Re: [OAUTH-WG] redirect uri validation
Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 14 September 2011 14:26 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66B6521F8B9D for <oauth@ietfa.amsl.com>; Wed, 14 Sep 2011 07:26:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level:
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_102=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mSO7n4vhWTWf for <oauth@ietfa.amsl.com>; Wed, 14 Sep 2011 07:26:29 -0700 (PDT)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.31.101]) by ietfa.amsl.com (Postfix) with ESMTP id 65FD521F8B64 for <oauth@ietf.org>; Wed, 14 Sep 2011 07:26:29 -0700 (PDT)
Received: from [80.67.16.112] (helo=webmail.df.eu) by smtprelay06.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1R3qS3-00068c-U1; Wed, 14 Sep 2011 16:28:35 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Date: Wed, 14 Sep 2011 16:28:35 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: Eran Hammer-Lahav <eran@hueniverse.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234518A4F23D2@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <fcffd9492cbaced09c93f4e3c37b569f@lodderstedt-online.de> <90C41DD21FB7C64BB94121FBBC2E72345021F37877@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E2DAAEA.7090304@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E7234502498CDD7@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E7234502498CDDE@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E498313.3080009@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E7234518A4F23D2@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Message-ID: <47afa9b25ff9b1ceb506b723c2bbe95e@lodderstedt-online.de>
X-Sender: torsten@lodderstedt.net
User-Agent: Roundcube Webmail/0.5.2
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: oauth@ietf.org, eran@sled.com
Subject: Re: [OAUTH-WG] redirect uri validation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Sep 2011 14:26:31 -0000
ok with me. On Sun, 4 Sep 2011 15:13:01 -0700, Eran Hammer-Lahav wrote: > That's not complete. A valid redirection URI is not enough to verify > client identity at the time it is presented, but it is enough in many > cases to prevent leaking credentials later on. > > How about a slight change: > > A valid redirection URI is not sufficient to verify the > client's identity when asking for > end-user authorization, but can be used to prevent > delivering credentials to a > counterfeit client after obtaining end-user authorization. > > EHL > >> -----Original Message----- >> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net] >> Sent: Monday, August 15, 2011 1:36 PM >> To: Eran Hammer-Lahav >> Cc: eran@sled.com; oauth@ietf.org >> Subject: Re: [OAUTH-WG] redirect uri validation >> >> Hi Eran, >> >> Am 15.08.2011 08:57, schrieb Eran Hammer-Lahav: >> > Added to 1.4.2: >> > >> > When issuing an implicit grant, the authorization >> server does not >> authenticate the >> > client and [[in some cases]], the client identity >> [[can]] be verified via >> the redirection URI >> > used to deliver the access token to the client. The >> access token may >> be exposed to the >> > resource owner or other applications with access to >> the resource >> owner's user-agent. >> > >> > Hope this is sufficient. >> >> What do you want to express? Clients can sometimes be verified via >> redirection URI? >> >> My intention was to point out that an invalid redirect URI is a >> counter- >> evidence for a client's identity but a valid redirect URI is _not_ >> an evidence >> for its identity. >> >> I would suggest to add the text below to section 10.1., last >> paragraph after >> the sentence >> >> "For >> example, by requiring the registration of the client redirection >> URI >> or enlisting the resource owner to confirm identity." >> >> proposed text: >> >> Please note: while an invalid redirection URI indicates a >> counterfeit client, a >> valid redirection URI is not sufficient to confirm a client's >> identity. >> >> regards, >> Torsten. >> >> >> > >> > EHL >> > >> >> -----Original Message----- >> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On >> >> Behalf Of Eran Hammer-Lahav >> >> Sent: Sunday, August 14, 2011 11:09 PM >> >> To: Torsten Lodderstedt >> >> Cc: torsten@lodderstedt-online.de; oauth@ietf.org >> >> Subject: Re: [OAUTH-WG] redirect uri validation >> >> >> >> Where would you suggest I add this? >> >> >> >> EHL >> >> >> >>> -----Original Message----- >> >>> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net] >> >>> Sent: Monday, July 25, 2011 10:42 AM >> >>> To: Eran Hammer-Lahav >> >>> Cc: torsten@lodderstedt-online.de; oauth@ietf.org >> >>> Subject: Re: [OAUTH-WG] redirect uri validation >> >>> >> >>> Hi Eran, >> >>> >> >>>>>> OAuth 1.0 was highly criticized for failing to address client >> >>>>>> identity in public clients. I believe OAuth 2.0 offers a much >> >>>>>> better story, within the boundaries>of what’s possible today. >> >>>>> Agreed. I think we must honestly discuss the value of client >> >>>>> authentication/identification itself. I personally think it is >> >>>>> over-emphazised right now. The strength of OAuth 2.0 is that >> it >> >>>>> allows solutions where neither client nor resource server have >> >>>>> access or >> >>> do store end-user credentials. >> >>>>> Client authentication is nice but not the main feature. >> >>>> Do you have any specific suggestions not already mentioned on >> the >> list? >> >>> I would suggest to mention that while an invalid redirect_uri >> >>> indicates a counterfeit clients a valid redirect does not prove >> the >> >>> calling >> >> client's identity. >> >>> regards, >> >>> Torsten. >> >>> >> >>> >> >>>> EHL >> >>>> >> >>>> _______________________________________________ >> >>>> OAuth mailing list >> >>>> OAuth@ietf.org >> >>>> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> >> OAuth mailing list >> >> OAuth@ietf.org >> >> https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] redirect uri validation (was: Issu… Eran Hammer-Lahav
- Re: [OAUTH-WG] redirect uri validation Torsten Lodderstedt
- Re: [OAUTH-WG] redirect uri validation Eran Hammer-Lahav
- Re: [OAUTH-WG] redirect uri validation Eran Hammer-Lahav
- Re: [OAUTH-WG] redirect uri validation Torsten Lodderstedt
- Re: [OAUTH-WG] redirect uri validation Eran Hammer-Lahav
- Re: [OAUTH-WG] redirect uri validation Torsten Lodderstedt