience. | ✓ | ✓ | ✓ | 287 |
Also note, that the access token does not need to be a JWT. First random response from related search
proposal 5
5 Verify that AS singing keys are rotated according to threat model
I don't think it is OAuth specific. I'm not sure we have it addressed, need to anaylze chapters:
... but those are in the authentication section.
proposal 6
6 Verify that AS and clients supports client-secret rotation (at least manually)
Manually it is anyway doable. How do you verify that or what the requirement gives extra?
proposal 7
7 Verify that refresh-tokens expires according to threat model and business requirements
The refresh_token topic requires more attention. But there is more than one point of view.
It is different attitude, is the OAuth used as first-party or 3rd party solution. For the first-party and "session management replacement" (which should be disallowed or not recommended) I would say we can apply V3.3 Session Timeout and V3.8 Session Termination requirements.
| # | Description | L1 | L2 | L3 | CWE | NIST § |
|---|---|---|---|---|---|---|
| 3.3.2 | [MODIFIED, SPLIT TO 3.3.5] Verify that there is an absolute maximum session lifetime such that re-authentication is required at least every 30 days for L1 applications or every 12 hours for L2 and L3 applications. | ✓ | ✓ | ✓ | 613 | 7.2 |
For 3rd party solution, we have a requirement currently located in 3.5.1 (it is subject to change via https://github.com/OWASP/ASVS/issues/1917#issuecomment-2027058608)
| # | Description | L1 | L2 | L3 | CWE | NIST § |
|---|---|---|---|---|---|---|
| 3.5.1 | [GRAMMAR] Verify that the application allows users to revoke OAuth tokens that form trust relationships with linked applications. | ✓ | ✓ | 290 | 7.1.2 |
I think we need to be really precise, about what architecture and solution we address with the requirement.
One extra issue to cover with the refresh_token topic expiration is that with new refresh_token the AS must keep the exp value like it was before (and not extend it).
proposal 8
8 Verify that access and refresh tokens are not accessible by Javascript
It requires quite a strong change to widespread attitude, as with using SPA architecture, often the browser uses directly OAuth service, including token endpoint.
I have addressed the same topic in the issue https://github.com/OWASP/ASVS/issues/1916 "Discussion/Proposal 1"
edit: I opened separate issue: https://github.com/OWASP/ASVS/issues/1963
proposal 9
9 Verify that only strong asymmetric signing keys are used
Can you find the matching requirement from [V6 Stored Cryptography](V6 Stored Cryptography)?
proposal 10
10 Verify recommendations for OAuth2 from https://oauth.net/2.1/ and OIDC FAPI 2.0 from https://openid.net/wg/fapi/specifications/ according to your threat model and business requirements.
Yes, with many requirements we took the direction of that style. We could save months of @csfreak92 time :) But now we are here and we go with the list of OAuth-related requirements to v5.0.
Before any further action (open mentioned separate issues) I wait "first wave" of feedback :)
csfreak92
TobiasAhnoff
There are of course many candidates, it is hard to summarize all relevant OAuth and OIDC specs in just a small set of verifications for V51 OAuth.
Here are a few suggestions on some more general verifications that, based on my experience with security reviews and penetration tests, would be interesting to discuss (maybe add as individual items with motivation etc, if that would be a good way to contribute):
(edit: added numbers for organizing the feedback)
Perhaps even have a general verification that simply states: 10 Verify recommendations for OAuth2 from https://oauth.net/2.1/ and OIDC FAPI 2.0 from https://openid.net/wg/fapi/specifications/ according to your threat model and business requirements.
Or just recommend to follow this guidance in the in the text before the verifications (not expressing this as a verification).