IETF Logo Mail Archive

Re: [OAUTH-WG] Redirection in authorization code flow: GET vs POST

Jim Manico <jim@manicode.com> Sat, 12 August 2017 14:55 UTC

Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5C65132452 for <oauth@ietfa.amsl.com>; Sat, 12 Aug 2017 07:55:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r2JuQJkeC-DP for <oauth@ietfa.amsl.com>; Sat, 12 Aug 2017 07:55:07 -0700 (PDT)
Received: from mail-oi0-x22a.google.com (mail-oi0-x22a.google.com [IPv6:2607:f8b0:4003:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF1FD13241F for <oauth@ietf.org>; Sat, 12 Aug 2017 07:55:07 -0700 (PDT)
Received: by mail-oi0-x22a.google.com with SMTP id x3so55019197oia.1 for <oauth@ietf.org>; Sat, 12 Aug 2017 07:55:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode-com.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=jeVHouVWUeg0DKaX20iVAzEHXrK4Lqcb9eKceC4BYYk=; b=hxHK90Hu5XiykKP2vM/Ueyvc0NcVwOaMhk73CERXrhtg8BcXuhxWMxu+pm1+eCVhAY EWZ18X4wMG1JGsaCh3PxZtBlAiqRHN4D/JkHu2G9lem1MvHwj1heL1Oezr5quz3tBNWF BUGnruyjaof6Lib9FJbC8/uMHvb/eAdJm708Rn/QYin8BVt+Nl+Q/fj8NGKCMAXTa1bb ZePIv9WgjrHiQ3F8x3tAxpTKqAaAcJYV8C1L6Le2reg0rfFV02LkQaX108f6/EQh6QsW hoT+CbaWrEVi5RB0PtXt/Ti8oY5dfsbrJW0DFIyXQ41EjIdKUrsnVooZN++WfuFa/zDo eKIg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=jeVHouVWUeg0DKaX20iVAzEHXrK4Lqcb9eKceC4BYYk=; b=n0ooiwvTejc8uIM/v1f0uxDmPEUQxJNbie8dc38Pj+S7MGAgCYvcCt6Q9Y5DsOHiQl 6Cr7ay/BZXJWgJSnULOLCfLvnYETdtrkKJr1uB7P6tOFyANdmSsCeuADdjO7YjxOBTFI WpXebdJs08v7yAliHgOABcy4UCxPeDmVeJ89CsB4wLNAXxD2qcSfEFsF/CMbQAsmvatE yea4yrdCaSN4z9BZ+9oUn8jQUmBxfqd+1T39k8jO/U3f31/eUXMJAdtt8R+BfRm2yUuj i8+hxzEwMRaZ7ZZ+EyZGXQ8wg/RKIXzaISwghCBCv40nv4wejsJ02qEDgiU971EatHpr /1oA==
X-Gm-Message-State: AHYfb5guWhkfxpB7fBzE0pFuKRGPa/Am1fAUNr92RbMkQYPfnJa/Oqw6 C39G84yiDtYl3ay32J5Okg==
X-Received: by 10.202.205.80 with SMTP id d77mr20827649oig.13.1502549706737; Sat, 12 Aug 2017 07:55:06 -0700 (PDT)
Received: from heembo.local ([12.197.53.130]) by smtp.googlemail.com with ESMTPSA id p127sm3816689oic.48.2017.08.12.07.55.04 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 12 Aug 2017 07:55:05 -0700 (PDT)
To: John Bradley <ve7jtb@ve7jtb.com>, Josh Mandel <jmandel@gmail.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
References: <CANSMLKFFGitCa6f5bqR=Ks-kqf_t=3poFwCMWTtJ=MyvNKUL3A@mail.gmail.com> <CANSMLKGV6O7rJJPtPxP44598rz-RXt4rqt0kGrvtUKsN2DD_jw@mail.gmail.com> <C1EC66B5-5171-4393-ABA5-C3B36C5FB9F4@ve7jtb.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <41d07f67-bb16-1a82-95cb-00b898a5cba2@manicode.com>
Date: Sat, 12 Aug 2017 09:55:03 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <C1EC66B5-5171-4393-ABA5-C3B36C5FB9F4@ve7jtb.com>
Content-Type: multipart/alternative; boundary="------------DD191A6389D154D1AAED0C3F"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/a2U9NMVjxYZTi4SquWnG1XFVnto>
Subject: Re: [OAUTH-WG] Redirection in authorization code flow: GET vs POST
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Aug 2017 14:55:10 -0000

> The _*safest*_ thing for a client is to accept both. 

I politely (and strongly) disagree with this statement. The safest thing
for a client is to only accept POST or other verbs where any kind of
sensitive data is NOT kept in the URL. Sensitive data in URL's leak like
a sieve, even over HTTPS.

Respectfully,
Jim



On 8/11/17 3:18 PM, John Bradley wrote:
> OpenID Connect formally defined a POST response mode.
>
> http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
>
> The OAuth 2 spec docent preclude it.  
>
> The safest thing for a client is to accept both.  
> The main advantages of POST is that it docent leak in the referrer,
> and can handle larger responses without the browser choking in some cases.
>
> Size is more of an issue in Connect where a id_token may be returned
> in the front channel and POST allows for the larger response without
> the client needing to have JS extract the fragment.
>
> That is why Connect defined it and OAuth largely assumes that for code
> get is OK.
> For security GET responses should add headers to prevent referrer from
> leaking the code.
>
> We are adding advice on that to the Security document that is being
> updated now.
>
> John B.
>
>
>> On Aug 11, 2017, at 4:08 PM, Josh Mandel <jmandel@gmail.com
>> <mailto:jmandel@gmail.com>> wrote:
>>
>> Fixing my "with this technique" url: it should have been
>> https://gist.github.com/jmandel/4704d1efed8578a67a6f9b600ffd0c63 .
>>
>> On Fri, Aug 11, 2017 at 4:00 PM, Josh Mandel <jmandel@gmail.com
>> <mailto:jmandel@gmail.com>> wrote:
>>
>>     Hi All,
>>
>>     I've just encountered a server that performs a redirect (back to
>>     the client's redirect_uri) via POST instead of GET. This was
>>     surprising behavior to me and broke my client implementation —
>>     but citing chapter and verse, the server developer pointed out
>>     that https://tools.ietf.org/html/rfc6749#section-1.7
>>     <https://tools.ietf.org/html/rfc6749#section-1.7> says 
>>
>>         While the examples in this specification show the use of the
>>         HTTP 302 status code, any other method available via the
>>         user-agent to accomplish this redirection is allowed and is
>>         considered to be an implementation detail.
>>
>>
>>     Is triggering a POST-based redirect (e.g. with this technique
>>     <https://gist.github.com/jmandel/4704d1efed8578a67a6f9b600ffd0c63%29>)
>>     to the redirect_url (including url query parameters for state and
>>     code) indeed considered a "method available via the user-agent to
>>     accomplish this redirection"? In other words, should a
>>     well-behaved OAuth client be prepared to receive GETs as well as
>>     POSTs to its redirect_uri? If so, what would be the
>>     considerations for a server choosing between GET and POST?
>>
>>     Best,
>>
>>       Josh
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Jim Manico
Manicode Security
https://www.manicode.com

v2.23.0 | Report a Bug | By Email