IETF Logo Mail Archive

Re: [OAUTH-WG] open redirect in rfc6749

Antonio Sanso <asanso@adobe.com> Wed, 03 September 2014 17:15 UTC

Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C27AD1A0397 for <oauth@ietfa.amsl.com>; Wed, 3 Sep 2014 10:15:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EIXpJrP1Qc9o for <oauth@ietfa.amsl.com>; Wed, 3 Sep 2014 10:15:15 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0204.outbound.protection.outlook.com [207.46.163.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E53871A03AB for <oauth@ietf.org>; Wed, 3 Sep 2014 10:14:27 -0700 (PDT)
Received: from CO1PR02MB206.namprd02.prod.outlook.com (10.242.165.144) by CO1PR02MB208.namprd02.prod.outlook.com (10.242.165.150) with Microsoft SMTP Server (TLS) id 15.0.1015.19; Wed, 3 Sep 2014 17:14:19 +0000
Received: from CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.122]) by CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.8]) with mapi id 15.00.1015.018; Wed, 3 Sep 2014 17:14:18 +0000
From: Antonio Sanso <asanso@adobe.com>
To: Hans Zandbelt <hzandbelt@pingidentity.com>
Thread-Topic: [OAUTH-WG] open redirect in rfc6749
Thread-Index: AQHPx43Iqm72AKs/tk+aoXIbGajW5JvvlAWAgAABL4CAAAjogIAAAV6AgAABUQCAAAP4AIAAARkA
Date: Wed, 03 Sep 2014 17:14:18 +0000
Message-ID: <43A8E8A6-BA9B-4501-8CA3-28943236EADB@adobe.com>
References: <756EEB25-89E8-4445-9DA0-5522787D51AB@adobe.com> <54073D6F.6070203@redhat.com> <7A3A12C9-2A3B-48B1-BD5D-FD467EA03EE8@ve7jtb.com> <58148F80-C2DD-45C5-8D6F-CED74A90AA75@adobe.com> <5407470B.2010904@pingidentity.com> <25055629-26A9-478D-AE7A-3C295E3166EE@adobe.com> <54074B7A.7080907@pingidentity.com>
In-Reply-To: <54074B7A.7080907@pingidentity.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [178.83.47.250]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;UriScan:;
x-forefront-prvs: 032334F434
x-forefront-antispam-report: SFV:NSPM; SFS:(6009001)(24454002)(51444003)(51704005)(189002)(479174003)(377454003)(199003)(46102001)(101416001)(74662001)(87936001)(99286002)(81342001)(90102001)(93886004)(110136001)(76482001)(19580405001)(74502001)(105586002)(106356001)(92566001)(106116001)(54356999)(86362001)(64706001)(107046002)(20776003)(95666004)(81542001)(16601075003)(85306004)(50986999)(2656002)(83716003)(99396002)(82746002)(4396001)(15202345003)(92726001)(19580395003)(15975445006)(77096002)(76176999)(85852003)(15395725005)(21056001)(80022001)(83072002)(83322001)(31966008)(33656002)(79102001)(77982001)(66066001)(587094003)(36756003)(104396001); DIR:OUT; SFP:; SCL:1; SRVR:CO1PR02MB208; H:CO1PR02MB206.namprd02.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <E632AB1A75CC4A4489DF81DAB3A954EE@namprd02.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/MFdjkT8GjIy4im6OgzURqOgw2JM
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] open redirect in rfc6749
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Sep 2014 17:15:42 -0000

On Sep 3, 2014, at 7:10 PM, Hans Zandbelt <hzandbelt@pingidentity.com> wrote:

> Is your concern clients that were registered using dynamic client registration?

yes

> 
> Otherwise the positive case is returning a response to a valid URL that belongs to a client that was registered explicitly by the resource owner

well AFAIK the resource owner doesn’t register clients…


> and the negative case is returning an error to that same URL.

the difference is the consent screen… in the positive case you need to approve an app.. for the error case no approval is needed,,,

> 
> I fail to see the open redirect.

why?

> 
> Hans.
> 
> On 9/3/14, 6:56 PM, Antonio Sanso wrote:
>> 
>> On Sep 3, 2014, at 6:51 PM, Hans Zandbelt <hzandbelt@pingidentity.com
>> <mailto:hzandbelt@pingidentity.com>> wrote:
>> 
>>> Let me try and approach this from a different angle: why would you
>>> call it an open redirect when an invalid scope is provided and call it
>>> correct protocol behavior (hopefully) when a valid scope is provided?
>> 
>> as specified below in the positive case (namely when the correct scope
>> is provided) the resource owner MUST approve the app via the consent
>> screen (at least once).
>> 
>> 
>>> 
>>> Hans.
>>> 
>>> On 9/3/14, 6:46 PM, Antonio Sanso wrote:
>>>> hi John,
>>>> On Sep 3, 2014, at 6:14 PM, John Bradley <ve7jtb@ve7jtb.com
>>>> <mailto:ve7jtb@ve7jtb.com>
>>>> <mailto:ve7jtb@ve7jtb.com>> wrote:
>>>> 
>>>>> In the example the redirect_uri is vlid for the attacker.
>>>>> 
>>>>> The issue is that the AS may be allowing client registrations with
>>>>> arbitrary redirect_uri.
>>>>> 
>>>>> In the spec it is unspecified how a AS validates that a client
>>>>> controls the redirect_uri it is registering.
>>>>> 
>>>>> I think that if anything it may be the registration step that needs
>>>>> the security consideration.
>>>> 
>>>> (this is the first time :p) but I do disagree with you. It would be
>>>> pretty unpractical to block this at registration time….
>>>> IMHO the best approach is the one taken from Google, namely returning
>>>> 400 with the cause of the error..
>>>> 
>>>> *400.* That’s an error.
>>>> 
>>>> *Error: invalid_scope*
>>>> 
>>>> Some requested scopes were invalid. {invalid=[l]}
>>>> 
>>>> said that I hope you all agree this is an issue in the spec so far….
>>>> 
>>>> regards
>>>> 
>>>> antonio
>>>> 
>>>>> 
>>>>> John B.
>>>>> 
>>>>> On Sep 3, 2014, at 12:10 PM, Bill Burke <bburke@redhat.com
>>>>> <mailto:bburke@redhat.com>
>>>>> <mailto:bburke@redhat.com>> wrote:
>>>>> 
>>>>>> I don't understand.  The redirect uri has to be valid in order for a
>>>>>> redirect to happen.  The spec explicitly states this.
>>>>>> 
>>>>>> On 9/3/2014 11:43 AM, Antonio Sanso wrote:
>>>>>>> hi *,
>>>>>>> 
>>>>>>> IMHO providers that strictly follow rfc6749 are vulnerable to open
>>>>>>> redirect.
>>>>>>> Let me explain, reading [0]
>>>>>>> 
>>>>>>> If the request fails due to a missing, invalid, or mismatching
>>>>>>> redirection URI, or if the client identifier is missing or invalid,
>>>>>>> the authorization server SHOULD inform the resource owner of the
>>>>>>> error and MUST NOT automatically redirect the user-agent to the
>>>>>>> invalid redirection URI.
>>>>>>> 
>>>>>>> If the resource owner denies the access request or if the request
>>>>>>> fails for reasons other than a missing or invalid redirection URI,
>>>>>>> the authorization server informs the client by adding the following
>>>>>>> parameters to the query component of the redirection URI using the
>>>>>>> "application/x-www-form-urlencoded" format, perAppendix B
>>>>>>> <https://tools.ietf.org/html/rfc6749#appendix-B>:
>>>>>>> 
>>>>>>> Now let’s assume this.
>>>>>>> I am registering a new client to thevictim.com
>>>>>>> <http://victim.com/><http://victim.com <http://victim.com/>>
>>>>>>> <http://victim.com <http://victim.com/>>
>>>>>>> provider.
>>>>>>> I register redirect uriattacker.com
>>>>>>> <http://attacker.com/><http://attacker.com <http://attacker.com/>>
>>>>>>> <http://attacker.com <http://attacker.com/>>.
>>>>>>> 
>>>>>>> According to [0] if I pass e.g. the wrong scope I am redirected
>>>>>>> back to
>>>>>>> attacker.com <http://attacker.com/><http://attacker.com
>>>>>>> <http://attacker.com/>> <http://attacker.com <http://attacker.com/>>.
>>>>>>> Namely I prepare a url that is in this form:
>>>>>>> 
>>>>>>> http://victim.com/authorize?response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRONG_SCOPE&redirect_uri=http://attacker.com
>>>>>>> 
>>>>>>> and this is works as an open redirector.
>>>>>>> Of course in the positive case if all the parameters are fine this
>>>>>>> doesn’t apply since the resource owner MUST approve the app via the
>>>>>>> consent screen (at least once).
>>>>>>> 
>>>>>>> A solution would be to return error 400 rather than redirect to the
>>>>>>> redirect URI (as some provider e.g. Google do)
>>>>>>> 
>>>>>>> WDYT?
>>>>>>> 
>>>>>>> regards
>>>>>>> 
>>>>>>> antonio
>>>>>>> 
>>>>>>> [0] https://tools.ietf.org/html/rfc6749#section-4.1.2.1
>>>>>>> 
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>>>>>> 
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org><mailto:OAuth@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>> 
>>> --
>>> Hans Zandbelt              | Sr. Technical Architect
>>> hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com>| Ping
>>> Identity
>> 
> 
> -- 
> Hans Zandbelt              | Sr. Technical Architect
> hzandbelt@pingidentity.com | Ping Identity

v2.23.0 | Report a Bug | By Email