Re: [OAUTH-WG] redirect uri and portals

Yannick Majoros <yannick@valuya.be> Tue, 07 March 2023 14:57 UTC

References: <CALNQ_jKjTQt+6YaJBXTPJNv-LkvpPxdeJ7w_1jBinBfa6H5M7Q@mail.gmail.com> <CAEFJvapugLJ_b0wNjQrC=1i+WnhZdAjdyECVE4hUuMBBRrWYbw@mail.gmail.com> <CALNQ_jJL17KMTJeam2z72wTyFkA8JaMGtgjftyqgNH3jqgRf-Q@mail.gmail.com> <CAGBSGjosL7pK8_EKYUDg4FbQRdi9m2NiA6meAhDHRsWtODFK0g@mail.gmail.com> <CALNQ_j+sc8gWEk-Z+v2dFoVY5MuzvaYL7b7Mz0Y93tioDZGepA@mail.gmail.com> <CADom2f1Z22cHrkdsh2o9yRDY-6_qMhDT-YL7Mh40yVocbsJffg@mail.gmail.com> <CALNQ_jKYmETH=1hZU_A__-KdyiT3-6e3f+2fvtBEiVsTRx2MYw@mail.gmail.com> <29858dbc-1436-a4e2-8f79-79d4b257d8f4@hackmanit.de> <CALNQ_j+Cxk1-wh6pRzLpO1V6kZh66k0V47Na0AaSFcEV-Oa+8w@mail.gmail.com> <240b81c2-23dd-865e-1fd5-c02e1a51b137@gmx.net>
In-Reply-To: <240b81c2-23dd-865e-1fd5-c02e1a51b137@gmx.net>
From: Yannick Majoros <yannick@valuya.be>
Date: Tue, 07 Mar 2023 15:57:33 +0100
Message-ID: <CALNQ_j+sO_si6_DCgGWpRU3NTeZa49QvfEDT6QMHZqd288VG3A@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>, OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZQYDzXNmLmvWq16NrCrYMljh9hc>
Subject: Re: [OAUTH-WG] redirect uri and portals

I'm still missing the point:
- any key used to sign or encrypt the state... is state itself
- if we can store that key (or anything, like a URL to go back to after
login), why bother passing the state around?


On Tue, 7 Mar 2023 at 15:07, Hannes Tschofenig <hannes.tschofenig@gmx.net>
wrote:

> Hi Yannick,
>
>
> On 07.03.2023 at 14:25, Yannick Majoros wrote:
>
> One possible solution: Store the redirect information in a signed JWT and
> place the JWT in the state parameter. I don't think this is written
> somewhere in the security BCP but I think this is a solution used in the
> wild by multiple clients.
>
>
> Section 4.7.1 of the security BCP lists this solution as one possible
> countermeasure:
>
>    - If state is used for carrying application state, and integrity of its
>      contents is a concern, clients MUST protect state against tampering
>      and swapping. This can be achieved by binding the contents of state to
>      the browser session and/or signed/encrypted state values as discussed
>      in the now-expired draft [I-D.bradley-oauth-jwt-encoded-state]
>      (https://www.ietf.org/archive/id/draft-bradley-oauth-jwt-encoded-state-09.txt).
>
>    (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.7.1-3.2.1)
>
>
> The referenced draft has, however, expired:
> https://www.ietf.org/archive/id/draft-bradley-oauth-jwt-encoded-state-09.txt
>
>
> Ciao
>
> Hannes

-- 
Yannick Majoros
Valuya sprl
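Editor's added example, not part of the thread and not code from any of its participants: a minimal OAuth client helper that carries the post-login return URL in a signed state value bound to the browser session, the countermeasure the quoted Security BCP text describes. It hand-rolls an HS256 JWT with the standard library so it runs offline. The client secret, the allow-listed return host, the TTL and the claim names (`rfp`, `target_link_uri`) are assumptions chosen for this example. Note that the only thing the client has to store is one long-lived signing key loaded from configuration plus a per-session nonce; the return URL itself travels in the state parameter.

```python
# Added example (not from the thread): signed, session-bound OAuth "state"
# carrying the application's return URL. HS256 JWT built by hand, stdlib only.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlparse

# Assumption: one long-lived client-side secret, loaded from configuration.
STATE_KEY = b"assumed-client-side-secret-load-from-config"
# Assumption: the only host the client is willing to return the user to.
ALLOWED_RETURN_HOSTS = {"portal.example.com"}
STATE_TTL_SECONDS = 600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(STATE_KEY, signing_input, hashlib.sha256).digest()


def build_state(return_to: str, session_nonce: str, now: Optional[float] = None) -> str:
    """Encode the return URL in an HS256 JWT bound to the browser session.

    session_nonce is a random value kept in the user's cookie/session, so a
    state minted in one browser cannot be swapped into another one.
    """
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "rfp": session_nonce,          # assumed claim name: session binding
        "target_link_uri": return_to,  # assumed claim name: where to go after login
        "iat": int(now),
        "exp": int(now) + STATE_TTL_SECONDS,
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    return signing_input + "." + _b64url(_sign(signing_input.encode("ascii")))


def verify_state(state: str, session_nonce: str, now: Optional[float] = None) -> Optional[str]:
    """Return the validated return URL, or None if the state must be rejected."""
    now = time.time() if now is None else now
    parts = state.split(".")
    if len(parts) != 3:
        return None
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        sig = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: never let the token choose it ("none", key confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(sig, _sign(signing_input)):
        return None  # tampered or forged
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) < now:
        return None  # malformed or stale
    if not hmac.compare_digest(str(payload.get("rfp", "")).encode(), session_nonce.encode()):
        return None  # minted for a different browser session (swapped state)
    return_to = str(payload.get("target_link_uri", ""))
    # A valid signature proves the client wrote it, not that the URL is safe to
    # follow; the client still only redirects to allow-listed https hosts.
    parsed = urlparse(return_to)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_RETURN_HOSTS:
        return None
    return return_to


if __name__ == "__main__":
    nonce = secrets.token_urlsafe(16)  # would live in the session cookie
    st = build_state("https://portal.example.com/app/dashboard", nonce)
    print("state =", st)
    print("return_to =", verify_state(st, nonce))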