How do I prevent spoofing in OAuth Echo scenarios?


#1

Having read over the OAuth Echo workflow here: https://dev.twitter.com/docs/auth/oauth/oauth-echo, I’m wondering what steps I, as a delegator, can take to ensure that I don’t honor “spoofed” requests?

That is, say a malicious consumer passes me an OAuth Echo request, but in the X-Auth-Service-Provider header, they point at some malicious service provider which returns a 200, and whatever other bad info I might otherwise trust? Obviously in the Twitter case, I won’t be able to turn around and perform actions against a user’s twitter account with a spoofed X-Verify-Credentials-Authorization, but that still leaves me in the lurch when trying to deal with issues on my own service. Like, if I’m TwitPic and actually store the image uploaded because I think the credentials I got were legitimate, which means I’m wasting storage space on a bad request?

I’m new to OAuth and OAuth Echo so if there’s something inherent in OAuth that prevents this, I’d appreciate some pointers on what I’m missing, just trying to learn the basics here.


#2

I recommend just some basic protections – if the only service that you want to offer OAuth Echo support for is Twitter, then consume the X-Auth-Service-Provider value, disassemble the URL, and validate the domain name is one on your whitelist of approved domains – in this case, twitter.com. It’s important not to require an absolute value for that field, as important parameters can be added to the request URI (especially in iOS5 scenarios). Additionally, you could validate that the path matches one you consider to be canonical for your purposes – like account/verify_credentials.json or .xml.

At least with that protection, you’d only be servicing requests that concretely involve Twitter.
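Taylor's host-and-path check, written out as a delegator-side validator. This is an added example for this thread, not code from Twitter's docs or any library. It assumes the verify_credentials endpoint is served over https on twitter.com (named in the thread) or api.twitter.com (an assumption), with an optional numeric version segment before account/; adjust the constants for your own allowlist. The host is compared exactly rather than by suffix, and userinfo in the authority is rejected, so values like twitter.com.evil.example or twitter.com@evil.example do not pass. Query parameters on the path are allowed, as the reply recommends.

```python
"""Delegator-side validation of the X-Auth-Service-Provider header (added example).

Assumptions (not from the thread): https only; hosts twitter.com / api.twitter.com;
path is an optional numeric API version followed by account/verify_credentials.json|xml.
"""
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"twitter.com", "api.twitter.com"})
# Canonical path: optional version segment (e.g. "/1/"), then account/verify_credentials.{json,xml}
CANONICAL_PATH = re.compile(r"^/(?:\d+(?:\.\d+)?/)?account/verify_credentials\.(?:json|xml)$")


def validate_service_provider(header_value):
    """Return (ok, reason). ok is True only when the URL names an allowlisted host
    and the canonical verify_credentials path. Query parameters are permitted."""
    try:
        parts = urlsplit(header_value.strip())
        host = parts.hostname  # lowercased; userinfo and port already stripped
        port = parts.port      # raises ValueError on a malformed port
    except ValueError as exc:
        return False, "unparseable URL: %s" % exc
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in authority is not allowed"
    if host not in ALLOWED_HOSTS:
        return False, "host %r not in allowlist" % host
    if port not in (None, 443):
        return False, "unexpected port %r" % port
    if not CANONICAL_PATH.match(parts.path):
        return False, "path %r is not the verify_credentials endpoint" % parts.path
    return True, "ok"


def lookup_url_from_headers(headers):
    """Find X-Auth-Service-Provider (case-insensitive) in the incoming request headers
    and return the URL the delegator may forward the credentials check to, or None.
    On None the delegator should make no outbound call and store nothing for the request."""
    for name, value in headers.items():
        if name.lower() == "x-auth-service-provider":
            ok, _reason = validate_service_provider(value)
            return value.strip() if ok else None
    return None


if __name__ == "__main__":
    # Constructed sample header values for illustration.
    samples = [
        "https://api.twitter.com/1/account/verify_credentials.json",
        "https://api.twitter.com/1/account/verify_credentials.json?include_entities=true",
        "https://twitter.com.evil.example/1/account/verify_credentials.json",
        "https://twitter.com@evil.example/1/account/verify_credentials.json",
        "http://api.twitter.com/1/account/verify_credentials.json",
        "https://api.twitter.com/1/statuses/update.json",
    ]
    for s in samples:
        print(validate_service_provider(s), s)
```

Run the validation before the outbound request is made: a 200 from an endpoint that was never allowed to be contacted is worthless, so the decision to honour the request should rest on the allowlist, not on the response.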


#3

That makes sense – a bolded section in the post I originally linked stated "Please note that one should use the URL provided to them by X-Auth-Service-Provider to perform the look up…" so it seemed like the official recommendation was to just trust the URI provided in the X-Auth-Service-Provider header. Since I’m just starting to learn about OAuth I figured maybe there was some implied step in the overall request workflow I was missing. Thanks Taylor.


#4

Great! That doc is meant to serve a couple purposes – one is to document OAuth Echo as a thing (not necessarily with Twitter in mind) and then the more practical angle when working with Twitter… it’s a bit of a balancing act.