Re: [OAUTH-WG] open redirect in rfc6749

Antonio Sanso <asanso@adobe.com> Wed, 03 September 2014 17:54 UTC

Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9739C1A0416 for <oauth@ietfa.amsl.com>; Wed, 3 Sep 2014 10:54:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PrzBmXkMYwVT for <oauth@ietfa.amsl.com>; Wed, 3 Sep 2014 10:54:06 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (dns-bn1lp0143.outbound.protection.outlook.com [207.46.163.143]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA6031A0369 for <oauth@ietf.org>; Wed, 3 Sep 2014 10:54:05 -0700 (PDT)
Received: from CO1PR02MB206.namprd02.prod.outlook.com (10.242.165.144) by CO1PR02MB205.namprd02.prod.outlook.com (10.242.165.139) with Microsoft SMTP Server (TLS) id 15.0.1015.17; Wed, 3 Sep 2014 17:54:03 +0000
Received: from CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.122]) by CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.8]) with mapi id 15.00.1015.018; Wed, 3 Sep 2014 17:54:02 +0000
From: Antonio Sanso <asanso@adobe.com>
To: Hans Zandbelt <hzandbelt@pingidentity.com>
Thread-Topic: [OAUTH-WG] open redirect in rfc6749
Thread-Index: AQHPx43Iqm72AKs/tk+aoXIbGajW5JvvlAWAgAABL4CAAAjogIAAAV6AgAABUQCAAAP4AIAAARkAgAAHYQCAAAO5AA==
Date: Wed, 03 Sep 2014 17:54:02 +0000
Message-ID: <848F15BD-894D-48C6-B901-B5565BDE4C08@adobe.com>
References: <756EEB25-89E8-4445-9DA0-5522787D51AB@adobe.com> <54073D6F.6070203@redhat.com> <7A3A12C9-2A3B-48B1-BD5D-FD467EA03EE8@ve7jtb.com> <58148F80-C2DD-45C5-8D6F-CED74A90AA75@adobe.com> <5407470B.2010904@pingidentity.com> <25055629-26A9-478D-AE7A-3C295E3166EE@adobe.com> <54074B7A.7080907@pingidentity.com> <43A8E8A6-BA9B-4501-8CA3-28943236EADB@adobe.com> <54075296.9090007@pingidentity.com>
In-Reply-To: <54075296.9090007@pingidentity.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [178.83.47.250]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;UriScan:;
x-forefront-prvs: 032334F434
x-forefront-antispam-report: SFV:NSPM; SFS:(199003)(24454002)(189002)(51444003)(479174003)(377454003)(46102001)(107046002)(106116001)(19580395003)(83716003)(15202345003)(90102001)(74502001)(77982001)(105586002)(36756003)(79102001)(2656002)(21056001)(4396001)(93886004)(83322001)(587094003)(16601075003)(85852003)(15395725005)(19580405001)(87936001)(76482001)(101416001)(64706001)(16236675004)(80022001)(50986999)(82746002)(99286002)(76176999)(20776003)(81342001)(19617315012)(92566001)(92726001)(86362001)(81542001)(33656002)(31966008)(106356001)(83072002)(77096002)(15975445006)(74662001)(85306004)(54356999)(99396002)(95666004)(110136001)(66066001)(104396001); DIR:OUT; SFP:; SCL:1; SRVR:CO1PR02MB205; H:CO1PR02MB206.namprd02.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
Content-Type: multipart/alternative; boundary="_000_848F15BD894D48C6B901B5565BDE4C08adobecom_"
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/iGll1TT_QE5nP7uSzC9jCLouVgw
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] open redirect in rfc6749
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Sep 2014 17:54:09 -0000

Well,
I do not know if this is only dynamic registration...
let’s talk about real use cases, namely e.g. Google , Facebook , etc.. is that dynamic client registration? I do not know… :)

Said that what the other guys think?  :)
Would this deserve some “spec adjustment” ? I mean there is a reason if Google is by choice “violating” the spec right? (I assume to avoid open redirect…)
But other implementers do follow the spec hence they have this open redirector… and this is not nice IMHO...


On Sep 3, 2014, at 7:40 PM, Hans Zandbelt <hzandbelt@pingidentity.com<mailto:hzandbelt@pingidentity.com>> wrote:

On 9/3/14, 7:14 PM, Antonio Sanso wrote:

On Sep 3, 2014, at 7:10 PM, Hans Zandbelt <hzandbelt@pingidentity.com<mailto:hzandbelt@pingidentity.com>> wrote:

Is your concern clients that were registered using dynamic client registration?

yes

I think your issue is then with the trust model of dynamic client registration; that is left out of scope of the dynreg spec (and the concept is not even part of the core spec), but unless you want everything to be open (which typically would not be the case), then it would involve approval somewhere in the process before the client is registered. Without dynamic client registration that approval is admin based or resource owner based, depending on use case.

Otherwise the positive case is returning a response to a valid URL that belongs to a client that was registered explicitly by the resource owner

well AFAIK the resource owner doesn’t register clients…

roles can collapse in use cases especially when using dynamic client registration

and the negative case is returning an error to that same URL.

the difference is the consent screen… in the positive case you need to approve an app.. for the error case no approval is needed,,,


I fail to see the open redirect.

why?

because the client and thus the fixed URL are explicitly approved at some point

Hans.



Hans.

On 9/3/14, 6:56 PM, Antonio Sanso wrote:

On Sep 3, 2014, at 6:51 PM, Hans Zandbelt <hzandbelt@pingidentity.com<mailto:hzandbelt@pingidentity.com>
<mailto:hzandbelt@pingidentity.com>> wrote:

Let me try and approach this from a different angle: why would you
call it an open redirect when an invalid scope is provided and call it
correct protocol behavior (hopefully) when a valid scope is provided?

as specified below in the positive case (namely when the correct scope
is provided) the resource owner MUST approve the app via the consent
screen (at least once).



Hans.

On 9/3/14, 6:46 PM, Antonio Sanso wrote:
hi John,
On Sep 3, 2014, at 6:14 PM, John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>
<mailto:ve7jtb@ve7jtb.com>
<mailto:ve7jtb@ve7jtb.com>> wrote:

In the example the redirect_uri is vlid for the attacker.

The issue is that the AS may be allowing client registrations with
arbitrary redirect_uri.

In the spec it is unspecified how a AS validates that a client
controls the redirect_uri it is registering.

I think that if anything it may be the registration step that needs
the security consideration.

(this is the first time :p) but I do disagree with you. It would be
pretty unpractical to block this at registration time….
IMHO the best approach is the one taken from Google, namely returning
400 with the cause of the error..

*400.* That’s an error.

*Error: invalid_scope*

Some requested scopes were invalid. {invalid=[l]}

said that I hope you all agree this is an issue in the spec so far….

regards

antonio


John B.

On Sep 3, 2014, at 12:10 PM, Bill Burke <bburke@redhat.com<mailto:bburke@redhat.com>
<mailto:bburke@redhat.com>
<mailto:bburke@redhat.com>> wrote:

I don't understand.  The redirect uri has to be valid in order for a
redirect to happen.  The spec explicitly states this.

On 9/3/2014 11:43 AM, Antonio Sanso wrote:
hi *,

IMHO providers that strictly follow rfc6749 are vulnerable to open
redirect.
Let me explain, reading [0]

If the request fails due to a missing, invalid, or mismatching
redirection URI, or if the client identifier is missing or invalid,
the authorization server SHOULD inform the resource owner of the
error and MUST NOT automatically redirect the user-agent to the
invalid redirection URI.

If the resource owner denies the access request or if the request
fails for reasons other than a missing or invalid redirection URI,
the authorization server informs the client by adding the following
parameters to the query component of the redirection URI using the
"application/x-www-form-urlencoded" format, perAppendix B
<https://tools.ietf.org/html/rfc6749#appendix-B>:

Now let’s assume this.
I am registering a new client to thevictim.com<http://thevictim.com>
<http://victim.com/><http://victim.com <http://victim.com/>>
<http://victim.com <http://victim.com/>>
provider.
I register redirect uriattacker.com<http://uriattacker.com>
<http://attacker.com/><http://attacker.com <http://attacker.com/>>
<http://attacker.com <http://attacker.com/>>.

According to [0] if I pass e.g. the wrong scope I am redirected
back to
attacker.com<http://attacker.com> <http://attacker.com/><http://attacker.com
<http://attacker.com/>> <http://attacker.com <http://attacker.com/>>.
Namely I prepare a url that is in this form:

http://victim.com/authorize?response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRONG_SCOPE&redirect_uri=http://attacker.com

and this is works as an open redirector.
Of course in the positive case if all the parameters are fine this
doesn’t apply since the resource owner MUST approve the app via the
consent screen (at least once).

A solution would be to return error 400 rather than redirect to the
redirect URI (as some provider e.g. Google do)

WDYT?

regards

antonio

[0] https://tools.ietf.org/html/rfc6749#section-4.1.2.1


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org><mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth



_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


--
Hans Zandbelt              | Sr. Technical Architect
hzandbelt@pingidentity.com<mailto:hzandbelt@pingidentity.com> <mailto:hzandbelt@pingidentity.com>| Ping
Identity


--
Hans Zandbelt              | Sr. Technical Architect
hzandbelt@pingidentity.com<mailto:hzandbelt@pingidentity.com> | Ping Identity


--
Hans Zandbelt              | Sr. Technical Architect
hzandbelt@pingidentity.com<mailto:hzandbelt@pingidentity.com> | Ping Identity