IETF Logo Mail Archive

Re: [OAUTH-WG] open redirect in rfc6749

Hans Zandbelt <hzandbelt@pingidentity.com> Wed, 03 September 2014 18:43 UTC

Return-Path: <hzandbelt@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36CE51A04F8 for <oauth@ietfa.amsl.com>; Wed, 3 Sep 2014 11:43:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.746
X-Spam-Level:
X-Spam-Status: No, score=-1.746 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bDkUuKBfj6Rb for <oauth@ietfa.amsl.com>; Wed, 3 Sep 2014 11:43:10 -0700 (PDT)
Received: from na3sys009aog102.obsmtp.com (na3sys009aog102.obsmtp.com [74.125.149.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2557A1A0484 for <oauth@ietf.org>; Wed, 3 Sep 2014 11:43:10 -0700 (PDT)
Received: from mail-wg0-f47.google.com ([74.125.82.47]) (using TLSv1) by na3sys009aob102.postini.com ([74.125.148.12]) with SMTP ID DSNKVAdhLxG81OyFnbDuT3AbUEJ8gpDoAill@postini.com; Wed, 03 Sep 2014 11:43:10 PDT
Received: by mail-wg0-f47.google.com with SMTP id z12so8814327wgg.18 for <oauth@ietf.org>; Wed, 03 Sep 2014 11:42:40 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=7tovfFuIDwsgsMmy9TNAVIc52maQwTdbhGJTzlqxFZ4=; b=WuGI3X4/2D9RfMQwBEARcobqwJEPRMRHw3xc9WWgvLo+XXVuWyxVaT0hLv4OfDKrst e8MqL6hSPJPKQG8OVrckNoKNdmuYCheSvfv3EkKVPFTW0jKRasSCYovtKrTSgHuj88Cz NK+0+IKaBH6UuIRL3W3JnalRPOLGrm1HNavenYVIsE51M9ol1PKpl5eTVzXHJ3mxvTWq E+Y4jTpf1aHr12lJtazKs0luRW+/7q5hwYM6l6tYOgCyXkSbhCmMVMFuclsLW1pNnw9T Qc1io7PamqnfNlSP5Do+TbTlIJRix1LGBqs3XklQJDs4kyS6UB/G+P99WJUcCcRCpWBo N+Aw==
X-Gm-Message-State: ALoCoQn0fNZPRGyJx9hCDo9j5q9DIWgJjwdaXj1kU5CbdehMyDO8WpvbVuUjUf7k1xjRIamjaK48omy2pGNQosF6Wadf3TR8K55tOuU8niv03t05EOXRBAxIGDNS6ddJIExe23LUbUv/
X-Received: by 10.180.78.201 with SMTP id d9mr613380wix.12.1409769760810; Wed, 03 Sep 2014 11:42:40 -0700 (PDT)
X-Received: by 10.180.78.201 with SMTP id d9mr613358wix.12.1409769760611; Wed, 03 Sep 2014 11:42:40 -0700 (PDT)
Received: from [192.168.10.222] (5ED52E8A.cm-7-6a.dynamic.ziggo.nl. [94.213.46.138]) by mx.google.com with ESMTPSA id gk17sm5988721wic.16.2014.09.03.11.42.39 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 03 Sep 2014 11:42:39 -0700 (PDT)
Message-ID: <5407611D.6090405@pingidentity.com>
Date: Wed, 03 Sep 2014 20:42:37 +0200
From: Hans Zandbelt <hzandbelt@pingidentity.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: John Bradley <ve7jtb@ve7jtb.com>, Antonio Sanso <asanso@adobe.com>
References: <756EEB25-89E8-4445-9DA0-5522787D51AB@adobe.com> <54073D6F.6070203@redhat.com> <7A3A12C9-2A3B-48B1-BD5D-FD467EA03EE8@ve7jtb.com> <58148F80-C2DD-45C5-8D6F-CED74A90AA75@adobe.com> <5407470B.2010904@pingidentity.com> <25055629-26A9-478D-AE7A-3C295E3166EE@adobe.com> <54074B7A.7080907@pingidentity.com> <43A8E8A6-BA9B-4501-8CA3-28943236EADB@adobe.com> <387F387A-4743-488F-BBD0-8FB8232FA8E9@ve7jtb.com>
In-Reply-To: <387F387A-4743-488F-BBD0-8FB8232FA8E9@ve7jtb.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/GLE3YfPTgmkvXKdLdJ4zSRuTkoo
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] open redirect in rfc6749
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Sep 2014 18:43:12 -0000

fine, you're talking security considerations about untrusted clients; 
that's a different use case than the protocol flaw reason why Google 
would not do rfc6749 as written

Hans.

On 9/3/14, 7:52 PM, John Bradley wrote:
> I agree that the error case where there is no UI is the problem, as it can be used inside a Iframe.
>
> However error responses are generally useful.
>
> OAuth core is silent on how redirect_uri are registered and if they are verified.
>
> Dynamic registration should warn about OAuth errors to redirect_uri from untrusted clients.
>
> For other registration methods we should update the RFC.
>
> John B.
>
>
>
>
> Sent from my iPhone
>
>> On Sep 3, 2014, at 7:14 PM, Antonio Sanso <asanso@adobe.com> wrote:
>>
>>
>>> On Sep 3, 2014, at 7:10 PM, Hans Zandbelt <hzandbelt@pingidentity.com> wrote:
>>>
>>> Is your concern clients that were registered using dynamic client registration?
>>
>> yes
>>
>>>
>>> Otherwise the positive case is returning a response to a valid URL that belongs to a client that was registered explicitly by the resource owner
>>
>> well AFAIK the resource owner doesn’t register clients…
>>
>>
>>> and the negative case is returning an error to that same URL.
>>
>> the difference is the consent screen… in the positive case you need to approve an app.. for the error case no approval is needed,,,
>>
>>>
>>> I fail to see the open redirect.
>>
>> why?
>>
>>>
>>> Hans.
>>>
>>>> On 9/3/14, 6:56 PM, Antonio Sanso wrote:
>>>>
>>>> On Sep 3, 2014, at 6:51 PM, Hans Zandbelt <hzandbelt@pingidentity.com
>>>> <mailto:hzandbelt@pingidentity.com>> wrote:
>>>>
>>>>> Let me try and approach this from a different angle: why would you
>>>>> call it an open redirect when an invalid scope is provided and call it
>>>>> correct protocol behavior (hopefully) when a valid scope is provided?
>>>>
>>>> as specified below in the positive case (namely when the correct scope
>>>> is provided) the resource owner MUST approve the app via the consent
>>>> screen (at least once).
>>>>
>>>>
>>>>>
>>>>> Hans.
>>>>>
>>>>>> On 9/3/14, 6:46 PM, Antonio Sanso wrote:
>>>>>> hi John,
>>>>>> On Sep 3, 2014, at 6:14 PM, John Bradley <ve7jtb@ve7jtb.com
>>>>>> <mailto:ve7jtb@ve7jtb.com>
>>>>>> <mailto:ve7jtb@ve7jtb.com>> wrote:
>>>>>>
>>>>>>> In the example the redirect_uri is vlid for the attacker.
>>>>>>>
>>>>>>> The issue is that the AS may be allowing client registrations with
>>>>>>> arbitrary redirect_uri.
>>>>>>>
>>>>>>> In the spec it is unspecified how a AS validates that a client
>>>>>>> controls the redirect_uri it is registering.
>>>>>>>
>>>>>>> I think that if anything it may be the registration step that needs
>>>>>>> the security consideration.
>>>>>>
>>>>>> (this is the first time :p) but I do disagree with you. It would be
>>>>>> pretty unpractical to block this at registration time….
>>>>>> IMHO the best approach is the one taken from Google, namely returning
>>>>>> 400 with the cause of the error..
>>>>>>
>>>>>> *400.* That’s an error.
>>>>>>
>>>>>> *Error: invalid_scope*
>>>>>>
>>>>>> Some requested scopes were invalid. {invalid=[l]}
>>>>>>
>>>>>> said that I hope you all agree this is an issue in the spec so far….
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> antonio
>>>>>>
>>>>>>>
>>>>>>> John B.
>>>>>>>
>>>>>>> On Sep 3, 2014, at 12:10 PM, Bill Burke <bburke@redhat.com
>>>>>>> <mailto:bburke@redhat.com>
>>>>>>> <mailto:bburke@redhat.com>> wrote:
>>>>>>>
>>>>>>>> I don't understand.  The redirect uri has to be valid in order for a
>>>>>>>> redirect to happen.  The spec explicitly states this.
>>>>>>>>
>>>>>>>>> On 9/3/2014 11:43 AM, Antonio Sanso wrote:
>>>>>>>>> hi *,
>>>>>>>>>
>>>>>>>>> IMHO providers that strictly follow rfc6749 are vulnerable to open
>>>>>>>>> redirect.
>>>>>>>>> Let me explain, reading [0]
>>>>>>>>>
>>>>>>>>> If the request fails due to a missing, invalid, or mismatching
>>>>>>>>> redirection URI, or if the client identifier is missing or invalid,
>>>>>>>>> the authorization server SHOULD inform the resource owner of the
>>>>>>>>> error and MUST NOT automatically redirect the user-agent to the
>>>>>>>>> invalid redirection URI.
>>>>>>>>>
>>>>>>>>> If the resource owner denies the access request or if the request
>>>>>>>>> fails for reasons other than a missing or invalid redirection URI,
>>>>>>>>> the authorization server informs the client by adding the following
>>>>>>>>> parameters to the query component of the redirection URI using the
>>>>>>>>> "application/x-www-form-urlencoded" format, perAppendix B
>>>>>>>>> <https://tools.ietf.org/html/rfc6749#appendix-B>:
>>>>>>>>>
>>>>>>>>> Now let’s assume this.
>>>>>>>>> I am registering a new client to thevictim.com
>>>>>>>>> <http://victim.com/><http://victim.com <http://victim.com/>>
>>>>>>>>> <http://victim.com <http://victim.com/>>
>>>>>>>>> provider.
>>>>>>>>> I register redirect uriattacker.com
>>>>>>>>> <http://attacker.com/><http://attacker.com <http://attacker.com/>>
>>>>>>>>> <http://attacker.com <http://attacker.com/>>.
>>>>>>>>>
>>>>>>>>> According to [0] if I pass e.g. the wrong scope I am redirected
>>>>>>>>> back to
>>>>>>>>> attacker.com <http://attacker.com/><http://attacker.com
>>>>>>>>> <http://attacker.com/>> <http://attacker.com <http://attacker.com/>>.
>>>>>>>>> Namely I prepare a url that is in this form:
>>>>>>>>>
>>>>>>>>> http://victim.com/authorize?response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRONG_SCOPE&redirect_uri=http://attacker.com
>>>>>>>>>
>>>>>>>>> and this is works as an open redirector.
>>>>>>>>> Of course in the positive case if all the parameters are fine this
>>>>>>>>> doesn’t apply since the resource owner MUST approve the app via the
>>>>>>>>> consent screen (at least once).
>>>>>>>>>
>>>>>>>>> A solution would be to return error 400 rather than redirect to the
>>>>>>>>> redirect URI (as some provider e.g. Google do)
>>>>>>>>>
>>>>>>>>> WDYT?
>>>>>>>>>
>>>>>>>>> regards
>>>>>>>>>
>>>>>>>>> antonio
>>>>>>>>>
>>>>>>>>> [0] https://tools.ietf.org/html/rfc6749#section-4.1.2.1
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> OAuth mailing list
>>>>>>>>> OAuth@ietf.org
>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>
>>>>>>>> --
>>>>>>>> Bill Burke
>>>>>>>> JBoss, a division of Red Hat
>>>>>>>> http://bill.burkecentral.com
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> OAuth mailing list
>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org><mailto:OAuth@ietf.org>
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>> --
>>>>> Hans Zandbelt              | Sr. Technical Architect
>>>>> hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com>| Ping
>>>>> Identity
>>>
>>> --
>>> Hans Zandbelt              | Sr. Technical Architect
>>> hzandbelt@pingidentity.com | Ping Identity
>>

-- 
Hans Zandbelt              | Sr. Technical Architect
hzandbelt@pingidentity.com | Ping Identity

v2.23.0 | Report a Bug | By Email