Re: [OAUTH-WG] open redirect in rfc6749
John Bradley <ve7jtb@ve7jtb.com> Thu, 04 September 2014 12:44 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C427E1A887B for <oauth@ietfa.amsl.com>; Thu, 4 Sep 2014 05:44:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.146
X-Spam-Level:
X-Spam-Status: No, score=-0.146 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P4IGamsJJdeP for <oauth@ietfa.amsl.com>; Thu, 4 Sep 2014 05:44:09 -0700 (PDT)
Received: from mail-wg0-f47.google.com (mail-wg0-f47.google.com [74.125.82.47]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA4ED1A8868 for <oauth@ietf.org>; Thu, 4 Sep 2014 05:44:08 -0700 (PDT)
Received: by mail-wg0-f47.google.com with SMTP id z12so9895280wgg.18 for <oauth@ietf.org>; Thu, 04 Sep 2014 05:44:07 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=750DEiQeq1NmMqbIsRH6i2aUZv5SOxKjJ4pIfGRNDBU=; b=CSLwKWlv+b63kD0gMotWxaNWFPDCfh443TegNNiqBFxdTtDixwZpnypzpwCkQy8esn py/yke0gbh25AzGndTU41I98jog5d/b05xYVCpPOSXFZpgiskhv75PIGNYVqXvoIW6Rf tTnCuxzTMMnTD7AonF6hoBE8HaptdJhAU25rhua0nVcuTlaySfMR0ez3bXLPd+aUnu6B IruIVgnOU67vPH/8EijVZmos5+BrHDKGE0RWnD5YqUgzySyTyt0SQPJnWiNhHyqj4Qu2 Z4Sd0v6Vqp2l4Fi7aOiHYb34yvH6SHW4A1CD86GC1z9V62fpI9Tuusop/4YB59X9C2El W+0g==
X-Gm-Message-State: ALoCoQnpqQVYLBDvCQH+a6tpflToXFy88VgSlhDsgRbD1yXBfR/MzpAO7fnl5hYko8zgRh/UZ8Pl
X-Received: by 10.194.202.231 with SMTP id kl7mr5579424wjc.134.1409834647229; Thu, 04 Sep 2014 05:44:07 -0700 (PDT)
Received: from host-101-0.eduroamers.nl (host-101-0.eduroamers.nl. [145.96.0.101]) by mx.google.com with ESMTPSA id cw6sm19335748wjb.18.2014.09.04.05.44.05 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 04 Sep 2014 05:44:06 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_2488B34F-2095-4836-AB01-A04F1CEE3831"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <54085B16.5000001@pingidentity.com>
Date: Thu, 04 Sep 2014 14:44:04 +0200
Message-Id: <0D64CB33-1ED1-4780-8BBD-1DADB80DE24B@ve7jtb.com>
References: <756EEB25-89E8-4445-9DA0-5522787D51AB@adobe.com> <54073D6F.6070203@redhat.com> <7A3A12C9-2A3B-48B1-BD5D-FD467EA03EE8@ve7jtb.com> <58148F80-C2DD-45C5-8D6F-CED74A90AA75@adobe.com> <5407470B.2010904@pingidentity.com> <25055629-26A9-478D-AE7A-3C295E3166EE@adobe.com> <54074B7A.7080907@pingidentity.com> <43A8E8A6-BA9B-4501-8CA3-28943236EADB@adobe.com> <54075296.9090007@pingidentity.com> <848F15BD-894D-48C6-B901-B5565BDE4C08@adobe.com> <05C25C09-598C-4D7F-A07A-C93DEC17D10B@adobe.com> <255386B5-79A1-4CD7-90E6-F3F6E23F51F8@mitre.org> <540818FD.1010202@pingidentity.com> <809F7DAB-021D-4770-9D7B-E996D0D32D45@adobe.com> <540829AF.9030804@pingidentity.com> <DDB844F5-4008-47FF-BC82-16EB61E276D4@adobe.com> <540853E1.3090102@pingidentity.com> <54085675.3060507@pingidentity.com> <FE978421-CA1B-4FA1-9887-0245982EA359@ve7jtb.com> <54085B16.5000001@pingidentity.com>
To: Hans Zandbelt <hzandbelt@pingidentity.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/qKkp_EdOIdwTk0_BQ5wMjxL2eOQ
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] open redirect in rfc6749
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Sep 2014 12:44:12 -0000
In a enterprise case likely there is some trusted relationship. In the Web 2.0 API economy case there is a tension between providers wanting the maximum number of users and validating the developer registering the client. Often having a email someplace is sufficient to register a client. That is not a particularly high bar if you are someone intent on hacking or phishing. Each AS is going to have some different policy regarding the vetting of clients/developers. So AS need to take appropriate precautions based on there policies. John B. On Sep 4, 2014, at 2:29 PM, Hans Zandbelt <hzandbelt@pingidentity.com> wrote: > exactly, but my point would be that the attacker needs to have an relationship/account with the OP; this is where the approval is and I agree with Antonio/you that that is tricky for consumer ASs and deserves a warning > > Hans. > > On 9/4/14, 2:22 PM, John Bradley wrote: >> Registration requiring a valid email address is not sufficient to stop a "bad" person from registering a client that appears to be perfectly legitimate but is later used as a redirect. >> >> So it is a bit slippery to differentiate good from bad. >> >> In general clearing the referrer and fragment from incoming requests is a good practice on redirects to prevent leakage of information across the redirect. >> >> The other concern is using the redirect as part of a phishing attack to make the target site look more legitimate. >> That is a more complicated problem unless you validate every client by looking at them to make sure they are not bad in some way. >> >> John B. >> >> >> On Sep 4, 2014, at 2:09 PM, Hans Zandbelt <hzandbelt@pingidentity.com> wrote: >> >>> Maybe just to clarify my point: where did the client_id in the example that you gave come from? >>> >>> Hans. >>> >>> On 9/4/14, 1:58 PM, Hans Zandbelt wrote: >>>> yes, you are right about the unrestricted client use case; I just got >>>> caught by the fact that you were talking about *unrestricted* client >>>> registration all the time (standards-based or not) which deserves extra >>>> caution whereas Google (and the spec) also provides *restricted* client >>>> registration the deviation or caution is not needed >>>> >>>> Hans. >>>> >>>> On 9/4/14, 1:44 PM, Antonio Sanso wrote: >>>>> hi Hans >>>>> >>>>> On Sep 4, 2014, at 10:58 AM, Hans Zandbelt >>>>> <hzandbelt@pingidentity.com> wrote: >>>>> >>>>>> Agreed, I see you point about the big providers using exactly the >>>>>> unrestricted flow for which the trust model (by definition) is out of >>>>>> scope of the spec. This may be the reason for the implemented >>>>>> behavior indeed and a security consideration is a good idea for other >>>>>> deployments; there's not much more that can be done. >>>>>> >>>>>> But Google also provides explicit registration for API clients (which >>>>>> is where my mind was): >>>>>> https://developers.google.com/accounts/docs/OAuth2 (step 1) >>>>>> and they would not need to deviate from the spec for that, nor would >>>>>> the spec need to change >>>>> >>>>> I do really struggle to understand your point here :) (at least the >>>>> "nor would the spec need to change part" :)). >>>>> >>>>> Probably I need to explain myself better. >>>>> Since Google is “safe” (due the “deviation” from the spec) I would >>>>> take Google as example here (I could point out open redirector in the >>>>> wild to proof my point but I will not do…) >>>>> >>>>> Let’s start from scratch… >>>>> >>>>> If Google would have something like >>>>> http://www.google.com?goto=attacker.com this is without any doubt an >>>>> open redirector… see also OWASP 10 [0]. >>>>> >>>>> Now if Google would have implemented the spec rfc6749 verbatim >>>>> something like >>>>> >>>>> https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=788732372078.apps.googleusercontent.com&scope=WRONG_SCOPE&redirect_uri=http://attacker.com >>>>> >>>>> >>>>> would have redirect to http://attacker.com. >>>>> >>>>> So why this is not an open redirect ? :) >>>>> >>>>> Now maybe we are saying the same thing but I felt like better explain >>>>> my point :) >>>>> >>>>> regards >>>>> >>>>> antonio >>>>> >>>>> [0] >>>>> https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards >>>>> >>>>> >>>>> >>>>>> >>>>>> Hans. >>>>>> >>>>>> On 9/4/14, 9:50 AM, Antonio Sanso wrote: >>>>>>> Hi Hans, >>>>>>> >>>>>>> I really fail to see how this can be addressed at registration time >>>>>>> for cases where registration is unrestricted (namely all the big >>>>>>> Providers) >>>>>>> >>>>>>> regards >>>>>>> >>>>>>> antonio >>>>>>> >>>>>>> On Sep 4, 2014, at 9:47 AM, Hans Zandbelt >>>>>>> <hzandbelt@pingidentity.com> wrote: >>>>>>> >>>>>>>> Classifying like this must also mean that consent should not be >>>>>>>> stored until the client is considered (admin) trusted, and admin >>>>>>>> policy would interfere with user policy. >>>>>>>> >>>>>>>> IMHO the security consideration would apply only to dynamically >>>>>>>> registered clients where registration is unrestricted; any other >>>>>>>> form would involve some form of admin/user approval at registration >>>>>>>> time, overcoming the concern at authorization time: there's no >>>>>>>> auto-redirect flow possible for unknown clients. >>>>>>>> >>>>>>>> Hans. >>>>>>>> >>>>>>>> On 9/4/14, 9:04 AM, Richer, Justin P. wrote: >>>>>>>>> I think this advice isn't a bad idea, though it's of course up to >>>>>>>>> the AS >>>>>>>>> what an "untrusted" client really is. In practice, this is something >>>>>>>>> that was registered by a non-sysadmin type person, either a >>>>>>>>> dynamically >>>>>>>>> registered client or something available through self-service >>>>>>>>> registration of some type. It's also reasonable that a client, even >>>>>>>>> dynamically registered, would be considered "trusted" if enough >>>>>>>>> time has >>>>>>>>> passed and enough users have used it without things blowing up. >>>>>>>>> >>>>>>>>> -- Justin >>>>>>>>> >>>>>>>>> On Sep 4, 2014, at 1:26 AM, Antonio Sanso <asanso@adobe.com >>>>>>>>> <mailto:asanso@adobe.com>> wrote: >>>>>>>>> >>>>>>>>>> hi again *, >>>>>>>>>> >>>>>>>>>> after thinking a bit further IMHO an alternative for the untrusted >>>>>>>>>> clients can also be to always present the consent screen (at least >>>>>>>>>> once) before any redirect. >>>>>>>>>> Namely all providers I have seen show the consent screen if all the >>>>>>>>>> request parameters are correct and if the user accepts the redirect >>>>>>>>>> happens. >>>>>>>>>> If one of the parameter (with the exclusion of the client id and >>>>>>>>>> redirect uri that are handled differently as for spec) is wrong >>>>>>>>>> though >>>>>>>>>> the redirect happens without the consent screen being shown.. >>>>>>>>>> >>>>>>>>>> WDYT? >>>>>>>>>> >>>>>>>>>> regards >>>>>>>>>> >>>>>>>>>> antonio >>>>>>>>>> >>>>>>>>>> On Sep 3, 2014, at 7:54 PM, Antonio Sanso <asanso@adobe.com >>>>>>>>>> <mailto:asanso@adobe.com>> wrote: >>>>>>>>>> >>>>>>>>>>> Well, >>>>>>>>>>> I do not know if this is only dynamic registration... >>>>>>>>>>> let’s talk about real use cases, namely e.g. Google , Facebook , >>>>>>>>>>> etc.. is that dynamic client registration? I do not know… :) >>>>>>>>>>> >>>>>>>>>>> Said that what the other guys think? :) >>>>>>>>>>> Would this deserve some “spec adjustment” ? I mean there is a >>>>>>>>>>> reason >>>>>>>>>>> if Google is by choice “violating” the spec right? (I assume to >>>>>>>>>>> avoid >>>>>>>>>>> open redirect…) >>>>>>>>>>> But other implementers do follow the spec hence they have this open >>>>>>>>>>> redirector… and this is not nice IMHO... >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Sep 3, 2014, at 7:40 PM, Hans Zandbelt >>>>>>>>>>> <hzandbelt@pingidentity.com >>>>>>>>>>> <mailto:hzandbelt@pingidentity.com>> wrote: >>>>>>>>>>> >>>>>>>>>>>> On 9/3/14, 7:14 PM, Antonio Sanso wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> On Sep 3, 2014, at 7:10 PM, Hans Zandbelt >>>>>>>>>>>>> <hzandbelt@pingidentity.com >>>>>>>>>>>>> <mailto:hzandbelt@pingidentity.com>> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> Is your concern clients that were registered using dynamic >>>>>>>>>>>>>> client >>>>>>>>>>>>>> registration? >>>>>>>>>>>>> >>>>>>>>>>>>> yes >>>>>>>>>>>> >>>>>>>>>>>> I think your issue is then with the trust model of dynamic client >>>>>>>>>>>> registration; that is left out of scope of the dynreg spec (and >>>>>>>>>>>> the >>>>>>>>>>>> concept is not even part of the core spec), but unless you want >>>>>>>>>>>> everything to be open (which typically would not be the case), >>>>>>>>>>>> then >>>>>>>>>>>> it would involve approval somewhere in the process before the >>>>>>>>>>>> client >>>>>>>>>>>> is registered. Without dynamic client registration that >>>>>>>>>>>> approval is >>>>>>>>>>>> admin based or resource owner based, depending on use case. >>>>>>>>>>>> >>>>>>>>>>>>>> Otherwise the positive case is returning a response to a >>>>>>>>>>>>>> valid URL >>>>>>>>>>>>>> that belongs to a client that was registered explicitly by the >>>>>>>>>>>>>> resource owner >>>>>>>>>>>>> >>>>>>>>>>>>> well AFAIK the resource owner doesn’t register clients… >>>>>>>>>>>> >>>>>>>>>>>> roles can collapse in use cases especially when using dynamic >>>>>>>>>>>> client >>>>>>>>>>>> registration >>>>>>>>>>>> >>>>>>>>>>>>>> and the negative case is returning an error to that same URL. >>>>>>>>>>>>> >>>>>>>>>>>>> the difference is the consent screen… in the positive case you >>>>>>>>>>>>> need >>>>>>>>>>>>> to approve an app.. for the error case no approval is needed,,, >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> I fail to see the open redirect. >>>>>>>>>>>>> >>>>>>>>>>>>> why? >>>>>>>>>>>> >>>>>>>>>>>> because the client and thus the fixed URL are explicitly >>>>>>>>>>>> approved at >>>>>>>>>>>> some point >>>>>>>>>>>> >>>>>>>>>>>> Hans. >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Hans. >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 9/3/14, 6:56 PM, Antonio Sanso wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Sep 3, 2014, at 6:51 PM, Hans Zandbelt >>>>>>>>>>>>>>> <hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com> >>>>>>>>>>>>>>> <mailto:hzandbelt@pingidentity.com>> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Let me try and approach this from a different angle: why >>>>>>>>>>>>>>>> would you >>>>>>>>>>>>>>>> call it an open redirect when an invalid scope is provided and >>>>>>>>>>>>>>>> call it >>>>>>>>>>>>>>>> correct protocol behavior (hopefully) when a valid scope is >>>>>>>>>>>>>>>> provided? >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> as specified below in the positive case (namely when the >>>>>>>>>>>>>>> correct >>>>>>>>>>>>>>> scope >>>>>>>>>>>>>>> is provided) the resource owner MUST approve the app via the >>>>>>>>>>>>>>> consent >>>>>>>>>>>>>>> screen (at least once). >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Hans. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 9/3/14, 6:46 PM, Antonio Sanso wrote: >>>>>>>>>>>>>>>>> hi John, >>>>>>>>>>>>>>>>> On Sep 3, 2014, at 6:14 PM, John Bradley <ve7jtb@ve7jtb.com >>>>>>>>>>>>>>>>> <mailto:ve7jtb@ve7jtb.com> >>>>>>>>>>>>>>>>> <mailto:ve7jtb@ve7jtb.com> >>>>>>>>>>>>>>>>> <mailto:ve7jtb@ve7jtb.com>> wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> In the example the redirect_uri is vlid for the attacker. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> The issue is that the AS may be allowing client >>>>>>>>>>>>>>>>>> registrations with >>>>>>>>>>>>>>>>>> arbitrary redirect_uri. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> In the spec it is unspecified how a AS validates that a >>>>>>>>>>>>>>>>>> client >>>>>>>>>>>>>>>>>> controls the redirect_uri it is registering. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> I think that if anything it may be the registration step >>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>> needs >>>>>>>>>>>>>>>>>> the security consideration. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> (this is the first time :p) but I do disagree with you. It >>>>>>>>>>>>>>>>> would be >>>>>>>>>>>>>>>>> pretty unpractical to block this at registration time…. >>>>>>>>>>>>>>>>> IMHO the best approach is the one taken from Google, namely >>>>>>>>>>>>>>>>> returning >>>>>>>>>>>>>>>>> 400 with the cause of the error.. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> *400.* That’s an error. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> *Error: invalid_scope* >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Some requested scopes were invalid. {invalid=[l]} >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> said that I hope you all agree this is an issue in the >>>>>>>>>>>>>>>>> spec so >>>>>>>>>>>>>>>>> far…. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> regards >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> antonio >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> John B. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On Sep 3, 2014, at 12:10 PM, Bill Burke <bburke@redhat.com >>>>>>>>>>>>>>>>>> <mailto:bburke@redhat.com> >>>>>>>>>>>>>>>>>> <mailto:bburke@redhat.com> >>>>>>>>>>>>>>>>>> <mailto:bburke@redhat.com>> wrote: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> I don't understand. The redirect uri has to be valid in >>>>>>>>>>>>>>>>>>> order for a >>>>>>>>>>>>>>>>>>> redirect to happen. The spec explicitly states this. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On 9/3/2014 11:43 AM, Antonio Sanso wrote: >>>>>>>>>>>>>>>>>>>> hi *, >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> IMHO providers that strictly follow rfc6749 are vulnerable >>>>>>>>>>>>>>>>>>>> to open >>>>>>>>>>>>>>>>>>>> redirect. >>>>>>>>>>>>>>>>>>>> Let me explain, reading [0] >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> If the request fails due to a missing, invalid, or >>>>>>>>>>>>>>>>>>>> mismatching >>>>>>>>>>>>>>>>>>>> redirection URI, or if the client identifier is missing or >>>>>>>>>>>>>>>>>>>> invalid, >>>>>>>>>>>>>>>>>>>> the authorization server SHOULD inform the resource >>>>>>>>>>>>>>>>>>>> owner of the >>>>>>>>>>>>>>>>>>>> error and MUST NOT automatically redirect the >>>>>>>>>>>>>>>>>>>> user-agent to the >>>>>>>>>>>>>>>>>>>> invalid redirection URI. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> If the resource owner denies the access request or if the >>>>>>>>>>>>>>>>>>>> request >>>>>>>>>>>>>>>>>>>> fails for reasons other than a missing or invalid >>>>>>>>>>>>>>>>>>>> redirection URI, >>>>>>>>>>>>>>>>>>>> the authorization server informs the client by adding the >>>>>>>>>>>>>>>>>>>> following >>>>>>>>>>>>>>>>>>>> parameters to the query component of the redirection URI >>>>>>>>>>>>>>>>>>>> using the >>>>>>>>>>>>>>>>>>>> "application/x-www-form-urlencoded" format, perAppendix B >>>>>>>>>>>>>>>>>>>> <https://tools.ietf.org/html/rfc6749#appendix-B>: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Now let’s assume this. >>>>>>>>>>>>>>>>>>>> I am registering a new client to thevictim.com >>>>>>>>>>>>>>>>>>>> <http://thevictim.com/> >>>>>>>>>>>>>>>>>>>> <http://victim.com/><http://victim.com >>>>>>>>>>>>>>>>>>>> <http://victim.com/> >>>>>>>>>>>>>>>>>>>> <http://victim.com/>> >>>>>>>>>>>>>>>>>>>> <http://victim.com <http://victim.com/> >>>>>>>>>>>>>>>>>>>> <http://victim.com/>> >>>>>>>>>>>>>>>>>>>> provider. >>>>>>>>>>>>>>>>>>>> I register redirect uriattacker.com >>>>>>>>>>>>>>>>>>>> <http://uriattacker.com/> >>>>>>>>>>>>>>>>>>>> <http://attacker.com/><http://attacker.com >>>>>>>>>>>>>>>>>>>> <http://attacker.com/> <http://attacker.com/>> >>>>>>>>>>>>>>>>>>>> <http://attacker.com <http://attacker.com/> >>>>>>>>>>>>>>>>>>>> <http://attacker.com/>>. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> According to [0] if I pass e.g. the wrong scope I am >>>>>>>>>>>>>>>>>>>> redirected >>>>>>>>>>>>>>>>>>>> back to >>>>>>>>>>>>>>>>>>>> attacker.com <http://attacker.com/> >>>>>>>>>>>>>>>>>>>> <http://attacker.com/><http://attacker.com >>>>>>>>>>>>>>>>>>>> <http://attacker.com/> >>>>>>>>>>>>>>>>>>>> <http://attacker.com/>> <http://attacker.com >>>>>>>>>>>>>>>>>>>> <http://attacker.com/> <http://attacker.com/>>. >>>>>>>>>>>>>>>>>>>> Namely I prepare a url that is in this form: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> http://victim.com/authorize?response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRONG_SCOPE&redirect_uri=http://attacker.com >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> and this is works as an open redirector. >>>>>>>>>>>>>>>>>>>> Of course in the positive case if all the parameters are >>>>>>>>>>>>>>>>>>>> fine this >>>>>>>>>>>>>>>>>>>> doesn’t apply since the resource owner MUST approve the >>>>>>>>>>>>>>>>>>>> app >>>>>>>>>>>>>>>>>>>> via the >>>>>>>>>>>>>>>>>>>> consent screen (at least once). >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> A solution would be to return error 400 rather than >>>>>>>>>>>>>>>>>>>> redirect >>>>>>>>>>>>>>>>>>>> to the >>>>>>>>>>>>>>>>>>>> redirect URI (as some provider e.g. Google do) >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> WDYT? >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> regards >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> antonio >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> [0] https://tools.ietf.org/html/rfc6749#section-4.1.2.1 >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>>>>>>>> OAuth mailing list >>>>>>>>>>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>>>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>>>> Bill Burke >>>>>>>>>>>>>>>>>>> JBoss, a division of Red Hat >>>>>>>>>>>>>>>>>>> http://bill.burkecentral.com >>>>>>>>>>>>>>>>>>> <http://bill.burkecentral.com/> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>>>>>>> OAuth mailing list >>>>>>>>>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>>>>>>>>>>>>>>> <mailto:OAuth@ietf.org> >>>>>>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>>>>>> OAuth mailing list >>>>>>>>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>>>>>>>>>>>>>> <mailto:OAuth@ietf.org><mailto:OAuth@ietf.org> >>>>>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>>>>> OAuth mailing list >>>>>>>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>>>>>>>>>>>>> <mailto:OAuth@ietf.org> >>>>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>> Hans Zandbelt | Sr. Technical Architect >>>>>>>>>>>>>>>> hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com> >>>>>>>>>>>>>>>> <mailto:hzandbelt@pingidentity.com>| Ping >>>>>>>>>>>>>>>> Identity >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> Hans Zandbelt | Sr. Technical Architect >>>>>>>>>>>>>> hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com> | >>>>>>>>>>>>>> Ping Identity >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> Hans Zandbelt | Sr. Technical Architect >>>>>>>>>>>> hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com>| >>>>>>>>>>>> Ping >>>>>>>>>>>> Identity >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> OAuth mailing list >>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Hans Zandbelt | Sr. Technical Architect >>>>>>>> hzandbelt@pingidentity.com | Ping Identity >>>>>>> >>>>>> >>>>>> -- >>>>>> Hans Zandbelt | Sr. Technical Architect >>>>>> hzandbelt@pingidentity.com | Ping Identity >>>>> >>>> >>> >>> -- >>> Hans Zandbelt | Sr. Technical Architect >>> hzandbelt@pingidentity.com | Ping Identity >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> > > -- > Hans Zandbelt | Sr. Technical Architect > hzandbelt@pingidentity.com | Ping Identity
- [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Bill Burke
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Takahiko Kawasaki
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Richer, Justin P.
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Bill Burke
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Richer, Justin P.
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Richer, Justin P.
- Re: [OAUTH-WG] open redirect in rfc6749 Phil Hunt
- Re: [OAUTH-WG] open redirect in rfc6749 John Bradley
- Re: [OAUTH-WG] open redirect in rfc6749 Torsten Lodderstedt
- Re: [OAUTH-WG] open redirect in rfc6749 Hans Zandbelt
- Re: [OAUTH-WG] open redirect in rfc6749 Sergey Beryozkin
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Sergey Beryozkin
- Re: [OAUTH-WG] open redirect in rfc6749 Bill Burke
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso
- Re: [OAUTH-WG] open redirect in rfc6749 Antonio Sanso