IETF Logo Mail Archive

Re: [OAUTH-WG] redirect uri and portals

Jaimandeep Singh <jaimandeep.phdcs21@nfsu.ac.in> Wed, 08 March 2023 04:47 UTC

Return-Path: <jaimandeep.phdcs21@nfsu.ac.in>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4129CC14F74E for <oauth@ietfa.amsl.com>; Tue, 7 Mar 2023 20:47:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.084
X-Spam-Level:
X-Spam-Status: No, score=-2.084 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nfsu.ac.in
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mV6Bgc_xHyDN for <oauth@ietfa.amsl.com>; Tue, 7 Mar 2023 20:47:27 -0800 (PST)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 633D1C14F739 for <oauth@ietf.org>; Tue, 7 Mar 2023 20:47:27 -0800 (PST)
Received: by mail-lj1-x22e.google.com with SMTP id a32so1426917ljq.1 for <oauth@ietf.org>; Tue, 07 Mar 2023 20:47:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nfsu.ac.in; s=google; t=1678250845; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=nKOqcL7b+ppkoMu/WDo27oloaMIpJwCrtni6Bzni+7w=; b=bOu/f13T5GC7D4IZyrH3tuSUnSsNt+3YOEAWg5Vy7xQAJWd99UXbW0So3mkc4ANxNg UhamW9zjg0WFBUOubA8vF/fitgCOsjQAt8C6FxiyHvTNCTLa0PVaFn3CXtQ1DDNaWujW A8vyD/yPMCrI7Ot8+k07NZE7MWJaBIS5r7Akg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678250845; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=nKOqcL7b+ppkoMu/WDo27oloaMIpJwCrtni6Bzni+7w=; b=yekxFdQwzdEhexr2KLr65RkQn99UbdVjMBrRmMM/llJEDMom4ozg386IqJguGc4GmA aNXOLx/q15W+ta9gygJy6mzAIc6qqrmS3Q0feWUqxYKG7yZ+6BlPYkzHUJTieIwBcuOm VwhJbqaS7arLKm5fNVLLviNjfs2suhId8vVgRoceN3objbuW3wCmdoYBPSg0ZKZnyoy+ uEvcQ5zvpnI8EQ+ywyQetMp6Kx5NC9s+O41oIm503tDCNB20fQXu5CvutGTcWP/7A8/N nGD1R68tJ7cTbvrYtstI5mKbYciZNKSjSCvE+3huk6rtDjySY4XxVx9draYkky5flpn2 fZqA==
X-Gm-Message-State: AO0yUKWrgBtFp2Ir8OeHh8IbjWqp3YSi9su/emfWMcNC5k0nRXxVqpO6 gysgzAxYUKt2J98pvPGzBFtNj+ai4m8Lwmm88Gd3VA==
X-Google-Smtp-Source: AK7set89IH8skR4gzZsaeT3di2gWbnn+u7tJFJEQf9d47LEfDVdxA7sW9MsA8hmWiR4Pmiz4wkkSS9bQbCN8dFvBLJQ=
X-Received: by 2002:a05:651c:3c6:b0:295:8ef2:874a with SMTP id f6-20020a05651c03c600b002958ef2874amr5097750ljp.0.1678250845054; Tue, 07 Mar 2023 20:47:25 -0800 (PST)
MIME-Version: 1.0
References: <CALNQ_jKjTQt+6YaJBXTPJNv-LkvpPxdeJ7w_1jBinBfa6H5M7Q@mail.gmail.com> <CAEFJvapugLJ_b0wNjQrC=1i+WnhZdAjdyECVE4hUuMBBRrWYbw@mail.gmail.com> <CALNQ_jJL17KMTJeam2z72wTyFkA8JaMGtgjftyqgNH3jqgRf-Q@mail.gmail.com> <CAGBSGjosL7pK8_EKYUDg4FbQRdi9m2NiA6meAhDHRsWtODFK0g@mail.gmail.com> <CALNQ_j+sc8gWEk-Z+v2dFoVY5MuzvaYL7b7Mz0Y93tioDZGepA@mail.gmail.com> <CADom2f1Z22cHrkdsh2o9yRDY-6_qMhDT-YL7Mh40yVocbsJffg@mail.gmail.com> <CALNQ_jKYmETH=1hZU_A__-KdyiT3-6e3f+2fvtBEiVsTRx2MYw@mail.gmail.com> <29858dbc-1436-a4e2-8f79-79d4b257d8f4@hackmanit.de> <CALNQ_j+Cxk1-wh6pRzLpO1V6kZh66k0V47Na0AaSFcEV-Oa+8w@mail.gmail.com> <240b81c2-23dd-865e-1fd5-c02e1a51b137@gmx.net> <CALNQ_j+sO_si6_DCgGWpRU3NTeZa49QvfEDT6QMHZqd288VG3A@mail.gmail.com> <5d8d0833-c086-4934-446d-c316576552ba@hackmanit.de>
In-Reply-To: <5d8d0833-c086-4934-446d-c316576552ba@hackmanit.de>
From: Jaimandeep Singh <jaimandeep.phdcs21@nfsu.ac.in>
Date: Wed, 08 Mar 2023 10:17:12 +0530
Message-ID: <CAODMz5GwPaXtG6ZuK0PLtQhJZPxgc=McrD7YSps=W3zn1LUhCw@mail.gmail.com>
To: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>
Cc: Yannick Majoros <yannick@valuya.be>, OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000076c52605f65c391c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/w5iuRFxT258aXFpOekJh6ppqD_Y>
Subject: Re: [OAUTH-WG] redirect uri and portals
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Mar 2023 04:47:32 -0000

Dear Yannick,

1. I agree with Neil and Hans. It's one hardened endpoint vs any other
endpoint which may have inadvertent security issues. It substantially
increases the attack surface.

2. Karsten has given a detailed explanation on the use of "state"
parameters. However in my opinion this design pattern is very annoying for
the end user. It results in delayed performance due to multiple redirects
or 'the dance of redirects'. In some implementations, the hardened endpoint
even displays content, which further adds to the unpleasant user
experience. Also, the "state" parameter may result in unintended
information disclosure and the encryption and signature validation does
have its own performance overheads resulting in increased wait time
especially when the end user is waiting at the screen for the process to
end. So, as per my understanding, there are two issues here:

(a) The url automatically changes, which makes the user scary as he does
not know what is happening and does not seem to be incontrol of his actions.
(b) The degraded performance due to reading and verification of "state"
parameters.

3. I agree with Yannick that there is a definite need to look at other
options in a standardized way which can substitute for "state" parameter
design pattern. Especially in view of PCKE which was designed specifically
to mitigate the misuse of leaked authz code. Yannick you may like to bring
it up in the upcoming meeting and can request a time slot from Rifaat.

Regards
Jaimandeep Singh

On Tue, 7 Mar, 2023, 8:30 pm Karsten Meyer zu Selhausen, <
karsten.meyerzuselhausen@hackmanit.de> wrote:

> The benefit of not storing the state of all users on the server-side is
> still present. The client only needs to store and use *one *key-pair for
> all JWTs.
> On 07.03.2023 15:57, Yannick Majoros wrote:
>
> I'm still missing the point:
> - any key used to sign or encrypt the state... is state itself
> - if we can store that key (or anything, like an url to go back to after
> login), why bother passing the state around?
>
>
> Le mar. 7 mars 2023 à 15:07, Hannes Tschofenig <hannes.tschofenig@gmx.net>
> a écrit :
>
>> Hi Yannick,
>>
>>
>> Am 07.03.2023 um 14:25 schrieb Yannick Majoros:
>>
>> One possible solution: Store the redirect information in a signed JWT and
>> place the JWT in the state parameter. I don't think this is written
>> somewhere in the security BCP but I think this is a solutions used in the
>> wild by multiple clients.
>>
>>
>> Section 4.7.1 of the security BCP lists this solution as one possible
>> countermeasure:
>>
>>    -
>>
>>    If state is used for carrying application state, and integrity of its
>>    contents is a concern, clients MUST protect state against tampering
>>    and swapping. This can be achieved by binding the contents of state to the
>>    browser session and/or signed/encrypted state values as discussed in the
>>    now-expired draft [I-D.bradley-oauth-jwt-encoded-state
>>    <https://www.ietf.org/archive/id/draft-bradley-oauth-jwt-encoded-state-09.txt>
>>    ].¶
>>    <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.7.1-3.2.1>
>>
>>
>> The referenced draft has, however, expired:
>> https://www.ietf.org/archive/id/draft-bradley-oauth-jwt-encoded-state-09.txt
>>
>>
>> Ciao
>>
>> Hannes
>>
>>
>>
>>
>>
>
> --
> Yannick Majoros
> Valuya sprl
>
> --
> Karsten Meyer zu Selhausen
> Senior IT Security Consultant
> Phone:	+49 (0)234 / 54456499
> Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>
> Save the date: 11.-12.5.2023. Join us in celebrating the 5th anniversary of RuhrSec - the IT security conference in Bochum: https://www.ruhrsec.de/2023
>
> Hackmanit GmbH
> Universitätsstraße 60 (Exzenterhaus)
> 44789 Bochum
>
> Registergericht: Amtsgericht Bochum, HRB 14896
> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email