Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

Brian Campbell <bcampbell@pingidentity.com> Thu, 22 March 2018 08:17 UTC

In-Reply-To: <C499BC4D-C2D1-4654-82DF-BF3C5216C223@lodderstedt.net>
References: <E126FCD2-55E0-4ADB-9A3F-6EEF3955EC2C@authlete.com> <CAEKOcs1Ky7XETQ4xk2XaBZnkjyF-M_OpJvSWK5pouYgq90c5Nw@mail.gmail.com> <CA+k3eCR+bvWRK8H+tmkSGbHob1i7ZgrQ96g3qEeaLaU=_LJYSQ@mail.gmail.com> <57EDA9BC-1710-4968-B9D5-D6BBBC702046@lodderstedt.net> <CA+k3eCSheQzav2CmXvuOL3mT_z_6WON4UWCXqg_rsxzHP+XsAA@mail.gmail.com> <CA+k3eCQVsNr0pV8R8YAK-3o-qjF0c+7rVwqJ-Wyk=M8O0V=xyQ@mail.gmail.com> <CAEKOcs1AhdU=nSnoj6OPP31789aV0Cn0cKheRDqmw63nx-bvMQ@mail.gmail.com> <C499BC4D-C2D1-4654-82DF-BF3C5216C223@lodderstedt.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 22 Mar 2018 08:16:29 +0000
Message-ID: <CA+k3eCTp5Y6yNPjMitku8pLxdxoqY9s4hQUF_S8CwgOPDkw-Cg@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>, Travis Spencer <travis.spencer@curity.io>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kjS6YEvSnd6r5wsuZ10zWnaQN-M>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

That works for me

On Wed, Mar 21, 2018 at 7:34 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

> Hi all,
>
> thanks for your feedback. Here is my text proposal for section 3.8.1.
>
> ——
>
> Attackers could try to utilize a user's trust in the authorization
> server (and its URL in particular) for performing phishing attacks.
>
> RFC 6749 already prevents open redirects by stating the AS
> MUST NOT automatically redirect the user agent in case
> of an invalid combination of client_id and redirect_uri.
>
> However, as described in [I-D.ietf-oauth-closing-redirectors], an
> attacker could also utilize a correctly registered redirect URI to
> perform phishing attacks. It could for example register a client
> via dynamic client registration and intentionally send an
> erroneous authorization request, e.g. by using an invalid
> scope value, to cause the AS to automatically redirect the user
> agent to its phishing site.
>
> The AS MUST take precautions to prevent this threat.
> Based on its risk assessment the AS needs to decide whether
> it can trust the redirect URI or not and should only automatically
> redirect the user agent if it trusts the redirect URI. If not, it could
> inform the user that it is about to redirect her to another site
> and rely on the user to decide or just inform the user about the
> error.
>
> ——
>
> kind regards,
> Torsten.
>
>
>

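As an added illustration (not text or code from the draft or from this thread), the following Python function shows the two-step decision the proposed section 3.8.1 asks of an authorization server: the RFC 6749 rule of never redirecting on an invalid client_id/redirect_uri pair, then the new rule of auto-redirecting an error only to a redirect URI the AS trusts. The client registry, scope list and the per-client "trusted" flag are constructed sample data; the draft leaves the actual trust decision to the AS's risk assessment.

```python
from dataclasses import dataclass
from urllib.parse import urlencode

# Constructed sample client registry (hypothetical data). "trusted" stands in
# for the outcome of the AS's own risk assessment of the registered redirect
# URI, e.g. a manually vetted client vs. one created via dynamic registration.
CLIENTS = {
    "vetted-app": {"redirect_uris": {"https://app.example/cb"}, "trusted": True},
    "dyn-client-42": {"redirect_uris": {"https://unknown.example/cb"}, "trusted": False},
}
VALID_SCOPES = {"openid", "profile", "email"}


@dataclass
class Decision:
    action: str          # "proceed", "redirect", "interstitial" or "render_error"
    location: str = ""   # target URI; followed automatically only for "redirect"
    error: str = ""      # OAuth error code, if any


def handle_authorization_request(client_id, redirect_uri, scope, state=None):
    """Decide how the AS answers an authorization request that may be erroneous.

    Step 1 (RFC 6749): an invalid client_id/redirect_uri combination is shown
    to the user as an error; the user agent is never redirected.
    Step 2 (section 3.8.1 proposal): for a correctly registered redirect URI,
    an error such as invalid_scope is auto-redirected only if the AS trusts
    that URI; otherwise the user is told where they would be sent and decides.
    """
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        return Decision("render_error", error="invalid_request")

    requested = set(scope.split()) if scope else set()
    if not requested or not requested <= VALID_SCOPES:
        err = "invalid_scope"
        if client["trusted"]:
            params = {"error": err}
            if state:
                params["state"] = state  # echo state back, as RFC 6749 requires
            return Decision("redirect", f"{redirect_uri}?{urlencode(params)}", err)
        # Registered but untrusted: do not follow the redirect automatically.
        return Decision("interstitial", redirect_uri, err)

    return Decision("proceed", redirect_uri)
```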