IETF Logo Mail Archive

Re: [OAUTH-WG] open redirect in rfc6749

John Bradley <ve7jtb@ve7jtb.com> Wed, 03 September 2014 17:52 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB12A1A042D for <oauth@ietfa.amsl.com>; Wed, 3 Sep 2014 10:52:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.145
X-Spam-Level:
X-Spam-Status: No, score=-0.145 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T6LVxakWcnd4 for <oauth@ietfa.amsl.com>; Wed, 3 Sep 2014 10:52:48 -0700 (PDT)
Received: from mail-wi0-f169.google.com (mail-wi0-f169.google.com [209.85.212.169]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66B481A03C0 for <oauth@ietf.org>; Wed, 3 Sep 2014 10:52:32 -0700 (PDT)
Received: by mail-wi0-f169.google.com with SMTP id n3so6308569wiv.0 for <oauth@ietf.org>; Wed, 03 Sep 2014 10:52:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:references:mime-version:in-reply-to:content-type :content-transfer-encoding:message-id:cc:from:subject:date:to; bh=hS0eELgW664pYTQ6BdlqT9v84CVtgoh6Yu5OqX03fUw=; b=QHoipcT28iQk8p/WOQd+oyd23ljnWgEBSZAHw5ptmA8aJf9x3LtxjbDrVBSRX7u2nO i235i7gmx/iAaGhOlZ+suLUQ7lOHBOfSBM12gI7dpH9v+oNJBSqGLa2Uw/QDdNxG0Im/ YnVDM8x9xz/GlKBGBu//PuxcDqN5xoCz+vYYLK/bH7fQ9McNdC48xmbSzPaH79AyzN7q foOItz372uxoTiTiPBIraS0Bjdq+pumm7QASQBujqgzQlVFT6Knip94GTJQLNBRcwolh c+xyit400NQ/TXjWgfijeOB16NLtExrRua+tFN8/uTUrELV8POt4ec4smYAiffFD6bRz 7aoA==
X-Gm-Message-State: ALoCoQmbCTAYqhbZR1bKJMw6RkWzC4t3fisbKwP/9b/lTvOkLe2Z+1NZO1+GdfygzCtcYU4Rpm1P
X-Received: by 10.194.173.234 with SMTP id bn10mr25701777wjc.81.1409766750944; Wed, 03 Sep 2014 10:52:30 -0700 (PDT)
Received: from [10.103.63.214] ([188.207.69.117]) by mx.google.com with ESMTPSA id s1sm5870860wiw.6.2014.09.03.10.52.29 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 03 Sep 2014 10:52:29 -0700 (PDT)
References: <756EEB25-89E8-4445-9DA0-5522787D51AB@adobe.com> <54073D6F.6070203@redhat.com> <7A3A12C9-2A3B-48B1-BD5D-FD467EA03EE8@ve7jtb.com> <58148F80-C2DD-45C5-8D6F-CED74A90AA75@adobe.com> <5407470B.2010904@pingidentity.com> <25055629-26A9-478D-AE7A-3C295E3166EE@adobe.com> <54074B7A.7080907@pingidentity.com> <43A8E8A6-BA9B-4501-8CA3-28943236EADB@adobe.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <43A8E8A6-BA9B-4501-8CA3-28943236EADB@adobe.com>
Content-Type: multipart/signed; micalg="sha1"; boundary="Apple-Mail-A5EC6E5B-842C-4872-9924-099E50C92F5C"; protocol="application/pkcs7-signature"
Content-Transfer-Encoding: 7bit
Message-Id: <387F387A-4743-488F-BBD0-8FB8232FA8E9@ve7jtb.com>
X-Mailer: iPhone Mail (11D257)
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Wed, 03 Sep 2014 19:52:25 +0200
To: Antonio Sanso <asanso@adobe.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/8yWjLMZ0M-JUuXMo1LKCrluRowQ
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] open redirect in rfc6749
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Sep 2014 17:52:50 -0000

I agree that the error case where there is no UI is the problem, as it can be used inside a Iframe. 

However error responses are generally useful.   

OAuth core is silent on how redirect_uri are registered and if they are verified. 

Dynamic registration should warn about OAuth errors to redirect_uri from untrusted clients.  

For other registration methods we should update the RFC. 

John B. 




Sent from my iPhone

> On Sep 3, 2014, at 7:14 PM, Antonio Sanso <asanso@adobe.com> wrote:
> 
> 
>> On Sep 3, 2014, at 7:10 PM, Hans Zandbelt <hzandbelt@pingidentity.com> wrote:
>> 
>> Is your concern clients that were registered using dynamic client registration?
> 
> yes
> 
>> 
>> Otherwise the positive case is returning a response to a valid URL that belongs to a client that was registered explicitly by the resource owner
> 
> well AFAIK the resource owner doesn’t register clients…
> 
> 
>> and the negative case is returning an error to that same URL.
> 
> the difference is the consent screen… in the positive case you need to approve an app.. for the error case no approval is needed,,,
> 
>> 
>> I fail to see the open redirect.
> 
> why?
> 
>> 
>> Hans.
>> 
>>> On 9/3/14, 6:56 PM, Antonio Sanso wrote:
>>> 
>>> On Sep 3, 2014, at 6:51 PM, Hans Zandbelt <hzandbelt@pingidentity.com
>>> <mailto:hzandbelt@pingidentity.com>> wrote:
>>> 
>>>> Let me try and approach this from a different angle: why would you
>>>> call it an open redirect when an invalid scope is provided and call it
>>>> correct protocol behavior (hopefully) when a valid scope is provided?
>>> 
>>> as specified below in the positive case (namely when the correct scope
>>> is provided) the resource owner MUST approve the app via the consent
>>> screen (at least once).
>>> 
>>> 
>>>> 
>>>> Hans.
>>>> 
>>>>> On 9/3/14, 6:46 PM, Antonio Sanso wrote:
>>>>> hi John,
>>>>> On Sep 3, 2014, at 6:14 PM, John Bradley <ve7jtb@ve7jtb.com
>>>>> <mailto:ve7jtb@ve7jtb.com>
>>>>> <mailto:ve7jtb@ve7jtb.com>> wrote:
>>>>> 
>>>>>> In the example the redirect_uri is vlid for the attacker.
>>>>>> 
>>>>>> The issue is that the AS may be allowing client registrations with
>>>>>> arbitrary redirect_uri.
>>>>>> 
>>>>>> In the spec it is unspecified how a AS validates that a client
>>>>>> controls the redirect_uri it is registering.
>>>>>> 
>>>>>> I think that if anything it may be the registration step that needs
>>>>>> the security consideration.
>>>>> 
>>>>> (this is the first time :p) but I do disagree with you. It would be
>>>>> pretty unpractical to block this at registration time….
>>>>> IMHO the best approach is the one taken from Google, namely returning
>>>>> 400 with the cause of the error..
>>>>> 
>>>>> *400.* That’s an error.
>>>>> 
>>>>> *Error: invalid_scope*
>>>>> 
>>>>> Some requested scopes were invalid. {invalid=[l]}
>>>>> 
>>>>> said that I hope you all agree this is an issue in the spec so far….
>>>>> 
>>>>> regards
>>>>> 
>>>>> antonio
>>>>> 
>>>>>> 
>>>>>> John B.
>>>>>> 
>>>>>> On Sep 3, 2014, at 12:10 PM, Bill Burke <bburke@redhat.com
>>>>>> <mailto:bburke@redhat.com>
>>>>>> <mailto:bburke@redhat.com>> wrote:
>>>>>> 
>>>>>>> I don't understand.  The redirect uri has to be valid in order for a
>>>>>>> redirect to happen.  The spec explicitly states this.
>>>>>>> 
>>>>>>>> On 9/3/2014 11:43 AM, Antonio Sanso wrote:
>>>>>>>> hi *,
>>>>>>>> 
>>>>>>>> IMHO providers that strictly follow rfc6749 are vulnerable to open
>>>>>>>> redirect.
>>>>>>>> Let me explain, reading [0]
>>>>>>>> 
>>>>>>>> If the request fails due to a missing, invalid, or mismatching
>>>>>>>> redirection URI, or if the client identifier is missing or invalid,
>>>>>>>> the authorization server SHOULD inform the resource owner of the
>>>>>>>> error and MUST NOT automatically redirect the user-agent to the
>>>>>>>> invalid redirection URI.
>>>>>>>> 
>>>>>>>> If the resource owner denies the access request or if the request
>>>>>>>> fails for reasons other than a missing or invalid redirection URI,
>>>>>>>> the authorization server informs the client by adding the following
>>>>>>>> parameters to the query component of the redirection URI using the
>>>>>>>> "application/x-www-form-urlencoded" format, perAppendix B
>>>>>>>> <https://tools.ietf.org/html/rfc6749#appendix-B>:
>>>>>>>> 
>>>>>>>> Now let’s assume this.
>>>>>>>> I am registering a new client to thevictim.com
>>>>>>>> <http://victim.com/><http://victim.com <http://victim.com/>>
>>>>>>>> <http://victim.com <http://victim.com/>>
>>>>>>>> provider.
>>>>>>>> I register redirect uriattacker.com
>>>>>>>> <http://attacker.com/><http://attacker.com <http://attacker.com/>>
>>>>>>>> <http://attacker.com <http://attacker.com/>>.
>>>>>>>> 
>>>>>>>> According to [0] if I pass e.g. the wrong scope I am redirected
>>>>>>>> back to
>>>>>>>> attacker.com <http://attacker.com/><http://attacker.com
>>>>>>>> <http://attacker.com/>> <http://attacker.com <http://attacker.com/>>.
>>>>>>>> Namely I prepare a url that is in this form:
>>>>>>>> 
>>>>>>>> http://victim.com/authorize?response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRONG_SCOPE&redirect_uri=http://attacker.com
>>>>>>>> 
>>>>>>>> and this is works as an open redirector.
>>>>>>>> Of course in the positive case if all the parameters are fine this
>>>>>>>> doesn’t apply since the resource owner MUST approve the app via the
>>>>>>>> consent screen (at least once).
>>>>>>>> 
>>>>>>>> A solution would be to return error 400 rather than redirect to the
>>>>>>>> redirect URI (as some provider e.g. Google do)
>>>>>>>> 
>>>>>>>> WDYT?
>>>>>>>> 
>>>>>>>> regards
>>>>>>>> 
>>>>>>>> antonio
>>>>>>>> 
>>>>>>>> [0] https://tools.ietf.org/html/rfc6749#section-4.1.2.1
>>>>>>>> 
>>>>>>>> 
>>>>>>>> _______________________________________________
>>>>>>>> OAuth mailing list
>>>>>>>> OAuth@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>> 
>>>>>>> --
>>>>>>> Bill Burke
>>>>>>> JBoss, a division of Red Hat
>>>>>>> http://bill.burkecentral.com
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> 
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org><mailto:OAuth@ietf.org>
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> 
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> --
>>>> Hans Zandbelt              | Sr. Technical Architect
>>>> hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com>| Ping
>>>> Identity
>> 
>> -- 
>> Hans Zandbelt              | Sr. Technical Architect
>> hzandbelt@pingidentity.com | Ping Identity
>

v2.23.0 | Report a Bug | By Email