IETF Logo Mail Archive

Re: [OAUTH-WG] open redirect in rfc6749

Antonio Sanso <asanso@adobe.com> Tue, 16 September 2014 09:01 UTC

Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2E5D1A0455 for <oauth@ietfa.amsl.com>; Tue, 16 Sep 2014 02:01:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.554
X-Spam-Level:
X-Spam-Status: No, score=0.554 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AcraLrY7nVv1 for <oauth@ietfa.amsl.com>; Tue, 16 Sep 2014 02:01:55 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0694.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::694]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF90B1A02D9 for <oauth@ietf.org>; Tue, 16 Sep 2014 02:01:47 -0700 (PDT)
Received: from CO1PR02MB206.namprd02.prod.outlook.com (10.242.165.144) by CO1PR02MB205.namprd02.prod.outlook.com (10.242.165.139) with Microsoft SMTP Server (TLS) id 15.0.1024.12; Tue, 16 Sep 2014 09:01:24 +0000
Received: from CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.15]) by CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.112]) with mapi id 15.00.1024.012; Tue, 16 Sep 2014 09:01:23 +0000
From: Antonio Sanso <asanso@adobe.com>
To: Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] open redirect in rfc6749
Thread-Index: AQHPx43Iqm72AKs/tk+aoXIbGajW5JvvlAWAgAABL4CAAAjogIAAAV6AgAABUQCAAAP4AIAAARkAgAAHYQCAAAO5AIAAwV0AgAAbbICAAAwBgIAAAPwAgABUVwCAAAJ4AIAAA+OAgBGs+4CAAAiDgIAABXsAgAAL1wCAAAKvgIAABE6AgAABJgCAAAKlAIAAw5sA
Date: Tue, 16 Sep 2014 09:01:23 +0000
Message-ID: <3F605B05-F123-43AA-88CF-ACFC596E3D63@adobe.com>
References: <756EEB25-89E8-4445-9DA0-5522787D51AB@adobe.com> <54073D6F.6070203@redhat.com> <7A3A12C9-2A3B-48B1-BD5D-FD467EA03EE8@ve7jtb.com> <58148F80-C2DD-45C5-8D6F-CED74A90AA75@adobe.com> <5407470B.2010904@pingidentity.com> <25055629-26A9-478D-AE7A-3C295E3166EE@adobe.com> <54074B7A.7080907@pingidentity.com> <43A8E8A6-BA9B-4501-8CA3-28943236EADB@adobe.com> <54075296.9090007@pingidentity.com> <848F15BD-894D-48C6-B901-B5565BDE4C08@adobe.com> <05C25C09-598C-4D7F-A07A-C93DEC17D10B@adobe.com> <255386B5-79A1-4CD7-90E6-F3F6E23F51F8@mitre.org> <540818FD.1010202@pingidentity.com> <809F7DAB-021D-4770-9D7B-E996D0D32D45@adobe.com> <54086090.8080703@redhat.com> <342B1A81-7333-43D5-A8BC-5CBB31F7D354@adobe.com> <540865E5.5010808@pingidentity.com> <D7284EF3-C99C-43E7-9F17-B5599539B20E@adobe.com> <8B89E66C-B82B-41CB-819C-3E1C9B65A7BA@oracle.com> <5E650C1B-A3EC-49E0-9EC0-362B4957ECC1@ve7jtb.com> <C753429D-931C-419A-B226-7453C93CCCFD@oracle.com> <100DA4A7-0E88-4BAC-AD2A-EF29A9C6A950@adobe.com! > <9CE06872-7B8C-4272-8D48-DCC02881CEA3@oracle.com> <10793893-1B2B-4317-8B09-C055145865F1@adobe.com> <A40888DF-5283-4064-87EE-9D80C857B90A@oracle.com>
In-Reply-To: <A40888DF-5283-4064-87EE-9D80C857B90A@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.147.117.11]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;UriScan:;
x-forefront-prvs: 03361FCC43
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(52604005)(189002)(199003)(24454002)(479174003)(51444003)(377454003)(83716003)(101416001)(66066001)(92726001)(54356999)(82746002)(87936001)(99396002)(587094003)(15975445006)(77982003)(74662003)(80022003)(81542003)(79102003)(106116001)(81342003)(46102003)(74502003)(90102001)(50986999)(19617315012)(19580405001)(76176999)(16236675004)(2656002)(106356001)(83322001)(99286002)(21056001)(97736003)(105586002)(15395725005)(110136001)(31966008)(33656002)(20776003)(16601075003)(19580395003)(83072002)(85852003)(77096002)(4396001)(76482001)(92566001)(95666004)(64706001)(85306004)(93886004)(36756003)(15202345003)(86362001)(107046002)(104396001); DIR:OUT; SFP:1101; SCL:1; SRVR:CO1PR02MB205; H:CO1PR02MB206.namprd02.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: multipart/alternative; boundary="_000_3F605B05F12343AA88CFACFC596E3D63adobecom_"
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/k96TSVHeUdYHsEpFBN0x1oh9lJw
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] open redirect in rfc6749
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Sep 2014 09:02:00 -0000

hi Phil.
On Sep 15, 2014, at 11:21 PM, Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote:

So, let’s say you have a client that has “obtained” a client Id from a legit registered client.  How does the malicious client exploit the previously registered URL if the server only redirects to that URL?

These are the steps:

- the malicious client can registers a malicious url (attacker.com<http://attacker.com>)
- the malicious client builds a malicious request to the AS (victim.com<http://victim.com>) that looks like http://victim.com/authorize?response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRONG_SCOPE&redirect_uri=http://attacker.com

as per https://tools.ietf.org/html/rfc6749#section-4.1.2.1 the user is redirected to http://attacker.com (since the wrong parameter is the scope )

regards

antonio


Are you referring to the case Nat Sakimura previously raised where mobile app stores do not enforce custom URL registrations?

Phil

@independentid
www.independentid.com<http://www.independentid.com>
phil.hunt@oracle.com



On Sep 15, 2014, at 2:11 PM, Antonio Sanso <asanso@adobe.com> wrote:


On Sep 15, 2014, at 11:08 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

I’m not sure I understand why this is an OAuth protocol problem?

If you are starting with a false client with a false registration, everything down stream is likely invalid.

registration is not false. But the client can be a malicious one….



This seems like a registration curation (whitelisting) problem.

there is not way a whitelist can cover all the malicious uris..

regards

antonio


This is a bit like saying, how can I prove that the application on this jail-broken phone is legitimate?

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com



On Sep 15, 2014, at 1:52 PM, Antonio Sanso <asanso@adobe.com> wrote:

The problem is that a malicious client can register a malicious redirect uri and https://tools.ietf.org/html/rfc6749#section-4.1.2.1 does the rest (as previously discussed)

regards

antonio

On Sep 15, 2014, at 10:43 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

If a server accepts a URL from a client to be used as a redirect that the server doesn’t recognize or is not registered, that is an open redirect.

The specification does no allow open-redirects, it considers this a mis-configuration.

Take a look at sections 3.1.2.2 and 10.15 of RFC6749.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com



On Sep 15, 2014, at 1:00 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

There may be a problem with semantics in this discussion.

There is a redirect performed by athe authorization endpoint to a fixed uri that is pre registered with the authorization server without user prompting.

That probably doesn't fit the strict definition of a open redirector.

It may however create similar security issues in situations with relatively open registration of clients.

The largest issues are that the browser might leak information across the redirect in the fragment or referrer.  That has been used in attacks against Facebook in the past.

This is no where near the end of the world,  however we need to look at the security considerations and see if we can provide better advice to implementors.  In some cases returning a error to the browser may be best.

I don't think we need to go so far as not returning any error to the client under any circumstance.

John B.

Sent from my iPhone

On Sep 15, 2014, at 4:41 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

Simply not true.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com



On Sep 15, 2014, at 12:10 PM, Antonio Sanso <asanso@adobe.com> wrote:

hi *,

my understanding is that there is a rough consensus that if an OAuth Provider follows rfc6749 verbatim will end up having an open redirector.
My next question would be now, is there anything we can do to raise some awareness about this issue?

regards

antonio

On Sep 4, 2014, at 3:15 PM, Hans Zandbelt <hzandbelt@pingidentity.com> wrote:

I am convinced about the issue in the use case Antonio provided but I hope not to close the door on returning errors to known and trusted clients. Not sure anymore if that's possible though because the distinction can't be "registered"...

Hans.

On 9/4/14, 3:01 PM, Antonio Sanso wrote:
hi Bill
On Sep 4, 2014, at 2:52 PM, Bill Burke <bburke@redhat.com> wrote:

FWIW, Antonio convinced me and I'm going to change this in our IDM project.  Thanks Antonio.  What convinced me was that the user is probably expecting a login screen.  Since there is this expectation, it might make it a little easier for the attacker to convince the user that a spoofed login screen is real.  I know this issue can only happen with unrestricted registration, but, IMO, this proposed change doesn't really have much of an effect on usability and is even backward compatible with the current RFC.

Wouldn't it better though to never do a redirect on an invalid request and just display an error page?

thanks for sharing your thoughts :). Display an error 400 is what Google does :)

regards

antonio


On 9/4/2014 3:50 AM, Antonio Sanso wrote:
Hi Hans,

I really fail to see how this can be addressed at registration time for cases where registration is unrestricted (namely all the big Providers)

regards

antonio

On Sep 4, 2014, at 9:47 AM, Hans Zandbelt <hzandbelt@pingidentity.com> wrote:

Classifying like this must also mean that consent should not be stored until the client is considered (admin) trusted, and admin policy would interfere with user policy.

IMHO the security consideration would apply only to dynamically registered clients where registration is unrestricted; any other form would involve some form of admin/user approval at registration time, overcoming the concern at authorization time: there's no auto-redirect flow possible for unknown clients.

Hans.

On 9/4/14, 9:04 AM, Richer, Justin P. wrote:
I think this advice isn't a bad idea, though it's of course up to the AS
what an "untrusted" client really is. In practice, this is something
that was registered by a non-sysadmin type person, either a dynamically
registered client or something available through self-service
registration of some type. It's also reasonable that a client, even
dynamically registered, would be considered "trusted" if enough time has
passed and enough users have used it without things blowing up.

-- Justin

On Sep 4, 2014, at 1:26 AM, Antonio Sanso <asanso@adobe.com
<mailto:asanso@adobe.com>> wrote:

hi again *,

after thinking a bit further IMHO an alternative for the untrusted
clients can also be to always present the consent screen (at least
once) before any redirect.
Namely all providers I have seen show the consent screen if all the
request parameters are correct and if the user accepts the redirect
happens.
If one of the parameter  (with the exclusion of the client id and
redirect uri that are handled differently as for spec) is wrong though
the redirect happens without the consent screen being shown..

WDYT?

regards

antonio

On Sep 3, 2014, at 7:54 PM, Antonio Sanso <asanso@adobe.com
<mailto:asanso@adobe.com>> wrote:

Well,
I do not know if this is only dynamic registration...
let’s talk about real use cases, namely e.g. Google , Facebook ,
etc.. is that dynamic client registration? I do not know… :)

Said that what the other guys think?  :)
Would this deserve some “spec adjustment” ? I mean there is a reason
if Google is by choice “violating” the spec right? (I assume to avoid
open redirect…)
But other implementers do follow the spec hence they have this open
redirector… and this is not nice IMHO...


On Sep 3, 2014, at 7:40 PM, Hans Zandbelt <hzandbelt@pingidentity.com
<mailto:hzandbelt@pingidentity.com>> wrote:

On 9/3/14, 7:14 PM, Antonio Sanso wrote:

On Sep 3, 2014, at 7:10 PM, Hans Zandbelt
<hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com>> wrote:

Is your concern clients that were registered using dynamic client
registration?

yes

I think your issue is then with the trust model of dynamic client
registration; that is left out of scope of the dynreg spec (and the
concept is not even part of the core spec), but unless you want
everything to be open (which typically would not be the case), then
it would involve approval somewhere in the process before the client
is registered. Without dynamic client registration that approval is
admin based or resource owner based, depending on use case.

Otherwise the positive case is returning a response to a valid URL
that belongs to a client that was registered explicitly by the
resource owner

well AFAIK the resource owner doesn’t register clients…

roles can collapse in use cases especially when using dynamic client
registration

and the negative case is returning an error to that same URL.

the difference is the consent screen… in the positive case you need
to approve an app.. for the error case no approval is needed,,,


I fail to see the open redirect.

why?

because the client and thus the fixed URL are explicitly approved at
some point

Hans.



Hans.

On 9/3/14, 6:56 PM, Antonio Sanso wrote:

On Sep 3, 2014, at 6:51 PM, Hans Zandbelt
<hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com>
<mailto:hzandbelt@pingidentity.com>> wrote:

Let me try and approach this from a different angle: why would you
call it an open redirect when an invalid scope is provided and
call it
correct protocol behavior (hopefully) when a valid scope is
provided?

as specified below in the positive case (namely when the correct
scope
is provided) the resource owner MUST approve the app via the consent
screen (at least once).



Hans.

On 9/3/14, 6:46 PM, Antonio Sanso wrote:
hi John,
On Sep 3, 2014, at 6:14 PM, John Bradley <ve7jtb@ve7jtb.com
<mailto:ve7jtb@ve7jtb.com>
<mailto:ve7jtb@ve7jtb.com>
<mailto:ve7jtb@ve7jtb.com>> wrote:

In the example the redirect_uri is vlid for the attacker.

The issue is that the AS may be allowing client registrations with
arbitrary redirect_uri.

In the spec it is unspecified how a AS validates that a client
controls the redirect_uri it is registering.

I think that if anything it may be the registration step that
needs
the security consideration.

(this is the first time :p) but I do disagree with you. It would be
pretty unpractical to block this at registration time….
IMHO the best approach is the one taken from Google, namely
returning
400 with the cause of the error..

*400.* That’s an error.

*Error: invalid_scope*

Some requested scopes were invalid. {invalid=[l]}

said that I hope you all agree this is an issue in the spec so
far….

regards

antonio


John B.

On Sep 3, 2014, at 12:10 PM, Bill Burke <bburke@redhat.com
<mailto:bburke@redhat.com>
<mailto:bburke@redhat.com>
<mailto:bburke@redhat.com>> wrote:

I don't understand.  The redirect uri has to be valid in
order for a
redirect to happen.  The spec explicitly states this.

On 9/3/2014 11:43 AM, Antonio Sanso wrote:
hi *,

IMHO providers that strictly follow rfc6749 are vulnerable
to open
redirect.
Let me explain, reading [0]

If the request fails due to a missing, invalid, or mismatching
redirection URI, or if the client identifier is missing or
invalid,
the authorization server SHOULD inform the resource owner of the
error and MUST NOT automatically redirect the user-agent to the
invalid redirection URI.

If the resource owner denies the access request or if the
request
fails for reasons other than a missing or invalid
redirection URI,
the authorization server informs the client by adding the
following
parameters to the query component of the redirection URI
using the
"application/x-www-form-urlencoded" format, perAppendix B
<https://tools.ietf.org/html/rfc6749#appendix-B>:

Now let’s assume this.
I am registering a new client to thevictim.com
<http://thevictim.com/>
<http://victim.com/><http://victim.com <http://victim.com/>
<http://victim.com/>>
<http://victim.com <http://victim.com/> <http://victim.com/>>
provider.
I register redirect uriattacker.com <http://uriattacker.com/>
<http://attacker.com/><http://attacker.com
<http://attacker.com/> <http://attacker.com/>>
<http://attacker.com <http://attacker.com/>
<http://attacker.com/>>.

According to [0] if I pass e.g. the wrong scope I am redirected
back to
attacker.com <http://attacker.com/>
<http://attacker.com/><http://attacker.com
<http://attacker.com/>
<http://attacker.com/>> <http://attacker.com
<http://attacker.com/> <http://attacker.com/>>.
Namely I prepare a url that is in this form:

http://victim.com/authorize?response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRONG_SCOPE&redirect_uri=http://attacker.com

and this is works as an open redirector.
Of course in the positive case if all the parameters are
fine this
doesn’t apply since the resource owner MUST approve the app
via the
consent screen (at least once).

A solution would be to return error 400 rather than redirect
to the
redirect URI (as some provider e.g. Google do)

WDYT?

regards

antonio

[0] https://tools.ietf.org/html/rfc6749#section-4.1.2.1


_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com <http://bill.burkecentral.com/>

_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
<mailto:OAuth@ietf.org><mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth



_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

--
Hans Zandbelt              | Sr. Technical Architect
hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com>
<mailto:hzandbelt@pingidentity.com>| Ping
Identity

--
Hans Zandbelt              | Sr. Technical Architect
hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com> |
Ping Identity

--
Hans Zandbelt              | Sr. Technical Architect
hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com>| Ping
Identity

_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

--
Hans Zandbelt              | Sr. Technical Architect
hzandbelt@pingidentity.com | Ping Identity

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--
Hans Zandbelt              | Sr. Technical Architect
hzandbelt@pingidentity.com | Ping Identity

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email