Re: [OAUTH-WG] User-agent flow and pre-registered redirect_uri
Chuck Mortimore <cmortimore@salesforce.com> Tue, 08 June 2010 00:31 UTC
Return-Path: <cmortimore@salesforce.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 600AE3A68B1 for <oauth@core3.amsl.com>; Mon, 7 Jun 2010 17:31:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.109
X-Spam-Level:
X-Spam-Status: No, score=-5.109 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JCD6S9r5Ddlk for <oauth@core3.amsl.com>; Mon, 7 Jun 2010 17:31:17 -0700 (PDT)
Received: from exprod8og105.obsmtp.com (exprod8og105.obsmtp.com [64.18.3.90]) by core3.amsl.com (Postfix) with SMTP id A0D9E3A68C0 for <oauth@ietf.org>; Mon, 7 Jun 2010 17:31:14 -0700 (PDT)
Received: from source ([204.14.239.239]) by exprod8ob105.postini.com ([64.18.7.12]) with SMTP ID DSNKTA2PU8h8TJ1e/X8ssIrkSz8B8qIRWhD0@postini.com; Mon, 07 Jun 2010 17:31:16 PDT
Received: from EXSFM-MB01.internal.salesforce.com ([10.1.127.45]) by exsfm-hub4.internal.salesforce.com ([10.1.127.8]) with mapi; Mon, 7 Jun 2010 17:31:14 -0700
From: Chuck Mortimore <cmortimore@salesforce.com>
To: Marius Scurtescu <mscurtescu@google.com>, Andrew Arnott <andrewarnott@gmail.com>
Date: Mon, 07 Jun 2010 17:31:13 -0700
Thread-Topic: [OAUTH-WG] User-agent flow and pre-registered redirect_uri
Thread-Index: AcsGmoLaMIpNOjF4RSuRfgsmyJt5/gAB2M/q
Message-ID: <C832DD61.6AD3%cmortimore@salesforce.com>
In-Reply-To: <AANLkTil-xDEwMVbV-J7MC1ivoH9w-egOwo5Q2ata94Cc@mail.gmail.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_C832DD616AD3cmortimoresalesforcecom_"
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] User-agent flow and pre-registered redirect_uri
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jun 2010 00:31:28 -0000
Note sure I follow this Marius: "What can happen is that exmple.com/back can pretend to be example.com/back, but registration does not help in this case." I believe it does help in this case, as the Authorization server can validate the registered redirect_uri vs. the requested redirect_uri. Hence the server would not issue a token to exmple.com in this case. Am I missing something? -cmort On 6/7/10 4:36 PM, "Marius Scurtescu" <mscurtescu@google.com> wrote: On Fri, Jun 4, 2010 at 9:49 PM, Andrew Arnott <andrewarnott@gmail.com> wrote: > The user agent flow indicates that the redirect_uri SHOULD be preregistered > with the auth server for a given client. I would like to suggest that the > SHOULD here be changed to MUST. Unless I'm missing something, without a > preregistered redirect_uri any arbitrary client can obtain an access token > under the pretense of being another client, and thereby perhaps altogether > skip a user authorization prompt. > > As there will likely be a few popular client_id's in use, it will actually > make it trivially easy to obtain elevated access to private user data as a > rogue application. This danger is unique to the user-agent flow because in > this flow the client_secret is not required to obtain the access token, > whereas it is for other flows. > > Thoughts? Not sure registration buys you too much. An arbitrary client cannot pretend being another client, client in this case is the redirect_uri. It is up to the end user to trust this redirect_uri. For example, bad.example.com/back cannot pretend it is good.example.com/back because the redirect with the access token will go to good.example.com/back and not to bad.example.com/back. What can happen is that exmple.com/back can pretend to be example.com/back, but registration does not help in this case. The only case where registration really helps is if example.com allows people to create their own pages and as a result someone could create a JavaScript client at example.com/pages/bad. Since you can have several clients under the same domain, the user will be confused. In this case if example.com registers its own redirect_uri no one else under the same domain could potentially use one. But this is a particular case, and up to example.com to enforce. Also, if example.com wants to allow clients installed at different paths, then again, registration does not help. Marius > -- > Andrew Arnott > "I [may] not agree with what you have to say, but I'll defend to the death > your right to say it." - S. G. Tallentyre > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] User-agent flow and pre-registered… Dick Hardt
- [OAUTH-WG] User-agent flow and pre-registered red… Andrew Arnott
- Re: [OAUTH-WG] User-agent flow and pre-registered… Andrew Arnott
- Re: [OAUTH-WG] User-agent flow and pre-registered… Marius Scurtescu
- Re: [OAUTH-WG] User-agent flow and pre-registered… Chuck Mortimore
- Re: [OAUTH-WG] User-agent flow and pre-registered… Marius Scurtescu
- Re: [OAUTH-WG] User-agent flow and pre-registered… Chuck Mortimore
- Re: [OAUTH-WG] User-agent flow and pre-registered… Marius Scurtescu
- Re: [OAUTH-WG] User-agent flow and pre-registered… Andrew Arnott
- Re: [OAUTH-WG] User-agent flow and pre-registered… Marius Scurtescu
- Re: [OAUTH-WG] User-agent flow and pre-registered… Andrew Arnott
- Re: [OAUTH-WG] User-agent flow and pre-registered… Marius Scurtescu
- Re: [OAUTH-WG] User-agent flow and pre-registered… Thomas Hardjono
- Re: [OAUTH-WG] User-agent flow and pre-registered… Andrew Arnott
- Re: [OAUTH-WG] User-agent flow and pre-registered… George Fletcher
- Re: [OAUTH-WG] User-agent flow and pre-registered… Torsten Lodderstedt
- Re: [OAUTH-WG] User-agent flow and pre-registered… Justin Richer
- Re: [OAUTH-WG] User-agent flow and pre-registered… Christian Scholz
- Re: [OAUTH-WG] User-agent flow and pre-registered… George Fletcher
- Re: [OAUTH-WG] User-agent flow and pre-registered… Justin Richer
- Re: [OAUTH-WG] User-agent flow and pre-registered… Marius Scurtescu
- Re: [OAUTH-WG] User-agent flow and pre-registered… David Recordon
- Re: [OAUTH-WG] User-agent flow and pre-registered… Marius Scurtescu
- Re: [OAUTH-WG] User-agent flow and pre-registered… George Fletcher
- Re: [OAUTH-WG] User-agent flow and pre-registered… Marius Scurtescu
- Re: [OAUTH-WG] User-agent flow and pre-registered… George Fletcher
- Re: [OAUTH-WG] User-agent flow and pre-registered… Eran Hammer-Lahav
- Re: [OAUTH-WG] User-agent flow and pre-registered… Marius Scurtescu
- Re: [OAUTH-WG] User-agent flow and pre-registered… George Fletcher
- Re: [OAUTH-WG] User-agent flow and pre-registered… Marius Scurtescu
- Re: [OAUTH-WG] User-agent flow and pre-registered… George Fletcher