Re: [OAUTH-WG] redirect uri and portals

Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 07 March 2023 14:07 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wv2bCMO94srKuOkWBSoxIZX8WlY>

Hi Yannick,


On 07.03.2023 at 14:25, Yannick Majoros wrote:
> One possible solution: Store the redirect information in a signed JWT
> and place the JWT in the state parameter. I don't think this is
> written somewhere in the security BCP but I think this is a solution
> used in the wild by multiple clients.

Section 4.7.1 of the security BCP lists this solution as one possible
countermeasure:

    If state is used for carrying application state, and integrity of
    its contents is a concern, clients MUST protect state against
    tampering and swapping. This can be achieved by binding the contents
    of state to the browser session and/or signed/encrypted state values
    as discussed in the now-expired draft [I-D.bradley-oauth-jwt-encoded-state
    <https://www.ietf.org/archive/id/draft-bradley-oauth-jwt-encoded-state-09.txt>].
    <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.7.1-3.2.1>


The referenced draft has, however, expired:
https://www.ietf.org/archive/id/draft-bradley-oauth-jwt-encoded-state-09.txt


Ciao

Hannes
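As an added illustration of the countermeasure quoted above (not code from the thread, the BCP or the expired draft): the client mints a signed compact JWT for the state parameter that carries the redirect target and is bound to the browser session, so that on the callback a tampered state (signature mismatch) and a swapped state (minted in another session) are both rejected. The HMAC key, the claim names (return_to, sid, rfp) and the session-id hashing are this example's own choices, not names taken from the draft; only the Python standard library is used.

```python
import base64, hashlib, hmac, json, os, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(key: bytes, signing_input: bytes) -> str:
    return _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())

def _session_binding(session_id: str) -> str:
    # Hash rather than embed the raw session id, since state travels through URLs and logs.
    return hashlib.sha256(session_id.encode()).hexdigest()

def make_state(key, return_to, session_id, ttl=300, now=None):
    """Client mints a compact HS256 JWT carrying the post-login target, bound to the session."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "rfp": _b64url(os.urandom(16)),       # per-request nonce (CSRF protection)
        "return_to": return_to,               # application state: where to send the user afterwards
        "sid": _session_binding(session_id),  # binds this state to the current browser session
        "iat": now,
        "exp": now + ttl,
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _sign(key, signing_input.encode())

def verify_state(key, state, session_id, now=None):
    """Return the claims if signature, algorithm, expiry and session binding all hold, else None."""
    parts = state.split(".")
    if len(parts) != 3:
        return None
    h64, c64, sig = parts
    # Check the MAC before parsing anything: a forged or tampered token is rejected here.
    if not hmac.compare_digest(_sign(key, (h64 + "." + c64).encode()), sig):
        return None
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        return None
    claims = json.loads(_b64url_decode(c64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) < now:
        return None
    # Swapping: a validly signed state minted in another browser session fails this binding.
    if not hmac.compare_digest(claims.get("sid", ""), _session_binding(session_id)):
        return None
    return claims
```

The key is a secret held only by the client, since the same party creates and later verifies the state; the BCP's alternative of keeping the redirect target server-side and putting only a random session-bound handle in state avoids the signing step entirely.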