Re: [OAUTH-WG] open redirect in rfc6749
Hans Zandbelt <hzandbelt@pingidentity.com> Wed, 03 September 2014 18:43 UTC
Return-Path: <hzandbelt@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36CE51A04F8 for <oauth@ietfa.amsl.com>; Wed, 3 Sep 2014 11:43:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.746
X-Spam-Level:
X-Spam-Status: No, score=-1.746 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bDkUuKBfj6Rb for <oauth@ietfa.amsl.com>; Wed, 3 Sep 2014 11:43:10 -0700 (PDT)
Received: from na3sys009aog102.obsmtp.com (na3sys009aog102.obsmtp.com [74.125.149.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2557A1A0484 for <oauth@ietf.org>; Wed, 3 Sep 2014 11:43:10 -0700 (PDT)
Received: from mail-wg0-f47.google.com ([74.125.82.47]) (using TLSv1) by na3sys009aob102.postini.com ([74.125.148.12]) with SMTP ID DSNKVAdhLxG81OyFnbDuT3AbUEJ8gpDoAill@postini.com; Wed, 03 Sep 2014 11:43:10 PDT
Received: by mail-wg0-f47.google.com with SMTP id z12so8814327wgg.18 for <oauth@ietf.org>; Wed, 03 Sep 2014 11:42:40 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=7tovfFuIDwsgsMmy9TNAVIc52maQwTdbhGJTzlqxFZ4=; b=WuGI3X4/2D9RfMQwBEARcobqwJEPRMRHw3xc9WWgvLo+XXVuWyxVaT0hLv4OfDKrst e8MqL6hSPJPKQG8OVrckNoKNdmuYCheSvfv3EkKVPFTW0jKRasSCYovtKrTSgHuj88Cz NK+0+IKaBH6UuIRL3W3JnalRPOLGrm1HNavenYVIsE51M9ol1PKpl5eTVzXHJ3mxvTWq E+Y4jTpf1aHr12lJtazKs0luRW+/7q5hwYM6l6tYOgCyXkSbhCmMVMFuclsLW1pNnw9T Qc1io7PamqnfNlSP5Do+TbTlIJRix1LGBqs3XklQJDs4kyS6UB/G+P99WJUcCcRCpWBo N+Aw==
X-Gm-Message-State: ALoCoQn0fNZPRGyJx9hCDo9j5q9DIWgJjwdaXj1kU5CbdehMyDO8WpvbVuUjUf7k1xjRIamjaK48omy2pGNQosF6Wadf3TR8K55tOuU8niv03t05EOXRBAxIGDNS6ddJIExe23LUbUv/
X-Received: by 10.180.78.201 with SMTP id d9mr613380wix.12.1409769760810; Wed, 03 Sep 2014 11:42:40 -0700 (PDT)
X-Received: by 10.180.78.201 with SMTP id d9mr613358wix.12.1409769760611; Wed, 03 Sep 2014 11:42:40 -0700 (PDT)
Received: from [192.168.10.222] (5ED52E8A.cm-7-6a.dynamic.ziggo.nl. [94.213.46.138]) by mx.google.com with ESMTPSA id gk17sm5988721wic.16.2014.09.03.11.42.39 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 03 Sep 2014 11:42:39 -0700 (PDT)
Message-ID: <5407611D.6090405@pingidentity.com>
Date: Wed, 03 Sep 2014 20:42:37 +0200
From: Hans Zandbelt <hzandbelt@pingidentity.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: John Bradley <ve7jtb@ve7jtb.com>, Antonio Sanso <asanso@adobe.com>
References: <756EEB25-89E8-4445-9DA0-5522787D51AB@adobe.com> <54073D6F.6070203@redhat.com> <7A3A12C9-2A3B-48B1-BD5D-FD467EA03EE8@ve7jtb.com> <58148F80-C2DD-45C5-8D6F-CED74A90AA75@adobe.com> <5407470B.2010904@pingidentity.com> <25055629-26A9-478D-AE7A-3C295E3166EE@adobe.com> <54074B7A.7080907@pingidentity.com> <43A8E8A6-BA9B-4501-8CA3-28943236EADB@adobe.com> <387F387A-4743-488F-BBD0-8FB8232FA8E9@ve7jtb.com>
In-Reply-To: <387F387A-4743-488F-BBD0-8FB8232FA8E9@ve7jtb.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/GLE3YfPTgmkvXKdLdJ4zSRuTkoo
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] open redirect in rfc6749
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Sep 2014 18:43:12 -0000
fine, you're talking security considerations about untrusted clients; that's a different use case than the protocol flaw reason why Google would not do rfc6749 as written Hans. On 9/3/14, 7:52 PM, John Bradley wrote: > I agree that the error case where there is no UI is the problem, as it can be used inside a Iframe. > > However error responses are generally useful. > > OAuth core is silent on how redirect_uri are registered and if they are verified. > > Dynamic registration should warn about OAuth errors to redirect_uri from untrusted clients. > > For other registration methods we should update the RFC. > > John B. > > > > > Sent from my iPhone > >> On Sep 3, 2014, at 7:14 PM, Antonio Sanso <asanso@adobe.com> wrote: >> >> >>> On Sep 3, 2014, at 7:10 PM, Hans Zandbelt <hzandbelt@pingidentity.com> wrote: >>> >>> Is your concern clients that were registered using dynamic client registration? >> >> yes >> >>> >>> Otherwise the positive case is returning a response to a valid URL that belongs to a client that was registered explicitly by the resource owner >> >> well AFAIK the resource owner doesn’t register clients… >> >> >>> and the negative case is returning an error to that same URL. >> >> the difference is the consent screen… in the positive case you need to approve an app.. for the error case no approval is needed,,, >> >>> >>> I fail to see the open redirect. >> >> why? >> >>> >>> Hans. >>> >>>> On 9/3/14, 6:56 PM, Antonio Sanso wrote: >>>> >>>> On Sep 3, 2014, at 6:51 PM, Hans Zandbelt <hzandbelt@pingidentity.com >>>> <mailto:hzandbelt@pingidentity.com>> wrote: >>>> >>>>> Let me try and approach this from a different angle: why would you >>>>> call it an open redirect when an invalid scope is provided and call it >>>>> correct protocol behavior (hopefully) when a valid scope is provided? >>>> >>>> as specified below in the positive case (namely when the correct scope >>>> is provided) the resource owner MUST approve the app via the consent >>>> screen (at least once). >>>> >>>> >>>>> >>>>> Hans. >>>>> >>>>>> On 9/3/14, 6:46 PM, Antonio Sanso wrote: >>>>>> hi John, >>>>>> On Sep 3, 2014, at 6:14 PM, John Bradley <ve7jtb@ve7jtb.com >>>>>> <mailto:ve7jtb@ve7jtb.com> >>>>>> <mailto:ve7jtb@ve7jtb.com>> wrote: >>>>>> >>>>>>> In the example the redirect_uri is vlid for the attacker. >>>>>>> >>>>>>> The issue is that the AS may be allowing client registrations with >>>>>>> arbitrary redirect_uri. >>>>>>> >>>>>>> In the spec it is unspecified how a AS validates that a client >>>>>>> controls the redirect_uri it is registering. >>>>>>> >>>>>>> I think that if anything it may be the registration step that needs >>>>>>> the security consideration. >>>>>> >>>>>> (this is the first time :p) but I do disagree with you. It would be >>>>>> pretty unpractical to block this at registration time…. >>>>>> IMHO the best approach is the one taken from Google, namely returning >>>>>> 400 with the cause of the error.. >>>>>> >>>>>> *400.* That’s an error. >>>>>> >>>>>> *Error: invalid_scope* >>>>>> >>>>>> Some requested scopes were invalid. {invalid=[l]} >>>>>> >>>>>> said that I hope you all agree this is an issue in the spec so far…. >>>>>> >>>>>> regards >>>>>> >>>>>> antonio >>>>>> >>>>>>> >>>>>>> John B. >>>>>>> >>>>>>> On Sep 3, 2014, at 12:10 PM, Bill Burke <bburke@redhat.com >>>>>>> <mailto:bburke@redhat.com> >>>>>>> <mailto:bburke@redhat.com>> wrote: >>>>>>> >>>>>>>> I don't understand. The redirect uri has to be valid in order for a >>>>>>>> redirect to happen. The spec explicitly states this. >>>>>>>> >>>>>>>>> On 9/3/2014 11:43 AM, Antonio Sanso wrote: >>>>>>>>> hi *, >>>>>>>>> >>>>>>>>> IMHO providers that strictly follow rfc6749 are vulnerable to open >>>>>>>>> redirect. >>>>>>>>> Let me explain, reading [0] >>>>>>>>> >>>>>>>>> If the request fails due to a missing, invalid, or mismatching >>>>>>>>> redirection URI, or if the client identifier is missing or invalid, >>>>>>>>> the authorization server SHOULD inform the resource owner of the >>>>>>>>> error and MUST NOT automatically redirect the user-agent to the >>>>>>>>> invalid redirection URI. >>>>>>>>> >>>>>>>>> If the resource owner denies the access request or if the request >>>>>>>>> fails for reasons other than a missing or invalid redirection URI, >>>>>>>>> the authorization server informs the client by adding the following >>>>>>>>> parameters to the query component of the redirection URI using the >>>>>>>>> "application/x-www-form-urlencoded" format, perAppendix B >>>>>>>>> <https://tools.ietf.org/html/rfc6749#appendix-B>: >>>>>>>>> >>>>>>>>> Now let’s assume this. >>>>>>>>> I am registering a new client to thevictim.com >>>>>>>>> <http://victim.com/><http://victim.com <http://victim.com/>> >>>>>>>>> <http://victim.com <http://victim.com/>> >>>>>>>>> provider. >>>>>>>>> I register redirect uriattacker.com >>>>>>>>> <http://attacker.com/><http://attacker.com <http://attacker.com/>> >>>>>>>>> <http://attacker.com <http://attacker.com/>>. >>>>>>>>> >>>>>>>>> According to [0] if I pass e.g. the wrong scope I am redirected >>>>>>>>> back to >>>>>>>>> attacker.com <http://attacker.com/><http://attacker.com >>>>>>>>> <http://attacker.com/>> <http://attacker.com <http://attacker.com/>>. >>>>>>>>> Namely I prepare a url that is in this form: >>>>>>>>> >>>>>>>>> http://victim.com/authorize?response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRONG_SCOPE&redirect_uri=http://attacker.com >>>>>>>>> >>>>>>>>> and this is works as an open redirector. >>>>>>>>> Of course in the positive case if all the parameters are fine this >>>>>>>>> doesn’t apply since the resource owner MUST approve the app via the >>>>>>>>> consent screen (at least once). >>>>>>>>> >>>>>>>>> A solution would be to return error 400 rather than redirect to the >>>>>>>>> redirect URI (as some provider e.g. Google do) >>>>>>>>> >>>>>>>>> WDYT? >>>>>>>>> >>>>>>>>> regards >>>>>>>>> >>>>>>>>> antonio >>>>>>>>> >>>>>>>>> [0] https://tools.ietf.org/html/rfc6749#section-4.1.2.1 >>>>>>>>> >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> OAuth mailing list >>>>>>>>> OAuth@ietf.org >>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>> >>>>>>>> -- >>>>>>>> Bill Burke >>>>>>>> JBoss, a division of Red Hat >>>>>>>> http://bill.burkecentral.com >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> OAuth mailing list >>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>> >>>>>>> _______________________________________________ >>>>>>> OAuth mailing list >>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org><mailto:OAuth@ietf.org> >>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>>> -- >>>>> Hans Zandbelt | Sr. Technical Architect >>>>> hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com>| Ping >>>>> Identity >>> >>> -- >>> Hans Zandbelt | Sr. Technical Architect >>> hzandbelt@pingidentity.com | Ping Identity >> -- Hans Zandbelt | Sr. Technical Architect hzandbelt@pingidentity.com | Ping Identity
- [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Bill Burke
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Takahiko Kawasaki
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Richer, Justin P.
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Bill Burke
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Richer, Justin P.
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Richer, Justin P.
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Torsten Lodderstedt
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Sergey Beryozkin
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Sergey Beryozkin
- Re: [OAUTH-WG] open redirect in rfc6749 Bill Burke
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso