Re: [OAUTH-WG] open redirect in rfc6749
Hans Zandbelt <hzandbelt@pingidentity.com> Thu, 04 September 2014 12:10 UTC
Return-Path: <hzandbelt@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EE461A8892 for <oauth@ietfa.amsl.com>; Thu, 4 Sep 2014 05:10:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.746
X-Spam-Level:
X-Spam-Status: No, score=-1.746 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ntcSPzydfZmq for <oauth@ietfa.amsl.com>; Thu, 4 Sep 2014 05:10:34 -0700 (PDT)
Received: from na3sys009aog136.obsmtp.com (na3sys009aog136.obsmtp.com [74.125.149.85]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 757E31A0111 for <oauth@ietf.org>; Thu, 4 Sep 2014 05:09:29 -0700 (PDT)
Received: from mail-wi0-f173.google.com ([209.85.212.173]) (using TLSv1) by na3sys009aob136.postini.com ([74.125.148.12]) with SMTP ID DSNKVAhWeAAC6nrxxQm3ptkXXUl+Wcu7UIg4@postini.com; Thu, 04 Sep 2014 05:09:29 PDT
Received: by mail-wi0-f173.google.com with SMTP id cc10so952245wib.6 for <oauth@ietf.org>; Thu, 04 Sep 2014 05:09:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=5RZbxxC8UBMlmVwhKMODYORei752rdfhWWqDWh4iQ8E=; b=cWTlMXhsDjYZE4IjaFIo1Vc4J/oi0tHvL2rAiEVR3Olt1mHh8McY1dffjWIz+x4+bv 72cxvH5U2KpPkRKc7umadeXQp48COPBNTB1eGgfhuwcIkG4TSchM33GdKUyKxTrN+OWE RqzlXRscuy6bxJO+LIuLqs0qBC5Swhg/8TM5ZKeaZk+9JoQL6QjVs5X2xFvTdsC0mb2E HQhcPPfRfTaaJva1yvJm9hDovuG1bQtbLMEId00bq0r1kTcN4yAV83TGwiDQadzB43Dp 4OMAmuBHVcQAbuJugy/tSmAnh8Fd0M/nxrFiwhUJ/esm8xgQT4GwG2u0w3k5712KY7nd xbPQ==
X-Gm-Message-State: ALoCoQkqIgRYdDeNLnrrHViYyu0KhHuTZGDChnNy2d8Ua2W5DrDF7FZbW39WiujTkq4b1ss2sCGnimDGPJA/QMiym8YIwvmzWumLZEto08Z3usJ/dApvzJ/yv7KF7SQSVwpIClsJ6mzI
X-Received: by 10.194.238.195 with SMTP id vm3mr5277730wjc.91.1409832567863; Thu, 04 Sep 2014 05:09:27 -0700 (PDT)
X-Received: by 10.194.238.195 with SMTP id vm3mr5277683wjc.91.1409832567520; Thu, 04 Sep 2014 05:09:27 -0700 (PDT)
Received: from [192.168.10.102] (5ED52E8A.cm-7-6a.dynamic.ziggo.nl. [94.213.46.138]) by mx.google.com with ESMTPSA id p1sm19226721wjy.22.2014.09.04.05.09.26 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 04 Sep 2014 05:09:26 -0700 (PDT)
Message-ID: <54085675.3060507@pingidentity.com>
Date: Thu, 04 Sep 2014 14:09:25 +0200
From: Hans Zandbelt <hzandbelt@pingidentity.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Antonio Sanso <asanso@adobe.com>
References: <756EEB25-89E8-4445-9DA0-5522787D51AB@adobe.com> <54073D6F.6070203@redhat.com> <7A3A12C9-2A3B-48B1-BD5D-FD467EA03EE8@ve7jtb.com> <58148F80-C2DD-45C5-8D6F-CED74A90AA75@adobe.com> <5407470B.2010904@pingidentity.com> <25055629-26A9-478D-AE7A-3C295E3166EE@adobe.com> <54074B7A.7080907@pingidentity.com> <43A8E8A6-BA9B-4501-8CA3-28943236EADB@adobe.com> <54075296.9090007@pingidentity.com> <848F15BD-894D-48C6-B901-B5565BDE4C08@adobe.com> <05C25C09-598C-4D7F-A07A-C93DEC17D10B@adobe.com> <255386B5-79A1-4CD7-90E6-F3F6E23F51F8@mitre.org> <540818FD.1010202@pingidentity.com> <809F7DAB-021D-4770-9D7B-E996D0D32D45@adobe.com> <540829AF.9030804@pingidentity.com> <DDB844F5-4008-47FF-BC82-16EB61E276D4@adobe.com> <540853E1.3090102@pingidentity.com>
In-Reply-To: <540853E1.3090102@pingidentity.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/B1cZCj2ZNN73RKghBdMKM52HU7E
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] open redirect in rfc6749
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Sep 2014 12:10:36 -0000
Maybe just to clarify my point: where did the client_id in the example that you gave come from? Hans. On 9/4/14, 1:58 PM, Hans Zandbelt wrote: > yes, you are right about the unrestricted client use case; I just got > caught by the fact that you were talking about *unrestricted* client > registration all the time (standards-based or not) which deserves extra > caution whereas Google (and the spec) also provides *restricted* client > registration the deviation or caution is not needed > > Hans. > > On 9/4/14, 1:44 PM, Antonio Sanso wrote: >> hi Hans >> >> On Sep 4, 2014, at 10:58 AM, Hans Zandbelt >> <hzandbelt@pingidentity.com> wrote: >> >>> Agreed, I see you point about the big providers using exactly the >>> unrestricted flow for which the trust model (by definition) is out of >>> scope of the spec. This may be the reason for the implemented >>> behavior indeed and a security consideration is a good idea for other >>> deployments; there's not much more that can be done. >>> >>> But Google also provides explicit registration for API clients (which >>> is where my mind was): >>> https://developers.google.com/accounts/docs/OAuth2 (step 1) >>> and they would not need to deviate from the spec for that, nor would >>> the spec need to change >> >> I do really struggle to understand your point here :) (at least the >> "nor would the spec need to change part" :)). >> >> Probably I need to explain myself better. >> Since Google is “safe” (due the “deviation” from the spec) I would >> take Google as example here (I could point out open redirector in the >> wild to proof my point but I will not do…) >> >> Let’s start from scratch… >> >> If Google would have something like >> http://www.google.com?goto=attacker.com this is without any doubt an >> open redirector… see also OWASP 10 [0]. >> >> Now if Google would have implemented the spec rfc6749 verbatim >> something like >> >> https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=788732372078.apps.googleusercontent.com&scope=WRONG_SCOPE&redirect_uri=http://attacker.com >> >> >> would have redirect to http://attacker.com. >> >> So why this is not an open redirect ? :) >> >> Now maybe we are saying the same thing but I felt like better explain >> my point :) >> >> regards >> >> antonio >> >> [0] >> https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards >> >> >> >>> >>> Hans. >>> >>> On 9/4/14, 9:50 AM, Antonio Sanso wrote: >>>> Hi Hans, >>>> >>>> I really fail to see how this can be addressed at registration time >>>> for cases where registration is unrestricted (namely all the big >>>> Providers) >>>> >>>> regards >>>> >>>> antonio >>>> >>>> On Sep 4, 2014, at 9:47 AM, Hans Zandbelt >>>> <hzandbelt@pingidentity.com> wrote: >>>> >>>>> Classifying like this must also mean that consent should not be >>>>> stored until the client is considered (admin) trusted, and admin >>>>> policy would interfere with user policy. >>>>> >>>>> IMHO the security consideration would apply only to dynamically >>>>> registered clients where registration is unrestricted; any other >>>>> form would involve some form of admin/user approval at registration >>>>> time, overcoming the concern at authorization time: there's no >>>>> auto-redirect flow possible for unknown clients. >>>>> >>>>> Hans. >>>>> >>>>> On 9/4/14, 9:04 AM, Richer, Justin P. wrote: >>>>>> I think this advice isn't a bad idea, though it's of course up to >>>>>> the AS >>>>>> what an "untrusted" client really is. In practice, this is something >>>>>> that was registered by a non-sysadmin type person, either a >>>>>> dynamically >>>>>> registered client or something available through self-service >>>>>> registration of some type. It's also reasonable that a client, even >>>>>> dynamically registered, would be considered "trusted" if enough >>>>>> time has >>>>>> passed and enough users have used it without things blowing up. >>>>>> >>>>>> -- Justin >>>>>> >>>>>> On Sep 4, 2014, at 1:26 AM, Antonio Sanso <asanso@adobe.com >>>>>> <mailto:asanso@adobe.com>> wrote: >>>>>> >>>>>>> hi again *, >>>>>>> >>>>>>> after thinking a bit further IMHO an alternative for the untrusted >>>>>>> clients can also be to always present the consent screen (at least >>>>>>> once) before any redirect. >>>>>>> Namely all providers I have seen show the consent screen if all the >>>>>>> request parameters are correct and if the user accepts the redirect >>>>>>> happens. >>>>>>> If one of the parameter (with the exclusion of the client id and >>>>>>> redirect uri that are handled differently as for spec) is wrong >>>>>>> though >>>>>>> the redirect happens without the consent screen being shown.. >>>>>>> >>>>>>> WDYT? >>>>>>> >>>>>>> regards >>>>>>> >>>>>>> antonio >>>>>>> >>>>>>> On Sep 3, 2014, at 7:54 PM, Antonio Sanso <asanso@adobe.com >>>>>>> <mailto:asanso@adobe.com>> wrote: >>>>>>> >>>>>>>> Well, >>>>>>>> I do not know if this is only dynamic registration... >>>>>>>> let’s talk about real use cases, namely e.g. Google , Facebook , >>>>>>>> etc.. is that dynamic client registration? I do not know… :) >>>>>>>> >>>>>>>> Said that what the other guys think? :) >>>>>>>> Would this deserve some “spec adjustment” ? I mean there is a >>>>>>>> reason >>>>>>>> if Google is by choice “violating” the spec right? (I assume to >>>>>>>> avoid >>>>>>>> open redirect…) >>>>>>>> But other implementers do follow the spec hence they have this open >>>>>>>> redirector… and this is not nice IMHO... >>>>>>>> >>>>>>>> >>>>>>>> On Sep 3, 2014, at 7:40 PM, Hans Zandbelt >>>>>>>> <hzandbelt@pingidentity.com >>>>>>>> <mailto:hzandbelt@pingidentity.com>> wrote: >>>>>>>> >>>>>>>>> On 9/3/14, 7:14 PM, Antonio Sanso wrote: >>>>>>>>>> >>>>>>>>>> On Sep 3, 2014, at 7:10 PM, Hans Zandbelt >>>>>>>>>> <hzandbelt@pingidentity.com >>>>>>>>>> <mailto:hzandbelt@pingidentity.com>> wrote: >>>>>>>>>> >>>>>>>>>>> Is your concern clients that were registered using dynamic >>>>>>>>>>> client >>>>>>>>>>> registration? >>>>>>>>>> >>>>>>>>>> yes >>>>>>>>> >>>>>>>>> I think your issue is then with the trust model of dynamic client >>>>>>>>> registration; that is left out of scope of the dynreg spec (and >>>>>>>>> the >>>>>>>>> concept is not even part of the core spec), but unless you want >>>>>>>>> everything to be open (which typically would not be the case), >>>>>>>>> then >>>>>>>>> it would involve approval somewhere in the process before the >>>>>>>>> client >>>>>>>>> is registered. Without dynamic client registration that >>>>>>>>> approval is >>>>>>>>> admin based or resource owner based, depending on use case. >>>>>>>>> >>>>>>>>>>> Otherwise the positive case is returning a response to a >>>>>>>>>>> valid URL >>>>>>>>>>> that belongs to a client that was registered explicitly by the >>>>>>>>>>> resource owner >>>>>>>>>> >>>>>>>>>> well AFAIK the resource owner doesn’t register clients… >>>>>>>>> >>>>>>>>> roles can collapse in use cases especially when using dynamic >>>>>>>>> client >>>>>>>>> registration >>>>>>>>> >>>>>>>>>>> and the negative case is returning an error to that same URL. >>>>>>>>>> >>>>>>>>>> the difference is the consent screen… in the positive case you >>>>>>>>>> need >>>>>>>>>> to approve an app.. for the error case no approval is needed,,, >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> I fail to see the open redirect. >>>>>>>>>> >>>>>>>>>> why? >>>>>>>>> >>>>>>>>> because the client and thus the fixed URL are explicitly >>>>>>>>> approved at >>>>>>>>> some point >>>>>>>>> >>>>>>>>> Hans. >>>>>>>>> >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Hans. >>>>>>>>>>> >>>>>>>>>>> On 9/3/14, 6:56 PM, Antonio Sanso wrote: >>>>>>>>>>>> >>>>>>>>>>>> On Sep 3, 2014, at 6:51 PM, Hans Zandbelt >>>>>>>>>>>> <hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com> >>>>>>>>>>>> <mailto:hzandbelt@pingidentity.com>> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Let me try and approach this from a different angle: why >>>>>>>>>>>>> would you >>>>>>>>>>>>> call it an open redirect when an invalid scope is provided and >>>>>>>>>>>>> call it >>>>>>>>>>>>> correct protocol behavior (hopefully) when a valid scope is >>>>>>>>>>>>> provided? >>>>>>>>>>>> >>>>>>>>>>>> as specified below in the positive case (namely when the >>>>>>>>>>>> correct >>>>>>>>>>>> scope >>>>>>>>>>>> is provided) the resource owner MUST approve the app via the >>>>>>>>>>>> consent >>>>>>>>>>>> screen (at least once). >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Hans. >>>>>>>>>>>>> >>>>>>>>>>>>> On 9/3/14, 6:46 PM, Antonio Sanso wrote: >>>>>>>>>>>>>> hi John, >>>>>>>>>>>>>> On Sep 3, 2014, at 6:14 PM, John Bradley <ve7jtb@ve7jtb.com >>>>>>>>>>>>>> <mailto:ve7jtb@ve7jtb.com> >>>>>>>>>>>>>> <mailto:ve7jtb@ve7jtb.com> >>>>>>>>>>>>>> <mailto:ve7jtb@ve7jtb.com>> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>>> In the example the redirect_uri is vlid for the attacker. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> The issue is that the AS may be allowing client >>>>>>>>>>>>>>> registrations with >>>>>>>>>>>>>>> arbitrary redirect_uri. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> In the spec it is unspecified how a AS validates that a >>>>>>>>>>>>>>> client >>>>>>>>>>>>>>> controls the redirect_uri it is registering. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I think that if anything it may be the registration step >>>>>>>>>>>>>>> that >>>>>>>>>>>>>>> needs >>>>>>>>>>>>>>> the security consideration. >>>>>>>>>>>>>> >>>>>>>>>>>>>> (this is the first time :p) but I do disagree with you. It >>>>>>>>>>>>>> would be >>>>>>>>>>>>>> pretty unpractical to block this at registration time…. >>>>>>>>>>>>>> IMHO the best approach is the one taken from Google, namely >>>>>>>>>>>>>> returning >>>>>>>>>>>>>> 400 with the cause of the error.. >>>>>>>>>>>>>> >>>>>>>>>>>>>> *400.* That’s an error. >>>>>>>>>>>>>> >>>>>>>>>>>>>> *Error: invalid_scope* >>>>>>>>>>>>>> >>>>>>>>>>>>>> Some requested scopes were invalid. {invalid=[l]} >>>>>>>>>>>>>> >>>>>>>>>>>>>> said that I hope you all agree this is an issue in the >>>>>>>>>>>>>> spec so >>>>>>>>>>>>>> far…. >>>>>>>>>>>>>> >>>>>>>>>>>>>> regards >>>>>>>>>>>>>> >>>>>>>>>>>>>> antonio >>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> John B. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Sep 3, 2014, at 12:10 PM, Bill Burke <bburke@redhat.com >>>>>>>>>>>>>>> <mailto:bburke@redhat.com> >>>>>>>>>>>>>>> <mailto:bburke@redhat.com> >>>>>>>>>>>>>>> <mailto:bburke@redhat.com>> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I don't understand. The redirect uri has to be valid in >>>>>>>>>>>>>>>> order for a >>>>>>>>>>>>>>>> redirect to happen. The spec explicitly states this. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 9/3/2014 11:43 AM, Antonio Sanso wrote: >>>>>>>>>>>>>>>>> hi *, >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> IMHO providers that strictly follow rfc6749 are vulnerable >>>>>>>>>>>>>>>>> to open >>>>>>>>>>>>>>>>> redirect. >>>>>>>>>>>>>>>>> Let me explain, reading [0] >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> If the request fails due to a missing, invalid, or >>>>>>>>>>>>>>>>> mismatching >>>>>>>>>>>>>>>>> redirection URI, or if the client identifier is missing or >>>>>>>>>>>>>>>>> invalid, >>>>>>>>>>>>>>>>> the authorization server SHOULD inform the resource >>>>>>>>>>>>>>>>> owner of the >>>>>>>>>>>>>>>>> error and MUST NOT automatically redirect the >>>>>>>>>>>>>>>>> user-agent to the >>>>>>>>>>>>>>>>> invalid redirection URI. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> If the resource owner denies the access request or if the >>>>>>>>>>>>>>>>> request >>>>>>>>>>>>>>>>> fails for reasons other than a missing or invalid >>>>>>>>>>>>>>>>> redirection URI, >>>>>>>>>>>>>>>>> the authorization server informs the client by adding the >>>>>>>>>>>>>>>>> following >>>>>>>>>>>>>>>>> parameters to the query component of the redirection URI >>>>>>>>>>>>>>>>> using the >>>>>>>>>>>>>>>>> "application/x-www-form-urlencoded" format, perAppendix B >>>>>>>>>>>>>>>>> <https://tools.ietf.org/html/rfc6749#appendix-B>: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Now let’s assume this. >>>>>>>>>>>>>>>>> I am registering a new client to thevictim.com >>>>>>>>>>>>>>>>> <http://thevictim.com/> >>>>>>>>>>>>>>>>> <http://victim.com/><http://victim.com >>>>>>>>>>>>>>>>> <http://victim.com/> >>>>>>>>>>>>>>>>> <http://victim.com/>> >>>>>>>>>>>>>>>>> <http://victim.com <http://victim.com/> >>>>>>>>>>>>>>>>> <http://victim.com/>> >>>>>>>>>>>>>>>>> provider. >>>>>>>>>>>>>>>>> I register redirect uriattacker.com >>>>>>>>>>>>>>>>> <http://uriattacker.com/> >>>>>>>>>>>>>>>>> <http://attacker.com/><http://attacker.com >>>>>>>>>>>>>>>>> <http://attacker.com/> <http://attacker.com/>> >>>>>>>>>>>>>>>>> <http://attacker.com <http://attacker.com/> >>>>>>>>>>>>>>>>> <http://attacker.com/>>. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> According to [0] if I pass e.g. the wrong scope I am >>>>>>>>>>>>>>>>> redirected >>>>>>>>>>>>>>>>> back to >>>>>>>>>>>>>>>>> attacker.com <http://attacker.com/> >>>>>>>>>>>>>>>>> <http://attacker.com/><http://attacker.com >>>>>>>>>>>>>>>>> <http://attacker.com/> >>>>>>>>>>>>>>>>> <http://attacker.com/>> <http://attacker.com >>>>>>>>>>>>>>>>> <http://attacker.com/> <http://attacker.com/>>. >>>>>>>>>>>>>>>>> Namely I prepare a url that is in this form: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> http://victim.com/authorize?response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRONG_SCOPE&redirect_uri=http://attacker.com >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> and this is works as an open redirector. >>>>>>>>>>>>>>>>> Of course in the positive case if all the parameters are >>>>>>>>>>>>>>>>> fine this >>>>>>>>>>>>>>>>> doesn’t apply since the resource owner MUST approve the >>>>>>>>>>>>>>>>> app >>>>>>>>>>>>>>>>> via the >>>>>>>>>>>>>>>>> consent screen (at least once). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> A solution would be to return error 400 rather than >>>>>>>>>>>>>>>>> redirect >>>>>>>>>>>>>>>>> to the >>>>>>>>>>>>>>>>> redirect URI (as some provider e.g. Google do) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> WDYT? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> regards >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> antonio >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> [0] https://tools.ietf.org/html/rfc6749#section-4.1.2.1 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>>>>> OAuth mailing list >>>>>>>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>> Bill Burke >>>>>>>>>>>>>>>> JBoss, a division of Red Hat >>>>>>>>>>>>>>>> http://bill.burkecentral.com >>>>>>>>>>>>>>>> <http://bill.burkecentral.com/> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>>>> OAuth mailing list >>>>>>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>>>>>>>>>>>> <mailto:OAuth@ietf.org> >>>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>>> OAuth mailing list >>>>>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>>>>>>>>>>> <mailto:OAuth@ietf.org><mailto:OAuth@ietf.org> >>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>> OAuth mailing list >>>>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>>>>>>>>>> <mailto:OAuth@ietf.org> >>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> Hans Zandbelt | Sr. Technical Architect >>>>>>>>>>>>> hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com> >>>>>>>>>>>>> <mailto:hzandbelt@pingidentity.com>| Ping >>>>>>>>>>>>> Identity >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Hans Zandbelt | Sr. Technical Architect >>>>>>>>>>> hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com> | >>>>>>>>>>> Ping Identity >>>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Hans Zandbelt | Sr. Technical Architect >>>>>>>>> hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com>| >>>>>>>>> Ping >>>>>>>>> Identity >>>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> OAuth mailing list >>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>> >>>>> >>>>> -- >>>>> Hans Zandbelt | Sr. Technical Architect >>>>> hzandbelt@pingidentity.com | Ping Identity >>>> >>> >>> -- >>> Hans Zandbelt | Sr. Technical Architect >>> hzandbelt@pingidentity.com | Ping Identity >> > -- Hans Zandbelt | Sr. Technical Architect hzandbelt@pingidentity.com | Ping Identity
- [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Bill Burke
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Takahiko Kawasaki
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Richer, Justin P.
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Bill Burke
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Richer, Justin P.
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Richer, Justin P.
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Torsten Lodderstedt
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Sergey Beryozkin
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Sergey Beryozkin
- Re: [OAUTH-WG] open redirect in rfc6749 Bill Burke
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso