Re: [OAUTH-WG] End-User Authorization Endpoint is an Open Redirect
Luke Shepard <lshepard@facebook.com> Mon, 26 July 2010 19:01 UTC
From: Luke Shepard <lshepard@facebook.com>
To: Marius Scurtescu <mscurtescu@google.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Correct. If the user has to approve the response, then it doesn't function as an open redirector. I'm only worried about returning an error immediately.

On Jul 26, 2010, at 10:29 AM, Marius Scurtescu wrote:

> On Mon, Jul 26, 2010 at 5:07 AM, Richer, Justin P. <jricher@mitre.org> wrote:
>> And this is even a bigger potential problem when you combine it with unregistered or dynamically-registered clients, which we know some instances are going to support. In these cases, though, it's hard to trust *any* URL that the client is asking for, even for valid responses.
>
> The user must approve a valid response, so it should not work as a redirector. Right?
>
> An immediate mode will only work if the user explicitly approved at least once in the past.
>
> Marius
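To make the concern in this exchange concrete, here is an added example (not code from the thread or from any participant) of an authorization endpoint that checks redirect_uri against a client's registered URIs before returning any error by redirect; the client registry and the Response type are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlencode

# Constructed client registry (assumption): client_id -> registered redirect URIs.
REGISTERED_CLIENTS = {
    "client-abc": ["https://app.example.com/cb"],
}


@dataclass
class Response:
    kind: str           # "redirect", "error_page" or "consent_page"
    location: str = ""  # set only for redirects
    message: str = ""   # set only for pages rendered by the server


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact string match against the client's registered URIs.

    Prefix or substring matching would let an attacker append a path or
    host suffix; an unregistered client has no trusted URIs at all.
    """
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, [])


def handle_authorization_request(params: dict) -> Response:
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    state = params.get("state")

    # Step 1: decide whether redirect_uri is trustworthy BEFORE any redirect.
    # An immediate error bounced to an unvalidated URI is the open redirector
    # the thread is worried about, so this error is rendered locally instead.
    if not redirect_uri_allowed(client_id, redirect_uri):
        return Response("error_page", message="invalid client_id or redirect_uri")

    # Step 2: other errors may now be returned via redirect, because the
    # destination is one the client registered, not one chosen per request.
    if params.get("response_type") != "code":
        query = {"error": "unsupported_response_type"}
        if state:
            query["state"] = state
        return Response("redirect", location=f"{redirect_uri}?{urlencode(query)}")

    # Step 3: a valid request proceeds to the user-approval step, so the
    # browser is not redirected until the user has consented.
    return Response("consent_page", message="ask the user to approve the client")
```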