IETF Logo Mail Archive

Re: [OAUTH-WG] redirect uri and portals

Jaimandeep Singh <jaimandeep.phdcs21@nfsu.ac.in> Tue, 07 March 2023 09:43 UTC

Return-Path: <jaimandeep.phdcs21@nfsu.ac.in>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1768C14CE4D for <oauth@ietfa.amsl.com>; Tue, 7 Mar 2023 01:43:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.083
X-Spam-Level:
X-Spam-Status: No, score=-2.083 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nfsu.ac.in
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zmzZ8UERbCPl for <oauth@ietfa.amsl.com>; Tue, 7 Mar 2023 01:42:57 -0800 (PST)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1222FC14CE51 for <oauth@ietf.org>; Tue, 7 Mar 2023 01:42:50 -0800 (PST)
Received: by mail-lj1-x231.google.com with SMTP id h9so12538667ljq.2 for <oauth@ietf.org>; Tue, 07 Mar 2023 01:42:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nfsu.ac.in; s=google; t=1678182169; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=m/OLiXzd7Y9liG5e+1TBzB/ogyK3EQzTDzuyACfgnzY=; b=WnUUPgmktVBr+02HUh99KOjR1/MLvBClePOhH+lRiecJRmA+mxuzPR3Tt0XRTDlyCN Ja8nEOEaaEDbKCh/NLmnjFpXnDvVGJfRH5PzsxiJdcorLkLlAftgy15BUBOU/41Y4xtJ t0NQTwjJkVhZh2miFWEvkiTgAmbys6CMkWmzw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678182169; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=m/OLiXzd7Y9liG5e+1TBzB/ogyK3EQzTDzuyACfgnzY=; b=tvRzyagqIq13A/UoZ26oStcz4XCvHR5NvSv4RmEJ0DvKaxSw3nEWQDcIeQ35cA7mAc QcYHs+t5EtxLkum+nFfbCVj68v6p10Pb9ZJl8P0C3mIlnCHfcffVclOE+2jWSk5UwHH3 UI5uO+K7zoHQC55QYeU7btG6EIbvi+Y2DCSwgslhgpgCZHL2gpodyHKFqc1YkpK7CcC2 X5XU8Wcr3cAgRAF5RdKkcOUONkggsOTCej3a+IKb2ckDNdzihT3YbIF4VlGDtj4sVCk5 biWUld7WywfrhzmTcSOESJaFCtdTKCtcX/O8IjNDTNEdCDMDBY0jkveHirGYZhcpAfvy AVXw==
X-Gm-Message-State: AO0yUKU/FMNHp2yF8q+j35K6E7VWbHbClwcYuebstq0R07dD3r0Ve3tB NlBKOZfT/xFDpCTJuf0Z3N9P9lAUGy5bgMorRo4n8A==
X-Google-Smtp-Source: AK7set82ziKC5kPB+m3k3XHf1t6JKKrbxINTFQrYCBXxGbItnwapktG+YhM5Z/hgrzuSASHa7jOMfbd9k36R1R4Ugjs=
X-Received: by 2002:a05:651c:3c6:b0:295:8ef2:874a with SMTP id f6-20020a05651c03c600b002958ef2874amr4127611ljp.0.1678182169057; Tue, 07 Mar 2023 01:42:49 -0800 (PST)
MIME-Version: 1.0
References: <CALNQ_jKjTQt+6YaJBXTPJNv-LkvpPxdeJ7w_1jBinBfa6H5M7Q@mail.gmail.com> <CAEFJvapugLJ_b0wNjQrC=1i+WnhZdAjdyECVE4hUuMBBRrWYbw@mail.gmail.com> <CALNQ_jJL17KMTJeam2z72wTyFkA8JaMGtgjftyqgNH3jqgRf-Q@mail.gmail.com> <CAGBSGjosL7pK8_EKYUDg4FbQRdi9m2NiA6meAhDHRsWtODFK0g@mail.gmail.com> <CALNQ_j+sc8gWEk-Z+v2dFoVY5MuzvaYL7b7Mz0Y93tioDZGepA@mail.gmail.com> <CADom2f1Z22cHrkdsh2o9yRDY-6_qMhDT-YL7Mh40yVocbsJffg@mail.gmail.com> <CALNQ_jKYmETH=1hZU_A__-KdyiT3-6e3f+2fvtBEiVsTRx2MYw@mail.gmail.com>
In-Reply-To: <CALNQ_jKYmETH=1hZU_A__-KdyiT3-6e3f+2fvtBEiVsTRx2MYw@mail.gmail.com>
From: Jaimandeep Singh <jaimandeep.phdcs21@nfsu.ac.in>
Date: Tue, 07 Mar 2023 15:12:37 +0530
Message-ID: <CAODMz5FLfyV4i1GcGLiWV5vuukJfWHxrXWGXSF4fgpFL+uOsFQ@mail.gmail.com>
To: Yannick Majoros <yannick@valuya.be>
Cc: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000e2b0d05f64c3cf5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-S-iXZ67JMiRXOXlKQ0Bebrii7o>
Subject: Re: [OAUTH-WG] redirect uri and portals
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2023 09:43:02 -0000

Dear Yannick,

1. You have brought out a very valid design issue. I think it is a
good design imperative to land back on the same webpage from where we
started the oauth process. While there are various ways to handle this
problem at the application level, why should we do the same in custom
ways,  when we have specifications that can provide a standardized way.
Therefore, I suggest that we incorporate this requirement as a design goal
for the specification.

2. Once we have agreed that it is a valid design goal, we can discuss ways
to handle the same such as:

(a) The client includes redirect_uri in the request which currently has no
practical use. However, it can be utilized to store information about the
current page where the client is engaged. We can compare the domain of the
`request_uri` with the `registered_uri` at auth server (non-standard
terminology is used here for ease of comprehension) and then redirect the
page back to `request_uri`, if it meets the specified criteria such as same
domain as that of `registered_uri`. Additionally, we can incorporate other
fields at the time of client application registration with the
authorization server such as `strict` and `lax` similar to those used in
same-site cookie management  [draft-rfc referred here
<https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-11.html#name-same-site-and-cross-site-re>].
The `strict` setting can enable strict domain checking, whereas the `lax`
setting can allow subdomains. This will at least address the routing
problem.

(b) Alternatively, we can move client application authentication before
starting the user interaction as already mentioned in the PAR
specification. And also suggested here
<https://www.researchgate.net/publication/367557833_Unified_Singular_Protocol_Flow_for_OAuth_USPFO_Ecosystem>
.

These can be considered for discussion in the upcoming IETF.

Regards
Jaimandeep Singh

On Tue, Mar 7, 2023 at 4:04 AM Yannick Majoros <yannick@valuya.be> wrote:

> Hi Rodrigo,
>
> Thanks for the link. I'm already familiar with that document, but maybe
> you can point me to some part that I missed.
>
> My questions are:
> - In a context where all redirect URIs are under our control, how is
> passing state and validating it back after login better, from a security
> point of view, than validating redirect uri in the routing implementation
> of the application? Both sound equally secure to me, though redirect_uri
> seems much easier to implement.
> - How can I implement that use case easily: after login, redirecting the
> user back to the originally requested page, including parameters? Is that
> somehow covered in the document you provided, or somewhere else?
> - And regarding that document, isn't 4.1.1 easily mitigated by PKCE anyway?
>
> I'm currently under the impression that this is a very common and
> legitimate use case, but that it is somehow underspecified and that
> everyone is reimplementing a variant of state passing + custom redirection
> after login. I'm failing to understand how such an implementation, besides
> being non-standard anyway, would be better than redirect URI patterns, in a
> controlled context. More thoughts on that?
>
> Thanks,
>
> Yannick
>
> Le lun. 6 mars 2023, 22:08, Rodrigo Speller <rspeller@primosti.com.br> a
> écrit :
>
>> Hi Yannick,
>>
>> There is a work-in-progress draft that touches many threats and best
>> practices when implementing OAuth 2 [
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/21/].
>> I recommend that you read entire document, but, especially, about your
>> questions, you may understand the threats about wildcards URL validation in
>> section 4.1.1.
>>
>> This document also addresses some state threats and best practices.
>>
>> Rodrigo Speller
>>
>>
>> Em seg., 6 de mar. de 2023 às 17:06, Yannick Majoros <yannick@valuya.be>
>> escreveu:
>>
>>> Hey Aaron,
>>>
>>> Sure, this is some kind of open redirector. I had a similar example with
>>> Uber. Still, those examples involve integrations with 3rd party
>>> applications. It also seems to me that they either imply implicit flow, or
>>> an authorization code not protected by PKCE. Aren't we mitigating these use
>>> cases anyway?
>>>
>>> So, I'm wondering:
>>> - How should I implement a redirection to the page which was requested
>>> before login (which optionally takes parameters)? I understand I can use
>>> some persisted state for that, but what then? Should the portal or company
>>> web site know about all application URLs underneath it, with all their
>>> parameters, to be able to validate them against a list?
>>> - How is that better, from a security point of view, than having a
>>> redirect to our domain, with a wildcard, making all applications that need
>>> some form of routing to validate their URLs?
>>>
>>>
>>>
>>> Le lun. 6 mars 2023 à 20:38, Aaron Parecki <aaron@parecki.com> a écrit :
>>>
>>>> There is no situation in which supporting arbitrary redirects (whether
>>>> from the OAuth redirect URI or within your own app) is a good idea.
>>>>
>>>> This is known as an Open Redirector, and is the basis of many attacks
>>>> on OAuth as well as other things unrelated to OAuth. OWASP has a cheat
>>>> sheet about this as well:
>>>>
>>>> https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
>>>>
>>>> There was an example published just last week of combining a wildcard
>>>> redirect_uri with another open redirector to accomplish an account
>>>> takeover. It's worth reading the writeup if you're curious about the
>>>> implications of wildcard redirects within and outside of OAuth.
>>>>
>>>>
>>>> https://salt.security/blog/traveling-with-oauth-account-takeover-on-booking-com
>>>>
>>>> Aaron
>>>>
>>>> On Mon, Mar 6, 2023 at 11:31 AM Yannick Majoros <yannick@valuya.be>
>>>> wrote:
>>>>
>>>>> Thanks for your input.
>>>>>
>>>>> All of that would be quite common indeed, but in what way is it
>>>>> better, from a security perspective, than redirect URIs with wildcards?
>>>>>
>>>>> Yannick
>>>>>
>>>>> Le lun. 6 mars 2023 à 18:28, Vittorio Bertocci <vittorio@auth0.com> a
>>>>> écrit :
>>>>>
>>>>>> In my experience the most common solution, adopted by many SDKs, is
>>>>>> based on 2.
>>>>>> Where you redirect after you concluded the token acquisition ceremony
>>>>>> is a private consideration for your app, that shouldn’t interfere with how
>>>>>> the client is registered. Oauth offers you the chance to store and retrieve
>>>>>> state, you can use that to save the initial requested URL and redirect to
>>>>>> it after the fact. If you are concerned with injections, you can always
>>>>>> sign/encryp the state to protect it from tampering.
>>>>>> All of the above is mainstream, you can observe the traffic from
>>>>>> popular SDKs to see how that works.
>>>>>> HTH
>>>>>> V.
>>>>>>
>>>>>> On Mon, Mar 6, 2023 at 09:12 Yannick Majoros <yannick@valuya.be>
>>>>>> wrote:
>>>>>>
>>>>>>> *This message originated outside your organization.*
>>>>>>>
>>>>>>> ------------------------------
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> From my understanding, OAuth 2 as well as 2.1 do not allow for
>>>>>>> wildcards in redirect_uri . Now, a common requirement for a portal or
>>>>>>> company-wide website, where multiple applications are deployed, is to be
>>>>>>> able to login and come back to the page from which the login was triggered.
>>>>>>>
>>>>>>> How can this be achieved securely with OAuth?
>>>>>>>
>>>>>>> Some options:
>>>>>>> 1) passing a parameter, say *callback_uri*, around from auth
>>>>>>> request back to redirect from auth server.
>>>>>>> 2) storing some state, e.g. in session storage, and redirect after
>>>>>>> login
>>>>>>> 3) violating the specifications and just use a redirect uri with a
>>>>>>> wildcard in the last part (some implementations, like keycloak, allow that)
>>>>>>>
>>>>>>> 1) and 2) are kind of similar IMO: the application has to validate
>>>>>>> whatever context comes and redirect to the right page, akin to deep linking
>>>>>>> But then, outside of some extra validation, I'd prefer to have a
>>>>>>> standard mechanism (less bypassing the restrictions) as redirect uri than
>>>>>>> to reinvent the wheel for each application, which is what that kind of
>>>>>>> callback url does. Also, I'm not sure why that extra validation would
>>>>>>> improve things in practice: if there is a vulnerability in the application
>>>>>>> routing code leading to some vulnerable redirect, wouldn't it just be
>>>>>>> duplicated in that validation step?
>>>>>>>
>>>>>>> So, I'm tempted to go for 3, knowing we would have those mitigations:
>>>>>>> - checking at authorization server whether the redirect is to the
>>>>>>> same uri the request originally came from
>>>>>>> - PKCE will restrict reuse of the authorization code anyway
>>>>>>>
>>>>>>> What are your thoughts on how to implement that quite common feature?
>>>>>>>
>>>>>>> Best regards,
>>>>>>> --
>>>>>>> Yannick Majoros
>>>>>>> Valuya sprl
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Yannick Majoros
>>>>> Valuya sprl
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>
>>>
>>> --
>>> Yannick Majoros
>>> Valuya sprl
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Regards and Best Wishes
Jaimandeep Singh
LinkedIn <http://www.linkedin.com/in/jaimandeep-singh-07834b1b7>

v2.23.0 | Report a Bug | By Email