Re: [OAUTH-WG] open redirect in rfc6749
John Bradley <ve7jtb@ve7jtb.com> Wed, 03 September 2014 17:52 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB12A1A042D for <oauth@ietfa.amsl.com>; Wed, 3 Sep 2014 10:52:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.145
X-Spam-Level:
X-Spam-Status: No, score=-0.145 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T6LVxakWcnd4 for <oauth@ietfa.amsl.com>; Wed, 3 Sep 2014 10:52:48 -0700 (PDT)
Received: from mail-wi0-f169.google.com (mail-wi0-f169.google.com [209.85.212.169]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66B481A03C0 for <oauth@ietf.org>; Wed, 3 Sep 2014 10:52:32 -0700 (PDT)
Received: by mail-wi0-f169.google.com with SMTP id n3so6308569wiv.0 for <oauth@ietf.org>; Wed, 03 Sep 2014 10:52:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:references:mime-version:in-reply-to:content-type :content-transfer-encoding:message-id:cc:from:subject:date:to; bh=hS0eELgW664pYTQ6BdlqT9v84CVtgoh6Yu5OqX03fUw=; b=QHoipcT28iQk8p/WOQd+oyd23ljnWgEBSZAHw5ptmA8aJf9x3LtxjbDrVBSRX7u2nO i235i7gmx/iAaGhOlZ+suLUQ7lOHBOfSBM12gI7dpH9v+oNJBSqGLa2Uw/QDdNxG0Im/ YnVDM8x9xz/GlKBGBu//PuxcDqN5xoCz+vYYLK/bH7fQ9McNdC48xmbSzPaH79AyzN7q foOItz372uxoTiTiPBIraS0Bjdq+pumm7QASQBujqgzQlVFT6Knip94GTJQLNBRcwolh c+xyit400NQ/TXjWgfijeOB16NLtExrRua+tFN8/uTUrELV8POt4ec4smYAiffFD6bRz 7aoA==
X-Gm-Message-State: ALoCoQmbCTAYqhbZR1bKJMw6RkWzC4t3fisbKwP/9b/lTvOkLe2Z+1NZO1+GdfygzCtcYU4Rpm1P
X-Received: by 10.194.173.234 with SMTP id bn10mr25701777wjc.81.1409766750944; Wed, 03 Sep 2014 10:52:30 -0700 (PDT)
Received: from [10.103.63.214] ([188.207.69.117]) by mx.google.com with ESMTPSA id s1sm5870860wiw.6.2014.09.03.10.52.29 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 03 Sep 2014 10:52:29 -0700 (PDT)
References: <756EEB25-89E8-4445-9DA0-5522787D51AB@adobe.com> <54073D6F.6070203@redhat.com> <7A3A12C9-2A3B-48B1-BD5D-FD467EA03EE8@ve7jtb.com> <58148F80-C2DD-45C5-8D6F-CED74A90AA75@adobe.com> <5407470B.2010904@pingidentity.com> <25055629-26A9-478D-AE7A-3C295E3166EE@adobe.com> <54074B7A.7080907@pingidentity.com> <43A8E8A6-BA9B-4501-8CA3-28943236EADB@adobe.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <43A8E8A6-BA9B-4501-8CA3-28943236EADB@adobe.com>
Content-Type: multipart/signed; micalg="sha1"; boundary="Apple-Mail-A5EC6E5B-842C-4872-9924-099E50C92F5C"; protocol="application/pkcs7-signature"
Content-Transfer-Encoding: 7bit
Message-Id: <387F387A-4743-488F-BBD0-8FB8232FA8E9@ve7jtb.com>
X-Mailer: iPhone Mail (11D257)
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Wed, 03 Sep 2014 19:52:25 +0200
To: Antonio Sanso <asanso@adobe.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/8yWjLMZ0M-JUuXMo1LKCrluRowQ
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] open redirect in rfc6749
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Sep 2014 17:52:50 -0000
I agree that the error case where there is no UI is the problem, as it can be used inside a Iframe. However error responses are generally useful. OAuth core is silent on how redirect_uri are registered and if they are verified. Dynamic registration should warn about OAuth errors to redirect_uri from untrusted clients. For other registration methods we should update the RFC. John B. Sent from my iPhone > On Sep 3, 2014, at 7:14 PM, Antonio Sanso <asanso@adobe.com> wrote: > > >> On Sep 3, 2014, at 7:10 PM, Hans Zandbelt <hzandbelt@pingidentity.com> wrote: >> >> Is your concern clients that were registered using dynamic client registration? > > yes > >> >> Otherwise the positive case is returning a response to a valid URL that belongs to a client that was registered explicitly by the resource owner > > well AFAIK the resource owner doesn’t register clients… > > >> and the negative case is returning an error to that same URL. > > the difference is the consent screen… in the positive case you need to approve an app.. for the error case no approval is needed,,, > >> >> I fail to see the open redirect. > > why? > >> >> Hans. >> >>> On 9/3/14, 6:56 PM, Antonio Sanso wrote: >>> >>> On Sep 3, 2014, at 6:51 PM, Hans Zandbelt <hzandbelt@pingidentity.com >>> <mailto:hzandbelt@pingidentity.com>> wrote: >>> >>>> Let me try and approach this from a different angle: why would you >>>> call it an open redirect when an invalid scope is provided and call it >>>> correct protocol behavior (hopefully) when a valid scope is provided? >>> >>> as specified below in the positive case (namely when the correct scope >>> is provided) the resource owner MUST approve the app via the consent >>> screen (at least once). >>> >>> >>>> >>>> Hans. >>>> >>>>> On 9/3/14, 6:46 PM, Antonio Sanso wrote: >>>>> hi John, >>>>> On Sep 3, 2014, at 6:14 PM, John Bradley <ve7jtb@ve7jtb.com >>>>> <mailto:ve7jtb@ve7jtb.com> >>>>> <mailto:ve7jtb@ve7jtb.com>> wrote: >>>>> >>>>>> In the example the redirect_uri is vlid for the attacker. >>>>>> >>>>>> The issue is that the AS may be allowing client registrations with >>>>>> arbitrary redirect_uri. >>>>>> >>>>>> In the spec it is unspecified how a AS validates that a client >>>>>> controls the redirect_uri it is registering. >>>>>> >>>>>> I think that if anything it may be the registration step that needs >>>>>> the security consideration. >>>>> >>>>> (this is the first time :p) but I do disagree with you. It would be >>>>> pretty unpractical to block this at registration time…. >>>>> IMHO the best approach is the one taken from Google, namely returning >>>>> 400 with the cause of the error.. >>>>> >>>>> *400.* That’s an error. >>>>> >>>>> *Error: invalid_scope* >>>>> >>>>> Some requested scopes were invalid. {invalid=[l]} >>>>> >>>>> said that I hope you all agree this is an issue in the spec so far…. >>>>> >>>>> regards >>>>> >>>>> antonio >>>>> >>>>>> >>>>>> John B. >>>>>> >>>>>> On Sep 3, 2014, at 12:10 PM, Bill Burke <bburke@redhat.com >>>>>> <mailto:bburke@redhat.com> >>>>>> <mailto:bburke@redhat.com>> wrote: >>>>>> >>>>>>> I don't understand. The redirect uri has to be valid in order for a >>>>>>> redirect to happen. The spec explicitly states this. >>>>>>> >>>>>>>> On 9/3/2014 11:43 AM, Antonio Sanso wrote: >>>>>>>> hi *, >>>>>>>> >>>>>>>> IMHO providers that strictly follow rfc6749 are vulnerable to open >>>>>>>> redirect. >>>>>>>> Let me explain, reading [0] >>>>>>>> >>>>>>>> If the request fails due to a missing, invalid, or mismatching >>>>>>>> redirection URI, or if the client identifier is missing or invalid, >>>>>>>> the authorization server SHOULD inform the resource owner of the >>>>>>>> error and MUST NOT automatically redirect the user-agent to the >>>>>>>> invalid redirection URI. >>>>>>>> >>>>>>>> If the resource owner denies the access request or if the request >>>>>>>> fails for reasons other than a missing or invalid redirection URI, >>>>>>>> the authorization server informs the client by adding the following >>>>>>>> parameters to the query component of the redirection URI using the >>>>>>>> "application/x-www-form-urlencoded" format, perAppendix B >>>>>>>> <https://tools.ietf.org/html/rfc6749#appendix-B>: >>>>>>>> >>>>>>>> Now let’s assume this. >>>>>>>> I am registering a new client to thevictim.com >>>>>>>> <http://victim.com/><http://victim.com <http://victim.com/>> >>>>>>>> <http://victim.com <http://victim.com/>> >>>>>>>> provider. >>>>>>>> I register redirect uriattacker.com >>>>>>>> <http://attacker.com/><http://attacker.com <http://attacker.com/>> >>>>>>>> <http://attacker.com <http://attacker.com/>>. >>>>>>>> >>>>>>>> According to [0] if I pass e.g. the wrong scope I am redirected >>>>>>>> back to >>>>>>>> attacker.com <http://attacker.com/><http://attacker.com >>>>>>>> <http://attacker.com/>> <http://attacker.com <http://attacker.com/>>. >>>>>>>> Namely I prepare a url that is in this form: >>>>>>>> >>>>>>>> http://victim.com/authorize?response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRONG_SCOPE&redirect_uri=http://attacker.com >>>>>>>> >>>>>>>> and this is works as an open redirector. >>>>>>>> Of course in the positive case if all the parameters are fine this >>>>>>>> doesn’t apply since the resource owner MUST approve the app via the >>>>>>>> consent screen (at least once). >>>>>>>> >>>>>>>> A solution would be to return error 400 rather than redirect to the >>>>>>>> redirect URI (as some provider e.g. Google do) >>>>>>>> >>>>>>>> WDYT? >>>>>>>> >>>>>>>> regards >>>>>>>> >>>>>>>> antonio >>>>>>>> >>>>>>>> [0] https://tools.ietf.org/html/rfc6749#section-4.1.2.1 >>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> OAuth mailing list >>>>>>>> OAuth@ietf.org >>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>> >>>>>>> -- >>>>>>> Bill Burke >>>>>>> JBoss, a division of Red Hat >>>>>>> http://bill.burkecentral.com >>>>>>> >>>>>>> _______________________________________________ >>>>>>> OAuth mailing list >>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>> >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org><mailto:OAuth@ietf.org> >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> -- >>>> Hans Zandbelt | Sr. Technical Architect >>>> hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com>| Ping >>>> Identity >> >> -- >> Hans Zandbelt | Sr. Technical Architect >> hzandbelt@pingidentity.com | Ping Identity >
- [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Bill Burke
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Takahiko Kawasaki
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Richer, Justin P.
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Bill Burke
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Richer, Justin P.
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Richer, Justin P.
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Torsten Lodderstedt
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Sergey Beryozkin
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Sergey Beryozkin
- Re: [OAUTH-WG] open redirect in rfc6749 Bill Burke
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso