IETF Logo Mail Archive

Re: [OAUTH-WG] open redirect in rfc6749

Hans Zandbelt <hzandbelt@pingidentity.com> Thu, 04 September 2014 08:58 UTC

Return-Path: <hzandbelt@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D1531A00AA for <oauth@ietfa.amsl.com>; Thu, 4 Sep 2014 01:58:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.746
X-Spam-Level:
X-Spam-Status: No, score=-1.746 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YQIQ_ILgkxyS for <oauth@ietfa.amsl.com>; Thu, 4 Sep 2014 01:58:29 -0700 (PDT)
Received: from na3sys009aog107.obsmtp.com (na3sys009aog107.obsmtp.com [74.125.149.197]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BC3B1A008B for <oauth@ietf.org>; Thu, 4 Sep 2014 01:58:29 -0700 (PDT)
Received: from mail-wg0-f49.google.com ([74.125.82.49]) (using TLSv1) by na3sys009aob107.postini.com ([74.125.148.12]) with SMTP ID DSNKVAgptKrVMw7AsBmDv6IcaXnX02nL1RB5@postini.com; Thu, 04 Sep 2014 01:58:29 PDT
Received: by mail-wg0-f49.google.com with SMTP id y10so9724062wgg.8 for <oauth@ietf.org>; Thu, 04 Sep 2014 01:58:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=aoIWiys9v78a5JUr14fxM5Z0SJMDjkytMcRbFuoAZj4=; b=iOSvpM+Ns9zaYvG66fD4ZZl6XLDTI4/47ekWezNk9OdFmdHdIPg2AlRCqUoabHf9h6 MINqhXxuQrog0vS/U4HxXbZtVWGBjw9DLDF40UVDMgKKvxY6orz2BYmS9EUWpqNCqx9A MrivhmSY6v/HpuQv4y5ZnvWIBv3Dgb0dVY5ZjrmCEcs7qNRkQH/t0AECLs8BGTHQ3Cw3 kW5oRN/pdI774wqC4BNk8Len71h1j8fkdZ3kVjWi+Cv19WqdL94rqiuDaQB2ZkQRiOSg OvHGRl2OzpFu3z5NY5iuj/uwdj1UdsxC+YgiuVAf7afkJzRbYajLG47GLvOm6rnPTSib bYLg==
X-Gm-Message-State: ALoCoQkQFHol5pXS3xjAwPG0kS0kO4+DlGcp6FIYDAi5+xKsD1FUFZ7z4Hi512xe8DfdEGn4SsoqpGWo66hk0UFn7q9uM/XlN4F3bHULoDbWDXvRvzPPUYqg7qUm4bQfjh65HhohYie5
X-Received: by 10.180.85.136 with SMTP id h8mr3951934wiz.67.1409821107576; Thu, 04 Sep 2014 01:58:27 -0700 (PDT)
X-Received: by 10.180.85.136 with SMTP id h8mr3951914wiz.67.1409821107412; Thu, 04 Sep 2014 01:58:27 -0700 (PDT)
Received: from [192.168.10.222] (5ED52E8A.cm-7-6a.dynamic.ziggo.nl. [94.213.46.138]) by mx.google.com with ESMTPSA id z5sm642528wib.20.2014.09.04.01.58.25 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 04 Sep 2014 01:58:26 -0700 (PDT)
Message-ID: <540829AF.9030804@pingidentity.com>
Date: Thu, 04 Sep 2014 10:58:23 +0200
From: Hans Zandbelt <hzandbelt@pingidentity.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Antonio Sanso <asanso@adobe.com>
References: <756EEB25-89E8-4445-9DA0-5522787D51AB@adobe.com> <54073D6F.6070203@redhat.com> <7A3A12C9-2A3B-48B1-BD5D-FD467EA03EE8@ve7jtb.com> <58148F80-C2DD-45C5-8D6F-CED74A90AA75@adobe.com> <5407470B.2010904@pingidentity.com> <25055629-26A9-478D-AE7A-3C295E3166EE@adobe.com> <54074B7A.7080907@pingidentity.com> <43A8E8A6-BA9B-4501-8CA3-28943236EADB@adobe.com> <54075296.9090007@pingidentity.com> <848F15BD-894D-48C6-B901-B5565BDE4C08@adobe.com> <05C25C09-598C-4D7F-A07A-C93DEC17D10B@adobe.com> <255386B5-79A1-4CD7-90E6-F3F6E23F51F8@mitre.org> <540818FD.1010202@pingidentity.com> <809F7DAB-021D-4770-9D7B-E996D0D32D45@adobe.com>
In-Reply-To: <809F7DAB-021D-4770-9D7B-E996D0D32D45@adobe.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/DXHzUShhsMoUjFNk2CHm4FndJmo
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] open redirect in rfc6749
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Sep 2014 08:58:31 -0000

Agreed, I see you point about the big providers using exactly the 
unrestricted flow for which the trust model (by definition) is out of 
scope of the spec. This may be the reason for the implemented behavior 
indeed and a security consideration is a good idea for other 
deployments; there's not much more that can be done.

But Google also provides explicit registration for API clients (which is 
where my mind was):
https://developers.google.com/accounts/docs/OAuth2 (step 1)
and they would not need to deviate from the spec for that, nor would the 
spec need to change

Hans.

On 9/4/14, 9:50 AM, Antonio Sanso wrote:
> Hi Hans,
>
> I really fail to see how this can be addressed at registration time for cases where registration is unrestricted (namely all the big Providers)
>
> regards
>
> antonio
>
> On Sep 4, 2014, at 9:47 AM, Hans Zandbelt <hzandbelt@pingidentity.com> wrote:
>
>> Classifying like this must also mean that consent should not be stored until the client is considered (admin) trusted, and admin policy would interfere with user policy.
>>
>> IMHO the security consideration would apply only to dynamically registered clients where registration is unrestricted; any other form would involve some form of admin/user approval at registration time, overcoming the concern at authorization time: there's no auto-redirect flow possible for unknown clients.
>>
>> Hans.
>>
>> On 9/4/14, 9:04 AM, Richer, Justin P. wrote:
>>> I think this advice isn't a bad idea, though it's of course up to the AS
>>> what an "untrusted" client really is. In practice, this is something
>>> that was registered by a non-sysadmin type person, either a dynamically
>>> registered client or something available through self-service
>>> registration of some type. It's also reasonable that a client, even
>>> dynamically registered, would be considered "trusted" if enough time has
>>> passed and enough users have used it without things blowing up.
>>>
>>>   -- Justin
>>>
>>> On Sep 4, 2014, at 1:26 AM, Antonio Sanso <asanso@adobe.com
>>> <mailto:asanso@adobe.com>> wrote:
>>>
>>>> hi again *,
>>>>
>>>> after thinking a bit further IMHO an alternative for the untrusted
>>>> clients can also be to always present the consent screen (at least
>>>> once) before any redirect.
>>>> Namely all providers I have seen show the consent screen if all the
>>>> request parameters are correct and if the user accepts the redirect
>>>> happens.
>>>> If one of the parameter  (with the exclusion of the client id and
>>>> redirect uri that are handled differently as for spec) is wrong though
>>>> the redirect happens without the consent screen being shown..
>>>>
>>>> WDYT?
>>>>
>>>> regards
>>>>
>>>> antonio
>>>>
>>>> On Sep 3, 2014, at 7:54 PM, Antonio Sanso <asanso@adobe.com
>>>> <mailto:asanso@adobe.com>> wrote:
>>>>
>>>>> Well,
>>>>> I do not know if this is only dynamic registration...
>>>>> let’s talk about real use cases, namely e.g. Google , Facebook ,
>>>>> etc.. is that dynamic client registration? I do not know… :)
>>>>>
>>>>> Said that what the other guys think?  :)
>>>>> Would this deserve some “spec adjustment” ? I mean there is a reason
>>>>> if Google is by choice “violating” the spec right? (I assume to avoid
>>>>> open redirect…)
>>>>> But other implementers do follow the spec hence they have this open
>>>>> redirector… and this is not nice IMHO...
>>>>>
>>>>>
>>>>> On Sep 3, 2014, at 7:40 PM, Hans Zandbelt <hzandbelt@pingidentity.com
>>>>> <mailto:hzandbelt@pingidentity.com>> wrote:
>>>>>
>>>>>> On 9/3/14, 7:14 PM, Antonio Sanso wrote:
>>>>>>>
>>>>>>> On Sep 3, 2014, at 7:10 PM, Hans Zandbelt
>>>>>>> <hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com>> wrote:
>>>>>>>
>>>>>>>> Is your concern clients that were registered using dynamic client
>>>>>>>> registration?
>>>>>>>
>>>>>>> yes
>>>>>>
>>>>>> I think your issue is then with the trust model of dynamic client
>>>>>> registration; that is left out of scope of the dynreg spec (and the
>>>>>> concept is not even part of the core spec), but unless you want
>>>>>> everything to be open (which typically would not be the case), then
>>>>>> it would involve approval somewhere in the process before the client
>>>>>> is registered. Without dynamic client registration that approval is
>>>>>> admin based or resource owner based, depending on use case.
>>>>>>
>>>>>>>> Otherwise the positive case is returning a response to a valid URL
>>>>>>>> that belongs to a client that was registered explicitly by the
>>>>>>>> resource owner
>>>>>>>
>>>>>>> well AFAIK the resource owner doesn’t register clients…
>>>>>>
>>>>>> roles can collapse in use cases especially when using dynamic client
>>>>>> registration
>>>>>>
>>>>>>>> and the negative case is returning an error to that same URL.
>>>>>>>
>>>>>>> the difference is the consent screen… in the positive case you need
>>>>>>> to approve an app.. for the error case no approval is needed,,,
>>>>>>>
>>>>>>>>
>>>>>>>> I fail to see the open redirect.
>>>>>>>
>>>>>>> why?
>>>>>>
>>>>>> because the client and thus the fixed URL are explicitly approved at
>>>>>> some point
>>>>>>
>>>>>> Hans.
>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Hans.
>>>>>>>>
>>>>>>>> On 9/3/14, 6:56 PM, Antonio Sanso wrote:
>>>>>>>>>
>>>>>>>>> On Sep 3, 2014, at 6:51 PM, Hans Zandbelt
>>>>>>>>> <hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com>
>>>>>>>>> <mailto:hzandbelt@pingidentity.com>> wrote:
>>>>>>>>>
>>>>>>>>>> Let me try and approach this from a different angle: why would you
>>>>>>>>>> call it an open redirect when an invalid scope is provided and
>>>>>>>>>> call it
>>>>>>>>>> correct protocol behavior (hopefully) when a valid scope is
>>>>>>>>>> provided?
>>>>>>>>>
>>>>>>>>> as specified below in the positive case (namely when the correct
>>>>>>>>> scope
>>>>>>>>> is provided) the resource owner MUST approve the app via the consent
>>>>>>>>> screen (at least once).
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hans.
>>>>>>>>>>
>>>>>>>>>> On 9/3/14, 6:46 PM, Antonio Sanso wrote:
>>>>>>>>>>> hi John,
>>>>>>>>>>> On Sep 3, 2014, at 6:14 PM, John Bradley <ve7jtb@ve7jtb.com
>>>>>>>>>>> <mailto:ve7jtb@ve7jtb.com>
>>>>>>>>>>> <mailto:ve7jtb@ve7jtb.com>
>>>>>>>>>>> <mailto:ve7jtb@ve7jtb.com>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> In the example the redirect_uri is vlid for the attacker.
>>>>>>>>>>>>
>>>>>>>>>>>> The issue is that the AS may be allowing client registrations with
>>>>>>>>>>>> arbitrary redirect_uri.
>>>>>>>>>>>>
>>>>>>>>>>>> In the spec it is unspecified how a AS validates that a client
>>>>>>>>>>>> controls the redirect_uri it is registering.
>>>>>>>>>>>>
>>>>>>>>>>>> I think that if anything it may be the registration step that
>>>>>>>>>>>> needs
>>>>>>>>>>>> the security consideration.
>>>>>>>>>>>
>>>>>>>>>>> (this is the first time :p) but I do disagree with you. It would be
>>>>>>>>>>> pretty unpractical to block this at registration time….
>>>>>>>>>>> IMHO the best approach is the one taken from Google, namely
>>>>>>>>>>> returning
>>>>>>>>>>> 400 with the cause of the error..
>>>>>>>>>>>
>>>>>>>>>>> *400.* That’s an error.
>>>>>>>>>>>
>>>>>>>>>>> *Error: invalid_scope*
>>>>>>>>>>>
>>>>>>>>>>> Some requested scopes were invalid. {invalid=[l]}
>>>>>>>>>>>
>>>>>>>>>>> said that I hope you all agree this is an issue in the spec so
>>>>>>>>>>> far….
>>>>>>>>>>>
>>>>>>>>>>> regards
>>>>>>>>>>>
>>>>>>>>>>> antonio
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> John B.
>>>>>>>>>>>>
>>>>>>>>>>>> On Sep 3, 2014, at 12:10 PM, Bill Burke <bburke@redhat.com
>>>>>>>>>>>> <mailto:bburke@redhat.com>
>>>>>>>>>>>> <mailto:bburke@redhat.com>
>>>>>>>>>>>> <mailto:bburke@redhat.com>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> I don't understand.  The redirect uri has to be valid in
>>>>>>>>>>>>> order for a
>>>>>>>>>>>>> redirect to happen.  The spec explicitly states this.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 9/3/2014 11:43 AM, Antonio Sanso wrote:
>>>>>>>>>>>>>> hi *,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> IMHO providers that strictly follow rfc6749 are vulnerable
>>>>>>>>>>>>>> to open
>>>>>>>>>>>>>> redirect.
>>>>>>>>>>>>>> Let me explain, reading [0]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If the request fails due to a missing, invalid, or mismatching
>>>>>>>>>>>>>> redirection URI, or if the client identifier is missing or
>>>>>>>>>>>>>> invalid,
>>>>>>>>>>>>>> the authorization server SHOULD inform the resource owner of the
>>>>>>>>>>>>>> error and MUST NOT automatically redirect the user-agent to the
>>>>>>>>>>>>>> invalid redirection URI.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If the resource owner denies the access request or if the
>>>>>>>>>>>>>> request
>>>>>>>>>>>>>> fails for reasons other than a missing or invalid
>>>>>>>>>>>>>> redirection URI,
>>>>>>>>>>>>>> the authorization server informs the client by adding the
>>>>>>>>>>>>>> following
>>>>>>>>>>>>>> parameters to the query component of the redirection URI
>>>>>>>>>>>>>> using the
>>>>>>>>>>>>>> "application/x-www-form-urlencoded" format, perAppendix B
>>>>>>>>>>>>>> <https://tools.ietf.org/html/rfc6749#appendix-B>:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Now let’s assume this.
>>>>>>>>>>>>>> I am registering a new client to thevictim.com
>>>>>>>>>>>>>> <http://thevictim.com/>
>>>>>>>>>>>>>> <http://victim.com/><http://victim.com <http://victim.com/>
>>>>>>>>>>>>>> <http://victim.com/>>
>>>>>>>>>>>>>> <http://victim.com <http://victim.com/> <http://victim.com/>>
>>>>>>>>>>>>>> provider.
>>>>>>>>>>>>>> I register redirect uriattacker.com <http://uriattacker.com/>
>>>>>>>>>>>>>> <http://attacker.com/><http://attacker.com
>>>>>>>>>>>>>> <http://attacker.com/> <http://attacker.com/>>
>>>>>>>>>>>>>> <http://attacker.com <http://attacker.com/>
>>>>>>>>>>>>>> <http://attacker.com/>>.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> According to [0] if I pass e.g. the wrong scope I am redirected
>>>>>>>>>>>>>> back to
>>>>>>>>>>>>>> attacker.com <http://attacker.com/>
>>>>>>>>>>>>>> <http://attacker.com/><http://attacker.com
>>>>>>>>>>>>>> <http://attacker.com/>
>>>>>>>>>>>>>> <http://attacker.com/>> <http://attacker.com
>>>>>>>>>>>>>> <http://attacker.com/> <http://attacker.com/>>.
>>>>>>>>>>>>>> Namely I prepare a url that is in this form:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> http://victim.com/authorize?response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRONG_SCOPE&redirect_uri=http://attacker.com
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> and this is works as an open redirector.
>>>>>>>>>>>>>> Of course in the positive case if all the parameters are
>>>>>>>>>>>>>> fine this
>>>>>>>>>>>>>> doesn’t apply since the resource owner MUST approve the app
>>>>>>>>>>>>>> via the
>>>>>>>>>>>>>> consent screen (at least once).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> A solution would be to return error 400 rather than redirect
>>>>>>>>>>>>>> to the
>>>>>>>>>>>>>> redirect URI (as some provider e.g. Google do)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> WDYT?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> regards
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> antonio
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [0] https://tools.ietf.org/html/rfc6749#section-4.1.2.1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> OAuth mailing list
>>>>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Bill Burke
>>>>>>>>>>>>> JBoss, a division of Red Hat
>>>>>>>>>>>>> http://bill.burkecentral.com <http://bill.burkecentral.com/>
>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> OAuth mailing list
>>>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org>
>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> OAuth mailing list
>>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>>>>>>> <mailto:OAuth@ietf.org><mailto:OAuth@ietf.org>
>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> OAuth mailing list
>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org>
>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Hans Zandbelt              | Sr. Technical Architect
>>>>>>>>>> hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com>
>>>>>>>>>> <mailto:hzandbelt@pingidentity.com>| Ping
>>>>>>>>>> Identity
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Hans Zandbelt              | Sr. Technical Architect
>>>>>>>> hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com> |
>>>>>>>> Ping Identity
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Hans Zandbelt              | Sr. Technical Architect
>>>>>> hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com>| Ping
>>>>>> Identity
>>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>> --
>> Hans Zandbelt              | Sr. Technical Architect
>> hzandbelt@pingidentity.com | Ping Identity
>

-- 
Hans Zandbelt              | Sr. Technical Architect
hzandbelt@pingidentity.com | Ping Identity

v2.23.0 | Report a Bug | By Email