Re: [OAUTH-WG] redircet_uri matching algorithm
Bill Mills <wmills_92105@yahoo.com> Thu, 21 May 2015 20:13 UTC
Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B10BB1A8A5E for <oauth@ietfa.amsl.com>; Thu, 21 May 2015 13:13:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.134
X-Spam-Level:
X-Spam-Status: No, score=-1.134 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_XBL=0.375, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lU8vP0g5mAW7 for <oauth@ietfa.amsl.com>; Thu, 21 May 2015 13:13:30 -0700 (PDT)
Received: from nm8-vm0.bullet.mail.bf1.yahoo.com (nm8-vm0.bullet.mail.bf1.yahoo.com [98.139.213.95]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6591C1A8A60 for <oauth@ietf.org>; Thu, 21 May 2015 13:13:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1432239208; bh=ZEfcNMINCZR8VikzGdOCQkVwVze0JLJmWJbroMlk+3s=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=MWNwjgip6QyVqGnFytYgrz3m/FHaQXgUR0jOzkbl5/OOXS6X29C/t7/+r0azd66SU2WS7kN+oQHf1tnQPssqzmsgejk6YXBPeg9+HrWIoEVfO9gGp8O3rb9FCTlYjpeCC8zuzwNvpYfioKq4jwHb0Q6WSg8Mjgorxmr1eVxsKi9O1DVrLevhXJbDmPnOwibTAa6KSAr0jwKB2Qwn/mMTH8sbPJ9Ifh36R+ehKMkbkXVoFEJ63oquoMAsEg/1hc5xsTzTSXX1OSjj5PU5ozb0g3KKmWCmoUlU3NHlajA2n1MZ2wWto4ZpAdX2osC789Il6eNKcx1EUBaKduGOcYueDQ==
Received: from [98.139.215.142] by nm8.bullet.mail.bf1.yahoo.com with NNFMP; 21 May 2015 20:13:28 -0000
Received: from [98.139.212.204] by tm13.bullet.mail.bf1.yahoo.com with NNFMP; 21 May 2015 20:13:28 -0000
Received: from [127.0.0.1] by omp1013.mail.bf1.yahoo.com with NNFMP; 21 May 2015 20:13:28 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 531572.5620.bm@omp1013.mail.bf1.yahoo.com
X-YMail-OSG: RyROJ88VM1k9qO11gnwcUorpzeJoADjElXSPnZvKzSB.zTsv4YqhRmK6z5o6EO5 8TnhHw1AzkjYf2ylBWkEsTbxeL2dADylF1aS.__jX32JtC6Kx87d4CA4azSv4y8FvZ2347JGYuui u319Zp3QDDCBOXS5.D3k9wK1Zyr9lCUv7i7BbS31aTxL7NF1r3VydTwGSwW1ySwvxX.e2_WMT2J7 C1E4wWBxqpsaTtFDYVrUS22N6PVFbePHVenmbWdvBoDSOBajeS1a4TwO3tHCgSl8hwXyDFNf281U MJrFxNJ_ITDPvU2eIdW0X6IqW.b_j1mXfa8NaCTMj0pjjcwN.XV4uORi89Bq5UYtsCYQcURYklwu u5sQH9gQA9uHc7kBZ1Gi2mtwHaG8qziZZ19.BWZuwkXlbffRMVPMHtMW40t0V8zPzH_cTG9ulgWQ SaisRZ9YlDm1vohW_Jvgt6E7UX3qCUPJ3bXg9QhVQqn1mJls2kqsFgVHyJOVv.Sri8kzghTXlXXP rhjNBoweYrhEcVLCcwQ--
Received: by 66.196.80.145; Thu, 21 May 2015 20:13:28 +0000
Date: Thu, 21 May 2015 20:13:27 +0000
From: Bill Mills <wmills_92105@yahoo.com>
To: Mike Jones <Michael.Jones@microsoft.com>, Antonio Sanso <asanso@adobe.com>, John Bradley <ve7jtb@ve7jtb.com>
Message-ID: <1842692772.4820975.1432239207731.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <BY2PR03MB4423D6CD3799CEB1F321DB8F5C10@BY2PR03MB442.namprd03.prod.outlook.com>
References: <BY2PR03MB4423D6CD3799CEB1F321DB8F5C10@BY2PR03MB442.namprd03.prod.outlook.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_4820974_757761103.1432239207723"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/qgZh8q_larECRbBIm1s_yxYoRok>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] redircet_uri matching algorithm
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bill Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 20:13:31 -0000
+1 On Thursday, May 21, 2015 12:29 PM, Mike Jones <Michael.Jones@microsoft.com> wrote: +1 I vehemently concur that that working group should stay completely clear of facilitating this insecure practice. -- Mike -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Antonio Sanso Sent: Thursday, May 21, 2015 12:41 AM To: John Bradley Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] redircet_uri matching algorithm On May 21, 2015, at 4:35 AM, John Bradley <ve7jtb@ve7jtb.com> wrote: > I think the correct answer is that clients should always assume exact redirect_uri matching, and servers should always enforce it. > > Anything else is asking for trouble. FWIW I completely agree with John here... regards antonio > > If clients need to maintain some state the correct thing to do is use the state parameter, and not append extra path or query elements to there redirect_uri. > > A significant number of security problems in the wild come from servers not enforcing this. > > I may be taking an excessively hard line, but partial matching is not something we should be encouraging by making easier. > > I did do a draft on a way to safely use state https://tools.ietf.org/id/draft-bradley-oauth-jwt-encoded-state-04.txt > > John B. > > >> On May 16, 2015, at 4:43 AM, Patrick Gansterer <paroga@paroga.com> wrote: >> >> "OAuth 2.0 Dynamic Client Registration Protocol" [1] is nearly finished and provides the possibility to register additional "Client Metadata". >> >> OAuth 2.0 does not define any matching algorithm for the redirect_uris. The latest information on that topic I could find is [1], which is 5 years old. Is there any more recent discussion about it? >> >> I'd suggest to add an OPTIONAL "redirect_uris_matching_method" client metadata. Possible valid values could be: >> * "exact": The "redirect_uri" provided in a redirect-based flow must match exactly one of of the provided strings in the "redirect_uris" array. >> * "prefix": The "redirect_uri" must begin with one of the "redirect_uris". (e.g. "http://example.com/path/subpath" would be valid with ["http://example.com/path/", "http://example.com/otherpath/"]) >> * "regex": The provided "redirect_uris" are threatened as regular expressions, which the "redirect_uri" will be matched against. (e.g. "http://subdomain.example.com/path5/" would be valid with ["^http:\\/\\/[a-z]+\\.example\\.com\\/path\\d+\\/"] >> >> If not defined the server can choose any supported method, so we do not break existing implementations. On the other side it allows an client to make sure that a server supports a specific matching algorithm required by the client. ATM a client has no possibility to know how a server handles the redirect_uris. >> >> [1] http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-29 >> [2] http://www.ietf.org/mail-archive/web/oauth/current/msg02617.html >> >> -- >> Patrick Gansterer >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] redircet_uri matching algorithm Patrick Gansterer
- Re: [OAUTH-WG] redircet_uri matching algorithm David Waite
- Re: [OAUTH-WG] redircet_uri matching algorithm Bill Burke
- Re: [OAUTH-WG] redircet_uri matching algorithm Justin Richer
- Re: [OAUTH-WG] redircet_uri matching algorithm John Bradley
- Re: [OAUTH-WG] redircet_uri matching algorithm Antonio Sanso
- Re: [OAUTH-WG] redircet_uri matching algorithm Mike Jones
- Re: [OAUTH-WG] redircet_uri matching algorithm Bill Mills
- Re: [OAUTH-WG] redircet_uri matching algorithm Pedro Igor Silva
- Re: [OAUTH-WG] redircet_uri matching algorithm Donald F. Coffin
- Re: [OAUTH-WG] redircet_uri matching algorithm Patrick Gansterer