Re: [OAUTH-WG] redircet_uri matching algorithm
Mike Jones <Michael.Jones@microsoft.com> Thu, 21 May 2015 19:29 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E28B1A889D for <oauth@ietfa.amsl.com>; Thu, 21 May 2015 12:29:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rgQpYX57U5O9 for <oauth@ietfa.amsl.com>; Thu, 21 May 2015 12:29:53 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0143.outbound.protection.outlook.com [65.55.169.143]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD17E1A890F for <oauth@ietf.org>; Thu, 21 May 2015 12:29:30 -0700 (PDT)
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB441.namprd03.prod.outlook.com (10.141.141.142) with Microsoft SMTP Server (TLS) id 15.1.172.17; Thu, 21 May 2015 19:29:28 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0172.012; Thu, 21 May 2015 19:29:28 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Antonio Sanso <asanso@adobe.com>, John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] redircet_uri matching algorithm
Thread-Index: AQHQkxZHIejCyvza/Eyad4viMNJG1J2Ft1+AgABVjACAAMWF8A==
Date: Thu, 21 May 2015 19:29:27 +0000
Message-ID: <BY2PR03MB4423D6CD3799CEB1F321DB8F5C10@BY2PR03MB442.namprd03.prod.outlook.com>
References: <46886BA8-B8E1-494F-9F5D-4DB6AE0BEB99@paroga.com> <12863D78-C7CC-4E71-B4F6-09556B8E4F2B@ve7jtb.com> <C92B190E-A25F-4552-8768-DD43C9F0D0C7@adobe.com>
In-Reply-To: <C92B190E-A25F-4552-8768-DD43C9F0D0C7@adobe.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [2001:4898:80e0:ee43::4]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB441; 3:Pmuuy+8YdmG+YbCmVptEd3MAYZ/XRDhL20NwBOmUDcSoWvAJTuEtlfGq2EoK6M+mNT76pQ/qguTzQ1mOksNAn+aDnD7/yQcIu9BmYUcvlQ+ZXfUtGWdUSIBWPWhMLtMFvbM6o4oLifMPcy92gMFlIw==; 10:mITQpcs/Fb1zNXNvwLU1yauYh0r6YUxzwwIZlwej7dWRQTG+XDPwUW43Ihr7Fnzwr8wcVmr+8ShSnGEm4R1yYSAdQSrO7+tdpGtoXFOzRho=; 6:SjZgVHwmsOA2RW0iGkEVmi444RuWGhFqw9QUZeRoVakMwLOkFVpaygul0wj4uPib
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB441;
x-microsoft-antispam-prvs: <BY2PR03MB4413F1AA63271DE1449AD85F5C10@BY2PR03MB441.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BY2PR03MB441; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441;
x-forefront-prvs: 0583A86C08
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(13464003)(24454002)(199003)(377454003)(51704005)(189002)(106356001)(102836002)(15975445007)(86362001)(122556002)(64706001)(106116001)(1720100001)(68736005)(77096005)(62966003)(77156002)(40100003)(76176999)(54356999)(15395725005)(50986999)(86612001)(5001770100001)(189998001)(5001960100002)(5001860100001)(5001830100001)(19580405001)(46102003)(19580395003)(99286002)(105586002)(97736004)(2656002)(81156007)(74316001)(33656002)(101416001)(87936001)(92566002)(4001540100001)(76576001)(2950100001)(2900100001)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB441; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 May 2015 19:29:28.0510 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/3JGwQQuCQ2y1NKlmGVVFHw-Z30M>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] redircet_uri matching algorithm
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 19:29:55 -0000
+1 I vehemently concur that that working group should stay completely clear of facilitating this insecure practice. -- Mike -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Antonio Sanso Sent: Thursday, May 21, 2015 12:41 AM To: John Bradley Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] redircet_uri matching algorithm On May 21, 2015, at 4:35 AM, John Bradley <ve7jtb@ve7jtb.com> wrote: > I think the correct answer is that clients should always assume exact redirect_uri matching, and servers should always enforce it. > > Anything else is asking for trouble. FWIW I completely agree with John here... regards antonio > > If clients need to maintain some state the correct thing to do is use the state parameter, and not append extra path or query elements to there redirect_uri. > > A significant number of security problems in the wild come from servers not enforcing this. > > I may be taking an excessively hard line, but partial matching is not something we should be encouraging by making easier. > > I did do a draft on a way to safely use state https://tools.ietf.org/id/draft-bradley-oauth-jwt-encoded-state-04.txt > > John B. > > >> On May 16, 2015, at 4:43 AM, Patrick Gansterer <paroga@paroga.com> wrote: >> >> "OAuth 2.0 Dynamic Client Registration Protocol" [1] is nearly finished and provides the possibility to register additional "Client Metadata". >> >> OAuth 2.0 does not define any matching algorithm for the redirect_uris. The latest information on that topic I could find is [1], which is 5 years old. Is there any more recent discussion about it? >> >> I'd suggest to add an OPTIONAL "redirect_uris_matching_method" client metadata. Possible valid values could be: >> * "exact": The "redirect_uri" provided in a redirect-based flow must match exactly one of of the provided strings in the "redirect_uris" array. >> * "prefix": The "redirect_uri" must begin with one of the "redirect_uris". (e.g. "http://example.com/path/subpath" would be valid with ["http://example.com/path/", "http://example.com/otherpath/"]) >> * "regex": The provided "redirect_uris" are threatened as regular expressions, which the "redirect_uri" will be matched against. (e.g. "http://subdomain.example.com/path5/" would be valid with ["^http:\\/\\/[a-z]+\\.example\\.com\\/path\\d+\\/"] >> >> If not defined the server can choose any supported method, so we do not break existing implementations. On the other side it allows an client to make sure that a server supports a specific matching algorithm required by the client. ATM a client has no possibility to know how a server handles the redirect_uris. >> >> [1] http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-29 >> [2] http://www.ietf.org/mail-archive/web/oauth/current/msg02617.html >> >> -- >> Patrick Gansterer >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] redircet_uri matching algorithm Patrick Gansterer
- Re: [OAUTH-WG] redircet_uri matching algorithm David Waite
- Re: [OAUTH-WG] redircet_uri matching algorithm Bill Burke
- Re: [OAUTH-WG] redircet_uri matching algorithm Justin Richer
- Re: [OAUTH-WG] redircet_uri matching algorithm John Bradley
- Re: [OAUTH-WG] redircet_uri matching algorithm Antonio Sanso
- Re: [OAUTH-WG] redircet_uri matching algorithm Mike Jones
- Re: [OAUTH-WG] redircet_uri matching algorithm Bill Mills
- Re: [OAUTH-WG] redircet_uri matching algorithm Pedro Igor Silva
- Re: [OAUTH-WG] redircet_uri matching algorithm Donald F. Coffin
- Re: [OAUTH-WG] redircet_uri matching algorithm Patrick Gansterer