IETF Logo Mail Archive

Re: [OAUTH-WG] open redirect in rfc6749

Phil Hunt <phil.hunt@oracle.com> Wed, 03 September 2014 19:49 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE9C11A6F91 for <oauth@ietfa.amsl.com>; Wed, 3 Sep 2014 12:49:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.414
X-Spam-Level:
X-Spam-Status: No, score=-2.414 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u6cmKCuCwl_k for <oauth@ietfa.amsl.com>; Wed, 3 Sep 2014 12:49:24 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 360D81A6F98 for <oauth@ietf.org>; Wed, 3 Sep 2014 12:49:10 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s83Jn5Cr021491 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 3 Sep 2014 19:49:06 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s83Jn402024551 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 3 Sep 2014 19:49:05 GMT
Received: from abhmp0012.oracle.com (abhmp0012.oracle.com [141.146.116.18]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s83Jn4pu012044; Wed, 3 Sep 2014 19:49:04 GMT
Received: from [192.168.1.197] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 03 Sep 2014 12:49:04 -0700
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <41169177-EDF1-4577-8860-B0DE2CDF5C0C@oracle.com>
Date: Wed, 03 Sep 2014 12:49:02 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <D1EFD4DC-F4E1-4627-BE9E-A1AEB327E2DC@oracle.com>
References: <756EEB25-89E8-4445-9DA0-5522787D51AB@adobe.com> <54073D6F.6070203@redhat.com> <7A3A12C9-2A3B-48B1-BD5D-FD467EA03EE8@ve7jtb.com> <58148F80-C2DD-45C5-8D6F-CED74A90AA75@adobe.com> <5407470B.2010904@pingidentity.com> <25055629-26A9-478D-AE7A-3C295E3166EE@adobe.com> <54074B7A.7080907@pingidentity.com> <43A8E8A6-BA9B-4501-8CA3-28943236EADB@adobe.com> <387F387A-4743-488F-BBD0-8FB8232FA8E9@ve7jtb.com> <5407611D.6090405@pingidentity.com> <26BE0939-3BFE-4C06-81E7-39BF906FCF19@oracle.com> <7320F0A5-86FA-42CB-8C6D-00EBDDF1A48C@adobe.com> <41169177-EDF1-4577-8860-B0DE2CDF5C0C@oracle.com>
To: Antonio Sanso <asanso@adobe.com>
X-Mailer: Apple Mail (2.1878.6)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/tQgNjio9SLYIopWD3GjYOIROkVE
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] open redirect in rfc6749
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Sep 2014 19:49:34 -0000

ooops,, that 6819 not 6810

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com



On Sep 3, 2014, at 12:47 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

> in RFC6810, see section 3.5 and 4.1.5. 
> 
> Phil
> 
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
> 
> 
> 
> On Sep 3, 2014, at 12:36 PM, Antonio Sanso <asanso@adobe.com> wrote:
> 
>> hi Phil,
>> can you point out the relative paragraph that covers this specific case in RFC6819?
>> On Sep 3, 2014, at 9:23 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>> 
>>> I do not believe this is a flaw specific to 6749. The flaw if any is within HTTP itself (RFC7230). Covert redirect is a well known problem. There are extensive recommendations that prevent this covered in 6749 and 6819.
>>> 
>>> There is no protocol fix that OAuth can make since it is a trait or feature of HTTP.
>>> 
>>> Instead we’ve made security recommendations which are the appropriate response to this issue. Further we published 6819 that provides further guidance.
>>> 
>>> Phil
>>> 
>>> @independentid
>>> www.independentid.com
>>> phil.hunt@oracle.com
>>> 
>>> 
>>> 
>>> On Sep 3, 2014, at 11:42 AM, Hans Zandbelt <hzandbelt@pingidentity.com> wrote:
>>> 
>>>> fine, you're talking security considerations about untrusted clients; that's a different use case than the protocol flaw reason why Google would not do rfc6749 as written
>>>> 
>>>> Hans.
>>>> 
>>>> On 9/3/14, 7:52 PM, John Bradley wrote:
>>>>> I agree that the error case where there is no UI is the problem, as it can be used inside a Iframe.
>>>>> 
>>>>> However error responses are generally useful.
>>>>> 
>>>>> OAuth core is silent on how redirect_uri are registered and if they are verified.
>>>>> 
>>>>> Dynamic registration should warn about OAuth errors to redirect_uri from untrusted clients.
>>>>> 
>>>>> For other registration methods we should update the RFC.
>>>>> 
>>>>> John B.
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> Sent from my iPhone
>>>>> 
>>>>>> On Sep 3, 2014, at 7:14 PM, Antonio Sanso <asanso@adobe.com> wrote:
>>>>>> 
>>>>>> 
>>>>>>> On Sep 3, 2014, at 7:10 PM, Hans Zandbelt <hzandbelt@pingidentity.com> wrote:
>>>>>>> 
>>>>>>> Is your concern clients that were registered using dynamic client registration?
>>>>>> 
>>>>>> yes
>>>>>> 
>>>>>>> 
>>>>>>> Otherwise the positive case is returning a response to a valid URL that belongs to a client that was registered explicitly by the resource owner
>>>>>> 
>>>>>> well AFAIK the resource owner doesn’t register clients…
>>>>>> 
>>>>>> 
>>>>>>> and the negative case is returning an error to that same URL.
>>>>>> 
>>>>>> the difference is the consent screen… in the positive case you need to approve an app.. for the error case no approval is needed,,,
>>>>>> 
>>>>>>> 
>>>>>>> I fail to see the open redirect.
>>>>>> 
>>>>>> why?
>>>>>> 
>>>>>>> 
>>>>>>> Hans.
>>>>>>> 
>>>>>>>> On 9/3/14, 6:56 PM, Antonio Sanso wrote:
>>>>>>>> 
>>>>>>>> On Sep 3, 2014, at 6:51 PM, Hans Zandbelt <hzandbelt@pingidentity.com
>>>>>>>> <mailto:hzandbelt@pingidentity.com>> wrote:
>>>>>>>> 
>>>>>>>>> Let me try and approach this from a different angle: why would you
>>>>>>>>> call it an open redirect when an invalid scope is provided and call it
>>>>>>>>> correct protocol behavior (hopefully) when a valid scope is provided?
>>>>>>>> 
>>>>>>>> as specified below in the positive case (namely when the correct scope
>>>>>>>> is provided) the resource owner MUST approve the app via the consent
>>>>>>>> screen (at least once).
>>>>>>>> 
>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Hans.
>>>>>>>>> 
>>>>>>>>>> On 9/3/14, 6:46 PM, Antonio Sanso wrote:
>>>>>>>>>> hi John,
>>>>>>>>>> On Sep 3, 2014, at 6:14 PM, John Bradley <ve7jtb@ve7jtb.com
>>>>>>>>>> <mailto:ve7jtb@ve7jtb.com>
>>>>>>>>>> <mailto:ve7jtb@ve7jtb.com>> wrote:
>>>>>>>>>> 
>>>>>>>>>>> In the example the redirect_uri is vlid for the attacker.
>>>>>>>>>>> 
>>>>>>>>>>> The issue is that the AS may be allowing client registrations with
>>>>>>>>>>> arbitrary redirect_uri.
>>>>>>>>>>> 
>>>>>>>>>>> In the spec it is unspecified how a AS validates that a client
>>>>>>>>>>> controls the redirect_uri it is registering.
>>>>>>>>>>> 
>>>>>>>>>>> I think that if anything it may be the registration step that needs
>>>>>>>>>>> the security consideration.
>>>>>>>>>> 
>>>>>>>>>> (this is the first time :p) but I do disagree with you. It would be
>>>>>>>>>> pretty unpractical to block this at registration time….
>>>>>>>>>> IMHO the best approach is the one taken from Google, namely returning
>>>>>>>>>> 400 with the cause of the error..
>>>>>>>>>> 
>>>>>>>>>> *400.* That’s an error.
>>>>>>>>>> 
>>>>>>>>>> *Error: invalid_scope*
>>>>>>>>>> 
>>>>>>>>>> Some requested scopes were invalid. {invalid=[l]}
>>>>>>>>>> 
>>>>>>>>>> said that I hope you all agree this is an issue in the spec so far….
>>>>>>>>>> 
>>>>>>>>>> regards
>>>>>>>>>> 
>>>>>>>>>> antonio
>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> John B.
>>>>>>>>>>> 
>>>>>>>>>>> On Sep 3, 2014, at 12:10 PM, Bill Burke <bburke@redhat.com
>>>>>>>>>>> <mailto:bburke@redhat.com>
>>>>>>>>>>> <mailto:bburke@redhat.com>> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> I don't understand.  The redirect uri has to be valid in order for a
>>>>>>>>>>>> redirect to happen.  The spec explicitly states this.
>>>>>>>>>>>> 
>>>>>>>>>>>>> On 9/3/2014 11:43 AM, Antonio Sanso wrote:
>>>>>>>>>>>>> hi *,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> IMHO providers that strictly follow rfc6749 are vulnerable to open
>>>>>>>>>>>>> redirect.
>>>>>>>>>>>>> Let me explain, reading [0]
>>>>>>>>>>>>> 
>>>>>>>>>>>>> If the request fails due to a missing, invalid, or mismatching
>>>>>>>>>>>>> redirection URI, or if the client identifier is missing or invalid,
>>>>>>>>>>>>> the authorization server SHOULD inform the resource owner of the
>>>>>>>>>>>>> error and MUST NOT automatically redirect the user-agent to the
>>>>>>>>>>>>> invalid redirection URI.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> If the resource owner denies the access request or if the request
>>>>>>>>>>>>> fails for reasons other than a missing or invalid redirection URI,
>>>>>>>>>>>>> the authorization server informs the client by adding the following
>>>>>>>>>>>>> parameters to the query component of the redirection URI using the
>>>>>>>>>>>>> "application/x-www-form-urlencoded" format, perAppendix B
>>>>>>>>>>>>> <https://tools.ietf.org/html/rfc6749#appendix-B>:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Now let’s assume this.
>>>>>>>>>>>>> I am registering a new client to thevictim.com
>>>>>>>>>>>>> <http://victim.com/><http://victim.com <http://victim.com/>>
>>>>>>>>>>>>> <http://victim.com <http://victim.com/>>
>>>>>>>>>>>>> provider.
>>>>>>>>>>>>> I register redirect uriattacker.com
>>>>>>>>>>>>> <http://attacker.com/><http://attacker.com <http://attacker.com/>>
>>>>>>>>>>>>> <http://attacker.com <http://attacker.com/>>.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> According to [0] if I pass e.g. the wrong scope I am redirected
>>>>>>>>>>>>> back to
>>>>>>>>>>>>> attacker.com <http://attacker.com/><http://attacker.com
>>>>>>>>>>>>> <http://attacker.com/>> <http://attacker.com <http://attacker.com/>>.
>>>>>>>>>>>>> Namely I prepare a url that is in this form:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> http://victim.com/authorize?response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRONG_SCOPE&redirect_uri=http://attacker.com
>>>>>>>>>>>>> 
>>>>>>>>>>>>> and this is works as an open redirector.
>>>>>>>>>>>>> Of course in the positive case if all the parameters are fine this
>>>>>>>>>>>>> doesn’t apply since the resource owner MUST approve the app via the
>>>>>>>>>>>>> consent screen (at least once).
>>>>>>>>>>>>> 
>>>>>>>>>>>>> A solution would be to return error 400 rather than redirect to the
>>>>>>>>>>>>> redirect URI (as some provider e.g. Google do)
>>>>>>>>>>>>> 
>>>>>>>>>>>>> WDYT?
>>>>>>>>>>>>> 
>>>>>>>>>>>>> regards
>>>>>>>>>>>>> 
>>>>>>>>>>>>> antonio
>>>>>>>>>>>>> 
>>>>>>>>>>>>> [0] https://tools.ietf.org/html/rfc6749#section-4.1.2.1
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> OAuth mailing list
>>>>>>>>>>>>> OAuth@ietf.org
>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>>>>> 
>>>>>>>>>>>> --
>>>>>>>>>>>> Bill Burke
>>>>>>>>>>>> JBoss, a division of Red Hat
>>>>>>>>>>>> http://bill.burkecentral.com
>>>>>>>>>>>> 
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> OAuth mailing list
>>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>>>> 
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> OAuth mailing list
>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org><mailto:OAuth@ietf.org>
>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> _______________________________________________
>>>>>>>>>> OAuth mailing list
>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>> 
>>>>>>>>> --
>>>>>>>>> Hans Zandbelt              | Sr. Technical Architect
>>>>>>>>> hzandbelt@pingidentity.com <mailto:hzandbelt@pingidentity.com>| Ping
>>>>>>>>> Identity
>>>>>>> 
>>>>>>> --
>>>>>>> Hans Zandbelt              | Sr. Technical Architect
>>>>>>> hzandbelt@pingidentity.com | Ping Identity
>>>>>> 
>>>> 
>>>> -- 
>>>> Hans Zandbelt              | Sr. Technical Architect
>>>> hzandbelt@pingidentity.com | Ping Identity
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email