DPoP Attacker Model

Misconfigured Resource Endpoint
Compromised/Malicious Resource Server
Stolen Token (XSS)
XSS (Victim is Online)
Precomputed Proofs
Exfiltration from Otherwise Secure Channel

This document outlines attacker models considered for DPoP.

Note: DPoP is still an IETF working group draft. This is not a normative document and the final attacker model for DPoP might look different to the one presented here!

Disclaimer: This document discusses theoretical or practical attacks on OAuth or OpenID Connect. Nonetheless, both standards can be used securely as shown by, among others, formal analyses. With the appropriate security mechanisms, both are even suitable for high-risk environments. As with any security protocol, a careful evaluation of potential threats and the required security mechanisms is indispensable when designing a solution based on OAuth/OpenID Connect.

Misconfigured Resource Endpoint

A resource endpoint is misconfigured. For example, if OAuth Metadata is used, the following configuration can lead to the userinfo endpoint being under the control of the attacker:

{
    "issuer": "https://attacker.com",
    "authorization_endpoint": "https://honest.com/authorize",
    "token_endpoint": "https://honest.com/token",
    "userinfo_endpoint": "https://attacker.com/userinfo"
}

Note that the userinfo endpoint points to an attacker-controlled site.

Attack:

Compromised/Malicious Resource Server

One of multiple resource servers can become compromised or act maliciously for other reasons.

If TLS termination is done at a separate component at the resource server, that component can become compromised, for example by exploting a buffer overflow attack in the reverse proxy:

Stolen Token (XSS)

An attacker can leverage an XSS attack to exfiltrate the access token from a single page application. The attacker then tries to use the token. It is not required that the victim is still online for this attack.

XSS (Victim is Online)

If a user’s browser is online and an attacker has injected JavaScript code into the client’s SPA, the attacker can use the token without exfiltrating it first. There is most likely no defense against this threat except preventing XSS.

Note: It is in general hard or impossible to defend against this threat. It should therefore be considered out of the scope of DPoP.

Precomputed Proofs

If the attacker is able to precompute DPoP tokens, or is able to exfiltrate the secret key needed for generating DPoP proofs along with the access token, DPoP does not protect the access token if no server-generated nonce is used in the proof.

Recommendation: Requiring/allowing for a server-sent nonce via the WWW-Authenticate header would improve the security of DPoP.

Exfiltration from Otherwise Secure Channel

Attacks on TLS might allow for the recovery of strings in encrypted messages that are repeated in multiple messages. One example would be the BREACH attacks against HTTP compression.

Update 1: Added the correct variant of Online XSS; renamed the one that was previously there to “Precomputed proofs”; added “Exfiltration from Otherwise Secure Channel”. Thanks, Neil!

danielfett.de