<div dir="ltr">here you have more info about it<div><br></div><div><a href="http://seclab.stanford.edu/websec/csrf/csrf.pdf">http://seclab.stanford.edu/websec/csrf/csrf.pdf</a><br></div><div><br></div><div><b>To defend against these attacks, the Relying Party should
generate a fresh nonce at the start of the protocol, store the
nonce in the browser’s cookie store and include the nonce in
the return_to parameter of the OpenID protocol. Upon receiving
a positive identity assertion from the user’s Identity
Provider, the Relying Party should validate that the nonce
included in the return_to URL matches the nonce stored in
the cookie store. This defense is similar to the secret token
validation technique and ensures that the OpenID protocol
session completes on the same browser as it began.</b> <br></div><div><br></div><div>regards</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 21, 2015 at 12:08 PM, Sebastian Marcet <span dir="ltr"><<a href="mailto:sebastian@tipit.net" target="_blank">sebastian@tipit.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">hi Vlad, one thing that you could implement is to pass a "state" query string param on the value of <span style="color:rgb(0,0,0);font-family:verdana,charcoal,helvetica,arial,sans-serif">openid.return_to and associate it with the user session; once you return back to the RP, the state param would be returned also and you could check against it to prevent this kind of attack</span><div><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif"><br></font></div><div><font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif">regards<br></font><div><div><br></div><div><br></div></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 21, 2015 at 11:28 AM, Vladislav Kuzmin <span dir="ltr"><<a href="mailto:vkuzmin@mirantis.com" target="_blank">vkuzmin@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Jimmy,<br><br></div><div>Thanks a lot for your efforts!<br><br></div>But how can we verify that the data from the OpenID endpoint was received from an <a href="http://openstackid.org" target="_blank">openstackid.org</a> endpoint rather than from somewhere else?</div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 20, 2015 at 8:20 PM, Jimmy Mcarthur <span dir="ltr"><<a href="mailto:jimmy@tipit.net" target="_blank">jimmy@tipit.net</a>></span> wrote:<br><blockquote 
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">Sergey,<br>
<br>
Great news! Thanks for the update on OpenID. <br>
<br>
Our other question is around the workflow for the Authorization tokens.
It seems like you're bypassing oAuth2 on OpenStackID in order to manage
the authorization on the refstack client. Why not utilize OpenStackID
for both openid and oAuth2? Basically create the authorization tokens on
the OpenStackID side and create your own resources server as gatekeeper
of your API and validate oauth2 tokens against the introspection endpoint
(<a href="http://ci.openstack.org/openstackid/oauth2.html#token-introspection" target="_blank">http://ci.openstack.org/openstackid/oauth2.html#token-introspection</a>).<br>
<br>
Thoughts?<br>
<br>
Thanks,<br>
Jimmy<br>
<br>
<br>
<br>
Sergey Slypushenko wrote:
<blockquote type="cite">
<div dir="ltr">Jimmy,<br><br>Thank you for your comment! That diagram
was kind of outdated. I have updated it already.<div> </div><div>We are
planning to use OpenID for authentication and we have already been
working on it.<br><br>Regards,<br>Sergey<br><div><br></div><div><br></div></div></div>
<div class="gmail_extra"><br><div class="gmail_quote"><span>On Mon, Apr 20,
2015 at 6:30 PM, Jimmy McArthur <span dir="ltr"><<a href="mailto:jimmy@tipit.net" target="_blank">jimmy@tipit.net</a>></span>
wrote:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span>Sergey,<div><br></div><div>The
biggest thing that stands out is the lack of authentication through
OpenID. It appears that you're still authenticating through oAuth2,
which is against security best practices and not how OpenStackID is
designed. For a primer on the difference and why it's set up this way: <a href="http://nat.sakimura.org/2011/05/15/dummys-guide-for-the-difference-between-oauth-authentication-and-openid/" target="_blank">http://nat.sakimura.org/2011/05/15/dummys-guide-for-the-difference-between-oauth-authentication-and-openid/</a>
(forgive the title, but it does a nice job of illustrating the issue)</div><div><br></div><div>I'm
adding Sebastian here to chime in on potential technical details and
the possibility of setting up your own resource server. The important
thing though is to follow the steps outlined in the OpenStackID
documentation for proper authentication.</div><div><br></div></span><div class="gmail_extra"><span><div><div><div dir="ltr">--<br><div style="color:rgb(136,136,136);margin-right:24px"><span style="color:rgb(0,0,0)">Jimmy McArthur / </span><a style="color:rgb(0,0,0)" href="http://Tipit.net" target="_blank">Tipit.net</a><span style="color:rgb(0,0,0)"> < </span><a style="color:rgb(0,0,0)" href="mailto:jimmy@tipit.net" target="_blank">jimmy@tipit.net</a><span style="color:rgb(0,0,0)">></span><br><a href="tel:512.965.4846" value="+15129654846" target="_blank">512.965.4846</a>
<div><br></div></div></div></div></div>
<br></span><div class="gmail_quote"><span><div><div>On Thu, Apr 16, 2015
at 4:49 AM, Sergey Slypushenko <span dir="ltr"><<a href="mailto:sslypushenko@mirantis.com" target="_blank">sslypushenko@mirantis.com</a>></span> wrote:<br></div></div></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div><div><div dir="ltr">Here you can
find slides with general user stories: <div><ul><li>create user account</li><li>access
to a resource requiring user auth in the Web UI<br></li><li>access to a resource
requiring user auth in the CLI client</li></ul><div><a href="https://docs.google.com/presentation/d/1v7exKKL1zSA102Xu8FkY1u9rMVUE6BjwUCoWGYYvbaI/edit#slide=id.g9870fa983_0_0" target="_blank">https://docs.google.com/presentation/d/1v7exKKL1zSA102Xu8FkY1u9rMVUE6BjwUCoWGYYvbaI/edit#slide=id.g9870fa983_0_0</a><br></div></div><div><br></div><div>Any
comments related to this topic will be very appreciated.</div><div><br></div><div><div style="font-size:12.8000001907349px">Regards,</div><div style="font-size:12.8000001907349px">Sergey Slipushenko,</div><div style="font-size:12.8000001907349px"><br></div><div style="font-size:12.8000001907349px">Software Developer,</div><div style="font-size:12.8000001907349px">Kharkiv, Ukraine,</div><div style="font-size:12.8000001907349px">Mirantis Inc.</div></div><div><br></div></div>
<br></div></div></div></div><span>_______________________________________________<br>
OpenStack-Infra mailing list<br>
<a href="mailto:OpenStack-Infra@lists.openstack.org" target="_blank">OpenStack-Infra@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra</a><br>
<br></span></blockquote></div><br></div></div></blockquote></div><br></div>
</blockquote>
</div>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
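<div>As an added example (not code from this thread, the Stanford paper, OpenStackID or refstack), the return_to nonce defense quoted at the top of the thread sketched in Python: the Relying Party mints a nonce when login starts, stores it in a cookie and in openid.return_to, then on the positive assertion checks that both copies agree and consumes the cookie. The cookie name, callback URL and query parameter name are assumptions.</div>

```python
# Added example, not code from the thread, the Stanford paper, OpenStackID or
# refstack: the OpenID 2.0 return_to nonce defense on the Relying Party side.
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

NONCE_COOKIE = "openid_rp_nonce"                        # assumed cookie name
RETURN_TO_BASE = "https://rp.example/openid/callback"   # placeholder RP URL
NONCE_PARAM = "rp_nonce"                                # assumed query param


def start_login(cookie_jar: dict) -> dict:
    """Step 1: mint a fresh nonce, bind it to this browser via a cookie, and
    embed the same nonce in openid.return_to so it rides along the whole
    redirect through the Identity Provider."""
    nonce = secrets.token_urlsafe(32)
    cookie_jar[NONCE_COOKIE] = nonce      # stands in for Set-Cookie (HttpOnly, Secure)
    return_to = RETURN_TO_BASE + "?" + urlencode({NONCE_PARAM: nonce})
    # Only the fields relevant to the defense; a real checkid_setup request
    # also carries openid.ns, openid.claimed_id, openid.identity, etc.
    return {"openid.mode": "checkid_setup", "openid.return_to": return_to}


def _nonce_from_return_to(return_to: str) -> Optional[str]:
    """Extract exactly one nonce from the return_to URL; reject absent or
    duplicated parameters rather than guessing which copy to trust."""
    if not return_to.startswith(RETURN_TO_BASE):
        return None
    values = parse_qs(urlsplit(return_to).query).get(NONCE_PARAM, [])
    return values[0] if len(values) == 1 else None


def finish_login(cookie_jar: dict, assertion: dict) -> bool:
    """Step 2: on the positive assertion (mode=id_res) require the nonce echoed
    in openid.return_to to equal the nonce this browser presents in its cookie.
    The cookie is consumed on every attempt so a nonce cannot be replayed.
    Verifying the Provider's signature (which covers openid.return_to) is a
    separate step that still has to happen before the login is accepted."""
    expected = cookie_jar.pop(NONCE_COOKIE, None)
    if assertion.get("openid.mode") != "id_res":
        return False
    got = _nonce_from_return_to(assertion.get("openid.return_to", ""))
    if expected is None or got is None:
        return False
    # Constant-time comparison: the nonce is a secret shared with one browser.
    return hmac.compare_digest(expected, got)
```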