Re: [OAUTH-WG] redirect uri and portals

Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de> Tue, 07 March 2023 15:00 UTC

Message-ID: <5d8d0833-c086-4934-446d-c316576552ba@hackmanit.de>
Date: Tue, 07 Mar 2023 16:00:27 +0100
To: Yannick Majoros <yannick@valuya.be>
Cc: OAuth WG <oauth@ietf.org>
From: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>
In-Reply-To: <CALNQ_j+sO_si6_DCgGWpRU3NTeZa49QvfEDT6QMHZqd288VG3A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/60qUfvQW7x75tqwNsKOGmCZQCzE>

The benefit of not storing the state of all users on the server-side is 
still present. The client only needs to store and use *one* key-pair for 
all JWTs.

On 07.03.2023 15:57, Yannick Majoros wrote:
> I'm still missing the point:
> - any key used to sign or encrypt the state... is state itself
> - if we can store that key (or anything, like an url to go back to 
> after login), why bother passing the state around?
>
>
> On Tue, 7 Mar 2023 at 15:07, Hannes Tschofenig 
> <hannes.tschofenig@gmx.net> wrote:
>
>     Hi Yannick,
>
>
>     On 07.03.2023 at 14:25, Yannick Majoros wrote:
>>     One possible solution: Store the redirect information in a signed
>>     JWT and place the JWT in the state parameter. I don't think this
>>     is written somewhere in the security BCP but I think this is a
>>     solution used in the wild by multiple clients.
>
>     Section 4.7.1 of the security BCP lists this solution as one
>     possible countermeasure:
>
>         If state is used for carrying application state, and integrity
>         of its contents is a concern, clients MUST protect state
>         against tampering and swapping. This can be achieved by binding
>         the contents of state to the browser session and/or
>         signed/encrypted state values as discussed in the now-expired
>         draft [I-D.bradley-oauth-jwt-encoded-state
>         <https://www.ietf.org/archive/id/draft-bradley-oauth-jwt-encoded-state-09.txt>].
>         <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.7.1-3.2.1>
>
>
>     The referenced draft has, however, expired:
>     https://www.ietf.org/archive/id/draft-bradley-oauth-jwt-encoded-state-09.txt
>
>
>     Ciao
>
>     Hannes
>
>
>
>
>
>
> -- 
> Yannick Majoros
> Valuya sprl
>
-- 
Karsten Meyer zu Selhausen
Senior IT Security Consultant
Phone:	+49 (0)234 / 54456499
Web:	https://hackmanit.de  | IT Security Consulting, Penetration Testing, Security Training

Save the date: 11.-12.5.2023. Join us in celebrating the 5th anniversary of RuhrSec - the IT security conference in Bochum: https://www.ruhrsec.de/2023

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Court of registration: Amtsgericht Bochum, HRB 14896
Managing directors: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
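The scheme the thread describes, as an added example that is not code from any poster or from the security BCP: one client-wide key signs a JWT placed in the state parameter, the JWT carries the portal's return URL and a hash of the browser session, and the callback rejects tampered, swapped and expired values. It assumes a minimal HS256 JWT built with the standard library and an HMAC key in place of the key-pair Karsten mentions, which works because only the client itself signs and verifies state; the key and URLs are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholder: the single, client-wide signing key. Only the
# client ever signs and verifies state, so a symmetric key suffices here.
CLIENT_KEY = b"example-client-key-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_state(return_url, session_id, key=CLIENT_KEY, ttl=300, now=None):
    """Build the HS256 JWT to send as the OAuth 'state' parameter.
    It carries the post-login return URL ('ret') and a hash of the browser
    session ('sid'), so the value is bound to the session that started the
    flow and nothing has to be stored per user on the server side."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"ret": return_url,
               "sid": hashlib.sha256(session_id.encode()).hexdigest(),
               "iat": now, "exp": now + ttl}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_state(token, session_id, key=CLIENT_KEY, now=None):
    """Return the return URL if 'state' is authentic, unexpired and bound to
    this browser session; return None for tampered, swapped or stale values."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Only accept the algorithm we issue; never let the token choose it.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None          # tampered payload or wrong key
        payload = json.loads(_b64url_decode(p))
    except ValueError:           # malformed base64 / JSON / structure
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or exp < now:
        return None              # missing or expired
    bound = hashlib.sha256(session_id.encode()).hexdigest()
    if not hmac.compare_digest(str(payload.get("sid", "")), bound):
        return None              # swapped in from another browser session
    return payload.get("ret")
```

The session binding is what makes a state value useless outside the browser that started the flow; on the callback, the client only needs its one key and the current session cookie to recover the return URL.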