Re: [OAUTH-WG] User-agent flow and pre-registered redirect_uri

Chuck Mortimore <cmortimore@salesforce.com> Tue, 08 June 2010 17:40 UTC

From: Chuck Mortimore <cmortimore@salesforce.com>
To: Marius Scurtescu <mscurtescu@google.com>
Date: Tue, 08 Jun 2010 10:40:52 -0700
Thread-Topic: [OAUTH-WG] User-agent flow and pre-registered redirect_uri
Thread-Index: AcsGqn4uUV085I26R1WFBouFIpjaggAhz8RH
Message-ID: <C833CEB4.6B81%cmortimore@salesforce.com>
In-Reply-To: <AANLkTingSGlJNZ5e_stPd1qU5I4gfbh3rQhqYUmqXvdB@mail.gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] User-agent flow and pre-registered redirect_uri
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>

Thanks - I get your line of reasoning now. I believe it would still help in preventing certain types of attack. These are especially apparent around immediate.

1) User initially grants access to example.com
2) User goes to an evil site
3) Without the user's knowledge, the malicious site issues an immediate user_agent flow

https://authzserver.com/authorize?type=user_agent&immediate=true&client_id=<Example.com's Client ID>&redirect_uri=<Evil URL>

4) Evil site is handed an access token based upon the previous grant to example.com

This would be prevented with a redirect_uri whitelist.

-cmort

On 6/7/10 6:23 PM, "Marius Scurtescu" <mscurtescu@google.com> wrote:

On Mon, Jun 7, 2010 at 5:31 PM, Chuck Mortimore
<cmortimore@salesforce.com> wrote:
> Not sure I follow this Marius:
>
> "What can happen is that exmple.com/back can pretend to be
> example.com/back, but registration does not help in this case."
>
> I believe it does help in this case, as the Authorization server can
> validate the registered redirect_uri vs. the requested redirect_uri. Hence
> the server would not issue a token to exmple.com in this case. Am I
> missing something?

What stops exmple.com from registering? Unless the authz wants to
operate only with a short list of human verified clients. The current
spec allows that. But if registration cannot be controlled like that,
and all it does is prove that the client owns a domain, then it does
not help.

I don't think registration should/can be enforced.

Marius
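The attack in steps 1-4 of Chuck's message, and the registered-redirect_uri check he says would stop it, as an added worked example. This is not code from the thread, from the OAuth draft, or from any real authorization server: it is a toy server in Python that handles the user_agent flow with immediate=true, first ignoring the registered redirect_uri (the case Chuck describes) and then enforcing it. The client ID "example-client-id", the URLs, the user "alice", the grant table and the token format are all constructed for illustration.

```python
"""
Toy OAuth 2.0 (2010 draft) user_agent-flow authorization endpoint.

Added example, not the WG's or any vendor's code.  All client IDs, URLs,
users and grants below are constructed test data.
"""
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class AuthzServer:
    # client_id -> redirect_uri registered out of band (constructed data)
    registered: dict = field(default_factory=lambda: {
        "example-client-id": "https://example.com/back",
    })
    # (user, client_id) pairs the user has already approved (step 1 of the attack)
    grants: set = field(default_factory=lambda: {("alice", "example-client-id")})
    # False reproduces the vulnerable behaviour: any redirect_uri is honoured
    enforce_registered_redirect: bool = True
    # (token, uri the token was delivered to), kept so a test can inspect it
    issued: list = field(default_factory=list)

    def authorize(self, url: str, user: str):
        """Return the Location the user-agent is redirected to, or None to refuse."""
        q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        if q.get("type") != "user_agent":
            return None
        client_id = q.get("client_id")
        redirect_uri = q.get("redirect_uri")
        if client_id not in self.registered or not redirect_uri:
            return None

        # The whitelist check from the thread.  Exact string comparison on
        # purpose: prefix or host-only matching would let an attacker who can
        # place content anywhere under the registered origin receive the token.
        if self.enforce_registered_redirect and redirect_uri != self.registered[client_id]:
            return None  # refuse outright; never redirect to an unregistered URI

        if q.get("immediate") == "true":
            # No consent UI is shown; succeed only on a previous grant.
            if (user, client_id) not in self.grants:
                return redirect_uri + "#" + urlencode({"error": "user_denied"})
        else:
            # Interactive flow: a real server shows consent here; assume approval.
            self.grants.add((user, client_id))

        token = secrets.token_urlsafe(16)
        self.issued.append((token, redirect_uri))
        # user_agent flow: token travels in the fragment of the redirect
        return redirect_uri + "#" + urlencode({"access_token": token})


# Step 3 of the attack: the evil page sends the user's browser here, using
# example.com's client_id but its own redirect_uri (constructed URL).
ATTACK_URL = ("https://authzserver.com/authorize?type=user_agent&immediate=true"
              "&client_id=example-client-id&redirect_uri=https://evil.example/steal")

# The legitimate client's own immediate request, for comparison.
LEGIT_URL = ("https://authzserver.com/authorize?type=user_agent&immediate=true"
             "&client_id=example-client-id&redirect_uri=https://example.com/back")


def run(url: str, enforce: bool) -> dict:
    """Drive one request as 'alice' and report where (if anywhere) a token went."""
    srv = AuthzServer(enforce_registered_redirect=enforce)
    location = srv.authorize(url, user="alice")
    delivered_to = srv.issued[0][1] if srv.issued else None
    return {
        "location": location,
        "token_issued": bool(srv.issued),
        "token_leaked": delivered_to is not None
                        and delivered_to.startswith("https://evil.example/"),
    }


if __name__ == "__main__":
    for enforce in (False, True):
        print("enforce registered redirect_uri:", enforce)
        print("  attacker:", run(ATTACK_URL, enforce))
        print("  example.com:", run(LEGIT_URL, enforce))
```

With enforcement off, the prior grant to example.com is enough for the server to hand a fresh token to https://evil.example/steal with no user interaction, which is exactly step 4 in the message. With enforcement on, the mismatched redirect_uri is refused before the grant table is consulted, while example.com's own immediate request still receives a token. The refusal deliberately returns no redirect at all rather than redirecting an error to the unregistered URI.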