[OAUTH-WG] OAuth v2-18 comment on "state" parameter
Bob Van Zant <bob@veznat.com> Fri, 15 July 2011 15:35 UTC
Hi everyone,
I'm in the process of implementing OAuth and I'm a little concerned
about the "state" parameter that a client can send as part of the
authorization request. The spec says that the value is opaque and that
I need to accept, store, and reply with exactly what the client sent
me. Can we impose some restrictions on the type of data a client can
send?
The reason is that I don't necessarily trust the clients of my API to
properly deal with sanitizing data. If someone steals a client_id (not
hard) and puts something malicious into the state field I'll happily
redirect the resource owner to my client's site with malicious data in
state. If the client does not properly handle this malicious data
(there's an established track record here) then I've opened my
customer (the resource owner) to an attack.
Did I miss something in the spec where it limits what this variable
can be? If not I'd like to propose that we limit this field to a set
of characters that are safe. [a-zA-Z0-9_-]{0,100}
The authorization server would validate that the state field contains
only those characters and if not SHOULD show the resource owner an
error (consistent with section 4.1.2.1, paragraph 1 and others).
Thank you for all of your hard work on this spec to date and thanks
for your consideration of my comments.
-Bob
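An added illustration of the check proposed in the message above (example code, not part of the post or of the OAuth specification): the authorization server validates `state` against the proposed character class and refuses with an error when it does not match, and when it does redirect it percent-encodes the value into the query string, which is what keeps a hostile `state` from breaking out of the redirect URI regardless of what the client does later. The host `client.example` and the authorization code value are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Character class from the proposal: letters, digits, '_' and '-', at most 100 chars.
# fullmatch() is used instead of '$' so a trailing newline cannot slip through.
STATE_PATTERN = re.compile(r"[a-zA-Z0-9_-]{0,100}")


def state_is_acceptable(state):
    """True when the client-supplied state satisfies the proposed restriction."""
    return STATE_PATTERN.fullmatch(state) is not None


def build_redirect(redirect_uri, code, state):
    """Build the authorization response redirect for a registered redirect_uri.

    state is reflected exactly as received, but urlencode() percent-encodes it,
    so '<', '&', '"' and friends cannot terminate the query string or inject
    extra parameters on the way back to the client.
    """
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)  # keep client's own params
    query.append(("code", code))
    if state is not None:
        query.append(("state", state))
    # Authorization responses carry no fragment, so it is left empty.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def authorize(redirect_uri, code, state, enforce_charset=True):
    """Decide the authorization response for a given state value.

    With enforce_charset=True the server behaves as proposed: a state outside
    the allowed set yields an error shown to the resource owner instead of a
    redirect. With enforce_charset=False it behaves as the draft describes
    (opaque value echoed back), relying on encoding alone.
    """
    if enforce_charset and state is not None and not state_is_acceptable(state):
        return {"error": "invalid_request",
                "error_description": "state contains disallowed characters"}
    return {"redirect": build_redirect(redirect_uri, code, state)}


if __name__ == "__main__":
    print(authorize("https://client.example/cb?x=1", "c0de-example", "<script>&state=1"))
    print(authorize("https://client.example/cb?x=1", "c0de-example", "<script>&state=1",
                    enforce_charset=False))
```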