Re: [OAUTH-WG] Caution about open redirectors using the state parameter

Daniel Fett <fett@danielfett.de> Wed, 22 April 2020 13:31 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kM2jZfUnYkb3OKDFbKOiqf6kWZA>

On 22.04.20 at 15:14, Pieter Philippaerts wrote:
>
> You could argue that it's already there. Section 4.7.1 says:
>
>
We also have Section 4.9 on open redirectors:

https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-4.9


-Daniel