IETF Logo Mail Archive

[OAUTH-WG] Redirection URI

Anthony Nadalin <tonynad@microsoft.com> Thu, 11 August 2011 16:46 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38E2921F8C83 for <oauth@ietfa.amsl.com>; Thu, 11 Aug 2011 09:46:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.466
X-Spam-Level:
X-Spam-Status: No, score=-7.466 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HuF2I2T8h41f for <oauth@ietfa.amsl.com>; Thu, 11 Aug 2011 09:46:41 -0700 (PDT)
Received: from smtp.microsoft.com (mailc.microsoft.com [131.107.115.214]) by ietfa.amsl.com (Postfix) with ESMTP id 26DAB21F8C82 for <oauth@ietf.org>; Thu, 11 Aug 2011 09:46:41 -0700 (PDT)
Received: from TK5EX14HUBC106.redmond.corp.microsoft.com (157.54.80.61) by TK5-EXGWY-E803.partners.extranet.microsoft.com (10.251.56.169) with Microsoft SMTP Server (TLS) id 8.2.176.0; Thu, 11 Aug 2011 09:47:16 -0700
Received: from TX2EHSOBE008.bigfish.com (157.54.51.113) by mail.microsoft.com (157.54.80.61) with Microsoft SMTP Server (TLS) id 14.1.323.7; Thu, 11 Aug 2011 09:47:15 -0700
Received: from mail90-tx2-R.bigfish.com (10.9.14.247) by TX2EHSOBE008.bigfish.com (10.9.40.28) with Microsoft SMTP Server id 14.1.225.22; Thu, 11 Aug 2011 16:47:14 +0000
Received: from mail90-tx2 (localhost.localdomain [127.0.0.1]) by mail90-tx2-R.bigfish.com (Postfix) with ESMTP id 947E01708620 for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Thu, 11 Aug 2011 16:47:14 +0000 (UTC)
X-SpamScore: 3
X-BigFish: PS3(zzc85fhzz1202h1082kzz8275bh8275dhz31h2a8h668h839h61h)
X-Spam-TCS-SCL: 0:0
X-Forefront-Antispam-Report: CIP:207.46.4.139; KIP:(null); UIP:(null); IPV:SKI; H:SN2PRD0302HT002.namprd03.prod.outlook.com; R:internal; EFV:INT
Received-SPF: softfail (mail90-tx2: transitioning domain of microsoft.com does not designate 207.46.4.139 as permitted sender) client-ip=207.46.4.139; envelope-from=tonynad@microsoft.com; helo=SN2PRD0302HT002.namprd03.prod.outlook.com ; .outlook.com ;
Received: from mail90-tx2 (localhost.localdomain [127.0.0.1]) by mail90-tx2 (MessageSwitch) id 1313081197648535_12947; Thu, 11 Aug 2011 16:46:37 +0000 (UTC)
Received: from TX2EHSMHS022.bigfish.com (unknown [10.9.14.244]) by mail90-tx2.bigfish.com (Postfix) with ESMTP id EE251BF81A0 for <oauth@ietf.org>; Thu, 11 Aug 2011 16:44:58 +0000 (UTC)
Received: from SN2PRD0302HT002.namprd03.prod.outlook.com (207.46.4.139) by TX2EHSMHS022.bigfish.com (10.9.99.122) with Microsoft SMTP Server (TLS) id 14.1.225.22; Thu, 11 Aug 2011 16:44:55 +0000
Received: from SN2PRD0302MB137.namprd03.prod.outlook.com ([169.254.5.250]) by SN2PRD0302HT002.namprd03.prod.outlook.com ([10.27.50.85]) with mapi id 14.01.0225.064; Thu, 11 Aug 2011 16:44:54 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Thread-Topic: Redirection URI
Thread-Index: AcxYRb1XP0xSYd9DQVa6zRpFQxTVKA==
Date: Thu, 11 Aug 2011 16:44:54 +0000
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E723B89A96@SN2PRD0302MB137.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [131.107.0.76]
Content-Type: multipart/alternative; boundary="_000_B26C1EF377CB694EAB6BDDC8E624B6E723B89A96SN2PRD0302MB137_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: SN2PRD0302HT002.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-OriginatorOrg: microsoft.com
X-CrossPremisesHeadersPromoted: TK5EX14HUBC106.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC106.redmond.corp.microsoft.com
Subject: [OAUTH-WG] Redirection URI
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Aug 2011 16:46:42 -0000

Section 3.1.2 explicitly states that the redirection endpoint URI MUST be an absolute URI. But that means that the URI could be potentially of any scheme. This is probably intentional since there are scenarios where a native client will want to register a custom scheme as the call back URI.

                But how can that ever be considered secure? Any app could potentially register a scheme with itself as the handler in the OS. Are we really in a position to state that ALL OS environments in ALL cases will only allow for the registration of new URI schemes in a completely secure way? I can't help but wonder if that isn't going too far and endangering users? Shouldn't we require that the redirect URI MUST always be a HTTPS URI and that native clients will need to have access to a browser? If we don't then how can we really be sure that a custom scheme is associated with the application we think it's associated with?

                If we are going to allow for custom schemes then fun issues come up. Let's say that an authorization server receives a request from an implicit client with a redirection URI value of foo:privatescheme:bar. Let's further say that the authorization server has an implicit client registered with it whose URI is foo:privatescheme:%62%61%72. What should the authorization server do?

                Should it:
                                A) Reject the request because the submitted redirection URI doesn't match exactly with the registered URI?
                                B) Accept the request because, if one applies URL decoding, it is identical to the registered URI but send back the response with the registered value (e.g. with :bar at the end)?
                                C) Same as B except send back the response with the same value as specified in redirect uri parameter in the request?

                Any of the above is legal according to the new or proposed language. But that clearly can't be right. After all, the host OS which allowed the client to register the "foo" scheme may not see foo:privatescheme:bar and foo:privatescheme:%62%61%72 as the same. So if a legitimate app was using the %62%61%72 value then B would cause an error since the response would be wrong and C would be right. But if the value is part of an attack then B would be right and C would be wrong. Since there is no way for the authorization server to know ahead of time what OS might be in use and what behavior it might have  I think we have to define that the correct behavior as "A".

               The agreement on how to compare redirection URIs is NOT a private agreement between the client and authorization server. It's a public agreement. The whole point of OAuth is to allow any client and any authorization server to interoperate. But as I show above if the client's assumptions about how the redirect URI is processed and the server's assumptions aren't the same then security breaks. Therefore the standard MUST define what the expected behavior is.

                So we have to answer a couple of questions:

                                Question #1 - How should the server compare a submitted redirection URI to one it has registered if the server doesn't recognize the URI scheme?
                                Question #2 - OAuth in section 3.1.2 explicitly states that the redirection URI can contain a query component. Does that override the registered value? In other words if the registered value was foo:privatescheme:bar and the received value is foo:privatescheme:bar?foo=blah, do the two match?
                                Question #3 - If a recognized URL scheme is used then what rules apply? And how can we be sure that both the client and the authorization server are using the same rules? Because, if they aren't, then, well, Dave Thaler's paper nicely outlines the consequences. This is especially the case if the redirection URI is pointing to a multi-tenant server where getting the URI 'wrong' means sending the response to the wrong place.

                Propose that the only way to handle all of these rather nasty issues is by mandating that section 6.2.1 of RFC 3986 MUST be used by the authorization server when determining if a submitted redirection URI matches a registered value. This explicitly precludes the use of 'prefix' matching and it explicitly precludes having extra query parameters. If the client needs to encode state information than it can use the dedicated state variable. This is the simplest possible approach and therefore the one least likely to be screwed up by authorization servers and therefore least likely to introduce security holes. Please note that this proposal requires changes in multiple places in the spec, including but possibly not limited to sections 3.1.2, 3.1.2.2 and 3.1.2.3.

v2.23.0 | Report a Bug | By Email