Page MenuHomePhabricator

Force HTTPS for /token if the Consumer is not using an RSA key
Closed, ResolvedPublic

Description

We currently don't require HTTPS for the consumer to get the authorization token. The auth token's secret is combined with the consumer's secret for an HMAC signature, so part of the signing key would be known to an attacker if they can sniff this traffic.

rfc5849 - 2.3 says that:

Since the request results in the transmission of plain text
credentials in the HTTP response, the server MUST require the use of
a transport-layer mechanism such as TLS or SSL (or a secure channel
with equivalent protections).

However, if the Consumer is using an RSA key, then the authorization token's secret isn't used, so the security isn't affected by not using SSL for the /token call.


Version: master
Severity: normal

Details

Reference
bz54110

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 2:14 AM
bzimport set Reference to bz54110.
csteipp created this task.Sep 14 2013, 12:24 AM

(In reply to comment #0)

However, if the Consumer is using an RSA key, then the authorization token's
secret isn't used, so the security isn't affected by not using SSL for the
/token call.

What about the token credentials returned in the response? Those are still plain text.

Change 85218 had a related patch set uploaded by Anomie:
Use HTTPS for Special:MWOAuth/token

https://gerrit.wikimedia.org/r/85218

Change 85218 merged by jenkins-bot:
Use HTTPS for Special:MWOAuth/token

https://gerrit.wikimedia.org/r/85218

Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:40 PM