Re: [OAUTH-WG] redirect uri and portals
Aaron Parecki <aaron@parecki.com> Mon, 06 March 2023 19:29 UTC
Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DC2AC151B0F for <oauth@ietfa.amsl.com>; Mon, 6 Mar 2023 11:29:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KUrNlE6ZpiPX for <oauth@ietfa.amsl.com>; Mon, 6 Mar 2023 11:29:51 -0800 (PST)
Received: from mail-vs1-xe35.google.com (mail-vs1-xe35.google.com [IPv6:2607:f8b0:4864:20::e35]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 221E6C151AE2 for <oauth@ietf.org>; Mon, 6 Mar 2023 11:29:50 -0800 (PST)
Received: by mail-vs1-xe35.google.com with SMTP id by13so10213042vsb.3 for <oauth@ietf.org>; Mon, 06 Mar 2023 11:29:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki.com; s=google; t=1678130989; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=2pBuYYDQI/NeLXMjh1AmbK2BRAXLPRKFRXZZUThhrEk=; b=b7VjxkeLgtwPOo8sJEMyn4COvihqjuU1l/PF4MWvIq1TOLGoHcpX3qxwOcxCSXu+oi 9CtqFI2yXjoVnCrD3nN9crvfRv9Fq8vIq/P0IlJyEf1yj7DlC3UQ3JX2wy+u8zft1Xzu pEJPN1gsJwSt4CTNIo2FfyTlsQD+QNHSCk5yBlWFL3U9+khiWMPGS/l8bA5wStLAFKYX zUxVRPmym6XngctSZF9fWU1QhXjY1UnFqo0c1OM5ihISMTQgEht8nZLUa9voWYRSXlos XwiubbHk3GdpHM+lzy7sF3Sf+DtmpjWEjyC19szfimSe/HBb1KpBJf61JuiJTngRSbVA JTvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678130989; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=2pBuYYDQI/NeLXMjh1AmbK2BRAXLPRKFRXZZUThhrEk=; b=N5EP9COAOuiKhyYe/qGCwlzW7BwLPpbSaaGS1ktgCAoexOZpM6c5rXzI1w1/MMCfnX e8diliuDwVEEd2OYYPZg+PSa12gr0dRy30ygDsI9hKsSkU4H3lTSJHw7SskfTmD0XTPB sdCKVoI8/NVszeI5wkXo+8dumDzKOVWg/XfvPJ7507nMvCwSE/HTE53PHRL6pMUwQ6e+ bfKcZ5vCp5dmz6liJwmTEPpp+y534LVPhH3y6TyPvQ+FfUmTy6FrRdkrG3U058As/URJ eC4bKRMdjag8gEw9agC4lLeS1ZqZUGrK6ZX64QErqS01iEQdOCOS5ovHb1a7B9r5ad1C nEzQ==
X-Gm-Message-State: AO0yUKWye1xfnCc1uINaC1y+V3uqlnP8KO5VM7fRivsj4ued9+ekLDrZ ZPXxYELtV/hEIHrz5ry639isfy/k9y3Sifnprv4=
X-Google-Smtp-Source: AK7set+JlI+BPTOg2+0K/hw7jbGQau9VfBNrV7FEREE+lrVbi2gFR+LnZYgvw4TFF+HPycsoVZrJtQ==
X-Received: by 2002:a05:6102:3ec7:b0:3f1:15db:ad81 with SMTP id n7-20020a0561023ec700b003f115dbad81mr7029858vsv.32.1678130988964; Mon, 06 Mar 2023 11:29:48 -0800 (PST)
Received: from mail-vs1-f44.google.com (mail-vs1-f44.google.com. [209.85.217.44]) by smtp.gmail.com with ESMTPSA id v25-20020ab05599000000b00652d81de1absm1227640uaa.29.2023.03.06.11.29.48 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 06 Mar 2023 11:29:48 -0800 (PST)
Received: by mail-vs1-f44.google.com with SMTP id o32so10184223vsv.12 for <oauth@ietf.org>; Mon, 06 Mar 2023 11:29:48 -0800 (PST)
X-Received: by 2002:a67:b04d:0:b0:421:947e:4470 with SMTP id q13-20020a67b04d000000b00421947e4470mr8065969vsh.2.1678130987840; Mon, 06 Mar 2023 11:29:47 -0800 (PST)
MIME-Version: 1.0
References: <CALNQ_jKjTQt+6YaJBXTPJNv-LkvpPxdeJ7w_1jBinBfa6H5M7Q@mail.gmail.com> <CAEFJvapugLJ_b0wNjQrC=1i+WnhZdAjdyECVE4hUuMBBRrWYbw@mail.gmail.com>
In-Reply-To: <CAEFJvapugLJ_b0wNjQrC=1i+WnhZdAjdyECVE4hUuMBBRrWYbw@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Mon, 06 Mar 2023 11:29:36 -0800
X-Gmail-Original-Message-ID: <CAGBSGjok5BQhS+N3oQtvB2LpRsgPBVHFC8HJ2sBJD5-RmrbfSw@mail.gmail.com>
Message-ID: <CAGBSGjok5BQhS+N3oQtvB2LpRsgPBVHFC8HJ2sBJD5-RmrbfSw@mail.gmail.com>
To: Vittorio Bertocci <vittorio=40auth0.com@dmarc.ietf.org>
Cc: Yannick Majoros <yannick@valuya.be>, OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006aba1f05f64051c8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZMKqdQhVvxyl8fBz-tFCOQvVYoM>
Subject: Re: [OAUTH-WG] redirect uri and portals
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Mar 2023 19:29:55 -0000
I have also seen what you describe in 2, as well as a variation of that, which is to encode the redirect in the "state" parameter, as described (briefly) in RFC6749 https://www.rfc-editor.org/rfc/rfc6749#section-3.1.2.2 Note that using "state" to carry this redirect should only be done with a fixed list of destinations or by using a signed "state" value like encapsulating it in a JWT in order to avoid creating an open redirector: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.10.1 There is even a claim described in the (expired) JWT-encoded state draft to specify this redirect target: https://datatracker.ietf.org/doc/html/draft-bradley-oauth-jwt-encoded-state-09#section-2 Aaron On Mon, Mar 6, 2023 at 9:28 AM Vittorio Bertocci <vittorio= 40auth0.com@dmarc.ietf.org> wrote: > In my experience the most common solution, adopted by many SDKs, is based > on 2. > Where you redirect after you concluded the token acquisition ceremony is a > private consideration for your app, that shouldn’t interfere with how the > client is registered. Oauth offers you the chance to store and retrieve > state, you can use that to save the initial requested URL and redirect to > it after the fact. If you are concerned with injections, you can always > sign/encryp the state to protect it from tampering. > All of the above is mainstream, you can observe the traffic from popular > SDKs to see how that works. > HTH > V. > > On Mon, Mar 6, 2023 at 09:12 Yannick Majoros <yannick@valuya.be> wrote: > >> *This message originated outside your organization.* >> >> ------------------------------ >> >> Hello, >> >> From my understanding, OAuth 2 as well as 2.1 do not allow for wildcards >> in redirect_uri . Now, a common requirement for a portal or company-wide >> website, where multiple applications are deployed, is to be able to login >> and come back to the page from which the login was triggered. >> >> How can this be achieved securely with OAuth? >> >> Some options: >> 1) passing a parameter, say *callback_uri*, around from auth request >> back to redirect from auth server. >> 2) storing some state, e.g. in session storage, and redirect after login >> 3) violating the specifications and just use a redirect uri with a >> wildcard in the last part (some implementations, like keycloak, allow that) >> >> 1) and 2) are kind of similar IMO: the application has to validate >> whatever context comes and redirect to the right page, akin to deep linking >> But then, outside of some extra validation, I'd prefer to have a standard >> mechanism (less bypassing the restrictions) as redirect uri than to >> reinvent the wheel for each application, which is what that kind of >> callback url does. Also, I'm not sure why that extra validation would >> improve things in practice: if there is a vulnerability in the application >> routing code leading to some vulnerable redirect, wouldn't it just be >> duplicated in that validation step? >> >> So, I'm tempted to go for 3, knowing we would have those mitigations: >> - checking at authorization server whether the redirect is to the same >> uri the request originally came from >> - PKCE will restrict reuse of the authorization code anyway >> >> What are your thoughts on how to implement that quite common feature? >> >> Best regards, >> -- >> Yannick Majoros >> Valuya sprl >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] redirect uri and portals Yannick Majoros
- Re: [OAUTH-WG] redirect uri and portals Vittorio Bertocci
- Re: [OAUTH-WG] redirect uri and portals Aaron Parecki
- Re: [OAUTH-WG] redirect uri and portals Yannick Majoros
- Re: [OAUTH-WG] redirect uri and portals Aaron Parecki
- Re: [OAUTH-WG] redirect uri and portals Yannick Majoros
- Re: [OAUTH-WG] redirect uri and portals Rodrigo Speller
- Re: [OAUTH-WG] redirect uri and portals Yannick Majoros
- Re: [OAUTH-WG] redirect uri and portals Karsten Meyer zu Selhausen
- Re: [OAUTH-WG] redirect uri and portals Jaimandeep Singh
- Re: [OAUTH-WG] redirect uri and portals Neil Madden
- Re: [OAUTH-WG] redirect uri and portals Hans Zandbelt
- Re: [OAUTH-WG] redirect uri and portals Yannick Majoros
- Re: [OAUTH-WG] redirect uri and portals Hannes Tschofenig
- Re: [OAUTH-WG] redirect uri and portals Yannick Majoros
- Re: [OAUTH-WG] redirect uri and portals Karsten Meyer zu Selhausen
- Re: [OAUTH-WG] redirect uri and portals Karsten Meyer zu Selhausen
- Re: [OAUTH-WG] redirect uri and portals Jaimandeep Singh