Re: [OAUTH-WG] User-agent flow and pre-registered redirect_uri

Marius Scurtescu <mscurtescu@google.com> Tue, 08 June 2010 18:04 UTC

In-Reply-To: <C833CEB4.6B81%cmortimore@salesforce.com>
References: <AANLkTingSGlJNZ5e_stPd1qU5I4gfbh3rQhqYUmqXvdB@mail.gmail.com> <C833CEB4.6B81%cmortimore@salesforce.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Tue, 08 Jun 2010 11:04:15 -0700
Message-ID: <AANLkTinVQEPBVzmiHEGgHhzaILL0nRSvZpjIlrVEJwTw@mail.gmail.com>
To: Chuck Mortimore <cmortimore@salesforce.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] User-agent flow and pre-registered redirect_uri

On Tue, Jun 8, 2010 at 10:40 AM, Chuck Mortimore
<cmortimore@salesforce.com> wrote:
> Thanks – I get your line of reasoning now. I believe it would still help
> in preventing certain types of attack. These are especially apparent
> around immediate.

I do agree that requiring registration may be a good idea in many
cases, all I am saying is that this should not be enforced. Some authz
servers may want to allow unregistered clients, and that's fine. I
think the current SHOULD is good enough and changing it to MUST would
be going too far.


> 1) User initially grants access to example.com
> 2) User goes to an evil site
> 3) Without the user’s knowledge, the malicious site issues an immediate
> user_agent flow
>
> https://authzserver.com/authorize?type=user_agent&immediate=true&client_id=<Example.com’s
> Client ID>&redirect_uri=<Evil URL>
>
> 4) Evil site is handed an access token based upon the previous grant to
> example.com

I don't think this attack will work. If example.com was not registered,
then it has no client_id, so the previous approval should be
remembered for example.com's redirect_uri. Evil site needs to use its
own redirect_uri, so immediate will not work.


Marius
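The four-step scenario quoted above and the reply to it, as an added example that is not part of the original thread or of the OAuth draft: a small Python model of an authorization server's immediate-mode decision. It contrasts two policies, one that remembers approvals per client_id and uses the submitted redirect_uri as-is (the behaviour the quoted attack assumes), and one that remembers approvals per (client_id, redirect_uri) and makes registered clients use their registered redirect_uri (the behaviour the reply relies on). The class, policy names, client ids, URLs and error strings are all assumptions constructed for this example; the error names in particular are illustrative and are not claimed to match the draft's.

```python
"""
Model of the immediate-mode user-agent flow decision discussed above.
Everything here (class, policy names, error strings, client ids, URLs) is
constructed for this example; none of it is from the OAuth draft or the thread.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registration table: client_id -> registered redirect_uri.
REGISTERED_CLIENTS = {
    "example-client-id": "https://example.com/oauth/callback",
}


class AuthzServer:
    """Two policies for remembering approvals and validating redirect_uri.

    client_id_only      approvals remembered per client_id; redirect_uri used
                        as sent (the behaviour the quoted attack assumes)
    bound_redirect_uri  approvals remembered per (client_id, redirect_uri);
                        registered clients must use their registered URI
                        (the behaviour the reply relies on)
    """

    def __init__(self, policy):
        assert policy in ("client_id_only", "bound_redirect_uri")
        self.policy = policy
        self.grants = set()
        self._tokens = 0

    def _grant_key(self, user, client_id, redirect_uri):
        if self.policy == "client_id_only":
            return (user, client_id)
        # client_id is None for an unregistered client, so the remembered
        # approval is then tied to the redirect_uri alone.
        return (user, client_id, redirect_uri)

    def record_approval(self, user, client_id, redirect_uri):
        """Called after the user interactively approves a client."""
        self.grants.add(self._grant_key(user, client_id, redirect_uri))

    def authorize(self, user, request_url):
        """Return (redirect target, fragment parameters) for a user-agent flow request."""
        params = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
        client_id = params.get("client_id")        # absent for unregistered clients
        redirect_uri = params.get("redirect_uri")
        immediate = params.get("immediate") == "true"
        if params.get("type") != "user_agent" or not redirect_uri:
            return None, {"error": "invalid_request"}

        if self.policy == "bound_redirect_uri" and client_id in REGISTERED_CLIENTS:
            if REGISTERED_CLIENTS[client_id] != redirect_uri:
                # Do not redirect at all: sending even an error to an
                # unverified redirect_uri still lands the user on the attacker's page.
                return None, {"error": "redirect_uri_mismatch"}

        if self._grant_key(user, client_id, redirect_uri) in self.grants:
            self._tokens += 1
            return redirect_uri, {"access_token": f"token-{self._tokens}"}
        if immediate:
            return redirect_uri, {"error": "immediate_unsuccessful"}
        return None, {"prompt": "consent"}   # interactive consent page in a real server


EXAMPLE_URI = "https://example.com/oauth/callback"
EVIL_URI = "https://evil.example.net/steal"


def immediate_request(client_id, redirect_uri):
    """Build the authorization URL from step 3 of the quoted scenario."""
    q = {"type": "user_agent", "immediate": "true", "redirect_uri": redirect_uri}
    if client_id is not None:
        q["client_id"] = client_id
    return "https://authzserver.com/authorize?" + urlencode(q)


def evil_gets_token(policy, example_registered=True):
    """Replay steps 1-4 of the quoted scenario; True if the evil site receives a token."""
    srv = AuthzServer(policy)
    cid = "example-client-id" if example_registered else None
    srv.record_approval("alice", cid, EXAMPLE_URI)                           # step 1
    target, frag = srv.authorize("alice", immediate_request(cid, EVIL_URI))  # steps 2-3
    return target == EVIL_URI and "access_token" in frag                     # step 4


def example_gets_token(policy, example_registered=True):
    """Control case: the legitimate client reusing its approval in immediate mode."""
    srv = AuthzServer(policy)
    cid = "example-client-id" if example_registered else None
    srv.record_approval("alice", cid, EXAMPLE_URI)
    target, frag = srv.authorize("alice", immediate_request(cid, EXAMPLE_URI))
    return target == EXAMPLE_URI and "access_token" in frag
```

Under `client_id_only` the attack succeeds whether or not example.com is registered (an unregistered client has no client_id, so all such clients would share one remembered approval), while under `bound_redirect_uri` it fails in both cases: a registered client_id with a foreign redirect_uri is refused outright, and an unregistered evil redirect_uri simply has no remembered approval to reuse. The legitimate client keeps working in immediate mode under both policies, so binding the approval to the redirect_uri costs nothing for honest clients.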