IETF Logo Mail Archive

Re: [OAUTH-WG] redirect uri validation (was: Issue 15, new client registration)

Eran Hammer-Lahav <eran@hueniverse.com> Sun, 24 July 2011 07:46 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C44721F857E for <oauth@ietfa.amsl.com>; Sun, 24 Jul 2011 00:46:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.561
X-Spam-Level:
X-Spam-Status: No, score=-2.561 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jY8glK5Pu8Hu for <oauth@ietfa.amsl.com>; Sun, 24 Jul 2011 00:46:36 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id ACEDD21F855C for <oauth@ietf.org>; Sun, 24 Jul 2011 00:46:36 -0700 (PDT)
Received: (qmail 25400 invoked from network); 24 Jul 2011 07:46:35 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 24 Jul 2011 07:46:35 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Sun, 24 Jul 2011 00:46:35 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "torsten@lodderstedt-online.de" <torsten@lodderstedt-online.de>, "oauth@ietf.org" <oauth@ietf.org>
Date: Sun, 24 Jul 2011 00:46:00 -0700
Thread-Topic: redirect uri validation (was: Issue 15, new client registration)
Thread-Index: AcxJ1GNeyN7w8RgFTGid1flnGAwt1gAALuBg
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72345021F37877@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <fcffd9492cbaced09c93f4e3c37b569f@lodderstedt-online.de>
In-Reply-To: <fcffd9492cbaced09c93f4e3c37b569f@lodderstedt-online.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] redirect uri validation (was: Issue 15, new client registration)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jul 2011 07:46:37 -0000


> -----Original Message-----
> From: torsten@lodderstedt-online.de [mailto:torsten@lodderstedt-
> online.de]
> Sent: Sunday, July 24, 2011 12:36 AM
> To: Eran Hammer-Lahav; oauth@ietf.org
> Subject: redirect uri validation (was: Issue 15, new client registration)
> 
> Hi Eran,
> 
> let's move the discussion regarding redirect uri validation into another threat.
> 
> >Personally, given the clear direction the web is taking where
> >applications are moving off hosted servers to mobile devices and
> >in-browser software, I believe >that focusing OAuth 2.0 ability to
> >identify a client based on a secret is counterproductive.
> 
> funny you mention this. I was advocating in favor of native apps support in
> OAuth 2 since I joined this group :-) And I'm not saying secrets should be
> used to authenticate those apps, I never suggested that.
> 
> >This is why my last rewrite put much more weight on the redirection
> >URI and clarifying registration requirements.
> 
> I think redirect uri validation is especially ineffective for this client category.

It’s a big category. Hosted JS clients with https:// registered redirection URI provide pretty strong identification.

> The authz server can check the redirect uri of such a client. But it can only
> detect those malicious clients which are using another URI than the pre-
> registrered uri (most probably web-based clients). Clients using the correct
> URI are not neccessarily the legitimate clients. Why?
> Because native apps will most likely use URLs with custom URI schemes
> which are used to re-activate the app on the device through the local
> browser. So there is not a single "endpoint" such a URI is pointing to, but this
> URI is resovled relative to every device. So a malicious app on one device can
> perfectly use the redirect URI a legitmate client uses on another device and it
> will still receive the authz result.

I agree. One of my OSCON OAuth 2.0 slide shows this flow with the comment "Registered custom scheme URI (custom://) provides weak client identification".

However, native apps are much harder to use for a social engineering attack (compared to web apps) because the user has to install something proactively. This means showing the user the logo of the expected client should raise a red flag when it doesn't match the application being executed.

> >OAuth 1.0 was highly criticized for failing to address client identity
> >in public clients. I believe OAuth 2.0 offers a much better story,
> >within the boundaries >of what’s possible today.
> 
> Agreed. I think we must honestly discuss the value of client
> authentication/identification itself. I personally think it is over-emphazised
> right now. The strength of OAuth 2.0 is that it allows solutions where neither
> client nor resource server have access or do store end-user credentials.
> Client authentication is nice but not the main feature.

Do you have any specific suggestions not already mentioned on the list?

EHL

v2.23.0 | Report a Bug | By Email