IETF Logo Mail Archive

Re: [OAUTH-WG] User-agent flow and pre-registered redirect_uri

Chuck Mortimore <cmortimore@salesforce.com> Tue, 08 June 2010 00:31 UTC

Return-Path: <cmortimore@salesforce.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 600AE3A68B1 for <oauth@core3.amsl.com>; Mon, 7 Jun 2010 17:31:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.109
X-Spam-Level:
X-Spam-Status: No, score=-5.109 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JCD6S9r5Ddlk for <oauth@core3.amsl.com>; Mon, 7 Jun 2010 17:31:17 -0700 (PDT)
Received: from exprod8og105.obsmtp.com (exprod8og105.obsmtp.com [64.18.3.90]) by core3.amsl.com (Postfix) with SMTP id A0D9E3A68C0 for <oauth@ietf.org>; Mon, 7 Jun 2010 17:31:14 -0700 (PDT)
Received: from source ([204.14.239.239]) by exprod8ob105.postini.com ([64.18.7.12]) with SMTP ID DSNKTA2PU8h8TJ1e/X8ssIrkSz8B8qIRWhD0@postini.com; Mon, 07 Jun 2010 17:31:16 PDT
Received: from EXSFM-MB01.internal.salesforce.com ([10.1.127.45]) by exsfm-hub4.internal.salesforce.com ([10.1.127.8]) with mapi; Mon, 7 Jun 2010 17:31:14 -0700
From: Chuck Mortimore <cmortimore@salesforce.com>
To: Marius Scurtescu <mscurtescu@google.com>, Andrew Arnott <andrewarnott@gmail.com>
Date: Mon, 07 Jun 2010 17:31:13 -0700
Thread-Topic: [OAUTH-WG] User-agent flow and pre-registered redirect_uri
Thread-Index: AcsGmoLaMIpNOjF4RSuRfgsmyJt5/gAB2M/q
Message-ID: <C832DD61.6AD3%cmortimore@salesforce.com>
In-Reply-To: <AANLkTil-xDEwMVbV-J7MC1ivoH9w-egOwo5Q2ata94Cc@mail.gmail.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_C832DD616AD3cmortimoresalesforcecom_"
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] User-agent flow and pre-registered redirect_uri
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jun 2010 00:31:28 -0000

Note sure I follow this Marius:

"What can happen is that exmple.com/back can pretend to be
example.com/back, but registration does not help in this case."

I believe it does help in this case, as the Authorization server can validate the registered redirect_uri vs. the requested redirect_uri.   Hence the server would not issue a token to exmple.com in this case.   Am I missing something?

-cmort


On 6/7/10 4:36 PM, "Marius Scurtescu" <mscurtescu@google.com> wrote:

On Fri, Jun 4, 2010 at 9:49 PM, Andrew Arnott <andrewarnott@gmail.com> wrote:
> The user agent flow indicates that the redirect_uri SHOULD be preregistered
> with the auth server for a given client.  I would like to suggest that the
> SHOULD here be changed to MUST.  Unless I'm missing something, without a
> preregistered redirect_uri any arbitrary client can obtain an access token
> under the pretense of being another client, and thereby perhaps altogether
> skip a user authorization prompt.
>
> As there will likely be a few popular client_id's in use, it will actually
> make it trivially easy to obtain elevated access to private user data as a
> rogue application.  This danger is unique to the user-agent flow because in
> this flow the client_secret is not required to obtain the access token,
> whereas it is for other flows.
>
> Thoughts?

Not sure registration buys you too much.

An arbitrary client cannot pretend being another client, client in
this case is the redirect_uri. It is up to the end user to trust this
redirect_uri.

For example, bad.example.com/back cannot pretend it is
good.example.com/back because the redirect with the access token will
go to good.example.com/back and not to bad.example.com/back.

What can happen is that exmple.com/back can pretend to be
example.com/back, but registration does not help in this case.

The only case where registration really helps is if example.com allows
people to create their own pages and as a result someone could create
a JavaScript client at example.com/pages/bad. Since you can have
several clients under the same domain, the user will be confused. In
this case if example.com registers its own redirect_uri no one else
under the same domain could potentially use one. But this is a
particular case, and up to example.com to enforce. Also, if
example.com wants to allow clients installed at different paths, then
again, registration does not help.

Marius


> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email