IETF Logo Mail Archive

Re: [OAUTH-WG] redirect uri validation

Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 14 September 2011 14:26 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66B6521F8B9D for <oauth@ietfa.amsl.com>; Wed, 14 Sep 2011 07:26:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level:
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_102=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mSO7n4vhWTWf for <oauth@ietfa.amsl.com>; Wed, 14 Sep 2011 07:26:29 -0700 (PDT)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.31.101]) by ietfa.amsl.com (Postfix) with ESMTP id 65FD521F8B64 for <oauth@ietf.org>; Wed, 14 Sep 2011 07:26:29 -0700 (PDT)
Received: from [80.67.16.112] (helo=webmail.df.eu) by smtprelay06.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1R3qS3-00068c-U1; Wed, 14 Sep 2011 16:28:35 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Date: Wed, 14 Sep 2011 16:28:35 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: Eran Hammer-Lahav <eran@hueniverse.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234518A4F23D2@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <fcffd9492cbaced09c93f4e3c37b569f@lodderstedt-online.de> <90C41DD21FB7C64BB94121FBBC2E72345021F37877@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E2DAAEA.7090304@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E7234502498CDD7@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E7234502498CDDE@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E498313.3080009@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E7234518A4F23D2@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Message-ID: <47afa9b25ff9b1ceb506b723c2bbe95e@lodderstedt-online.de>
X-Sender: torsten@lodderstedt.net
User-Agent: Roundcube Webmail/0.5.2
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: oauth@ietf.org, eran@sled.com
Subject: Re: [OAUTH-WG] redirect uri validation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Sep 2011 14:26:31 -0000

ok with me.

On Sun, 4 Sep 2011 15:13:01 -0700, Eran Hammer-Lahav wrote:
> That's not complete. A valid redirection URI is not enough to verify
> client identity at the time it is presented, but it is enough in many
> cases to prevent leaking credentials later on.
>
> How about a slight change:
>
>           A valid redirection URI is not sufficient to verify the
> client's identity when asking for
>           end-user authorization, but can be used to prevent
> delivering credentials to a
>           counterfeit client after obtaining end-user authorization.
>
> EHL
>
>> -----Original Message-----
>> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
>> Sent: Monday, August 15, 2011 1:36 PM
>> To: Eran Hammer-Lahav
>> Cc: eran@sled.com; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] redirect uri validation
>>
>> Hi Eran,
>>
>> Am 15.08.2011 08:57, schrieb Eran Hammer-Lahav:
>> > Added to 1.4.2:
>> >
>> >              When issuing an implicit grant, the authorization 
>> server does not
>> authenticate the
>> >              client and [[in some cases]], the client identity 
>> [[can]] be verified via
>> the redirection URI
>> >              used to deliver the access token to the client. The 
>> access token may
>> be exposed to the
>> >              resource owner or other applications with access to 
>> the resource
>> owner's user-agent.
>> >
>> > Hope this is sufficient.
>>
>> What do you want to express? Clients can sometimes be verified via
>> redirection URI?
>>
>> My intention was to point out that an invalid redirect URI is a 
>> counter-
>> evidence for a client's identity but a valid redirect URI is _not_ 
>> an evidence
>> for its identity.
>>
>> I would suggest to add the text below to section 10.1., last 
>> paragraph after
>> the sentence
>>
>> "For
>>     example, by requiring the registration of the client redirection 
>> URI
>>     or enlisting the resource owner to confirm identity."
>>
>> proposed text:
>>
>> Please note: while an invalid redirection URI indicates a 
>> counterfeit client, a
>> valid redirection URI is not sufficient to confirm a client's 
>> identity.
>>
>> regards,
>> Torsten.
>>
>>
>> >
>> > EHL
>> >
>> >> -----Original Message-----
>> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>> >> Behalf Of Eran Hammer-Lahav
>> >> Sent: Sunday, August 14, 2011 11:09 PM
>> >> To: Torsten Lodderstedt
>> >> Cc: torsten@lodderstedt-online.de; oauth@ietf.org
>> >> Subject: Re: [OAUTH-WG] redirect uri validation
>> >>
>> >> Where would you suggest I add this?
>> >>
>> >> EHL
>> >>
>> >>> -----Original Message-----
>> >>> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
>> >>> Sent: Monday, July 25, 2011 10:42 AM
>> >>> To: Eran Hammer-Lahav
>> >>> Cc: torsten@lodderstedt-online.de; oauth@ietf.org
>> >>> Subject: Re: [OAUTH-WG] redirect uri validation
>> >>>
>> >>> Hi Eran,
>> >>>
>> >>>>>> OAuth 1.0 was highly criticized for failing to address client
>> >>>>>> identity in public clients. I believe OAuth 2.0 offers a much
>> >>>>>> better story, within the boundaries>of what’s possible today.
>> >>>>> Agreed. I think we must honestly discuss the value of client
>> >>>>> authentication/identification itself. I personally think it is
>> >>>>> over-emphazised right now. The strength of OAuth 2.0 is that 
>> it
>> >>>>> allows solutions where neither client nor resource server have
>> >>>>> access or
>> >>> do store end-user credentials.
>> >>>>> Client authentication is nice but not the main feature.
>> >>>> Do you have any specific suggestions not already mentioned on 
>> the
>> list?
>> >>> I would suggest to mention that while an invalid redirect_uri
>> >>> indicates a counterfeit clients a valid redirect does not prove 
>> the
>> >>> calling
>> >> client's identity.
>> >>> regards,
>> >>> Torsten.
>> >>>
>> >>>
>> >>>> EHL
>> >>>>
>> >>>> _______________________________________________
>> >>>> OAuth mailing list
>> >>>> OAuth@ietf.org
>> >>>> https://www.ietf.org/mailman/listinfo/oauth
>> >> _______________________________________________
>> >> OAuth mailing list
>> >> OAuth@ietf.org
>> >> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email