[OAUTH-WG] Re: MCP DCR redirect urls as open redirectors
Warren Parad <wparad@rhosys.ch> Sun, 07 December 2025 14:03 UTC
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 1614896DB5D6 for <oauth@mail2.ietf.org>; Sun, 7 Dec 2025 06:03:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JlPk15G4RNt5 for <oauth@mail2.ietf.org>; Sun, 7 Dec 2025 06:03:05 -0800 (PST)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 8AED396DB259 for <oauth@ietf.org>; Sun, 7 Dec 2025 06:01:06 -0800 (PST)
Received: by mail-ed1-x52f.google.com with SMTP id 4fb4d7f45d1cf-64312565c10so5922381a12.2 for <oauth@ietf.org>; Sun, 07 Dec 2025 06:01:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google2024; t=1765116065; x=1765720865; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=UAvJ/Zr0HuK+Ay8FD1ppjzAwe1zg/05Tp+iZ9+o1fWI=; b=m+tJ8UBts5KNyi9eW/fYda0gqTa/3M6aOWFera7IAyv8mx6rR5apRh0TbF55HDgvWh 83Q2c6po0P0kzDr4tDpYvRIJHgthhKyhj45MnwsUDjHv3sYAOuBohapti5Jl6vscWzmJ yeq503G4wcf91CBG8tYIOBceFsFYvz1wmz0NdD2vvvPIGDvXwUZ/s26PZ0FNt+2uemFW WqG3fJBvVE9JDMcmb3Cvzczpd3RFqee284G7t0o/Id/RI+apS7cnhdY2Uzj5eEWboVIB RwfZce1fzQte1SpUkThba7/RikFiW9J/MMVsod33dk2trzoH//Qrsoi5X8qsiCa9Y/MM YeJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1765116065; x=1765720865; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=UAvJ/Zr0HuK+Ay8FD1ppjzAwe1zg/05Tp+iZ9+o1fWI=; b=OLSloYbPBZf+KOUWwuIA2AQj1ALKmDWdEcwAp1bQ9qaP46itYBZXHT72LLSKqazRkj 7BOeYga7Gv8q+dFeNnJJd2x+A0iQZIK6Lqj6twE2msaoPTdRnKEC6JQsOdE+PG9gc2Kq pzROSVzTz8sJ9Lj3rQ9tCqFegrCbznviwlWIFeDeWL8h1fEAeWSlvFrnXrR1IvBLDx7i QEk7ZHPEdp+NdCFBj2LBJ6np9pEJraAE0GdopPpOpq294sGMNLgiNVJ0c+g/URMuU0rV 8VJqPs2oNbP7YuCovBW6g5ZZJ1xRJ8ZCX6T4qcJb2l2zspk02Pa7flWweDFoKcmKm20E lZ3A==
X-Gm-Message-State: AOJu0YxJuZ1crXwfY6a7Do1IIcdbkgKfpz3tlo4s+PJ6FUDboCCsfids bk6vw5BJ0D5euNmuwHD3M0ByGHSYaPvGhCa+nU7caN1/KPe+2ZANlEDhHtxvAAeQtlFnum1lPp7 h5OY2IFowJhowxkhq8+HjCKoDm3M9cte2MieIVduf
X-Gm-Gg: ASbGnct8d5+qJIBAunF76+Bd/zvHWQzDviiR1UWuEzRSO/Ag24l1BeoYHOH4bi6kDId Q9DgXQLOJPolmivFxW+duwpj9GyrU0amjXg4ILXpGzQaucRGcxilXze7P4xXlYFYKVJ2wnq9iAY EHqm1rzW34MRrlEjnBN9TX3lE5X4AaoOmN12GHxPBX+u3WUGsd0mTb7FOvawossBwJRv+q1QSEq vytsgMg+8K+7d8dCwGF0xeA9Ff8OoMpQyEVynkumWSuNKaYSdz1K535WP1UBeFdUOwn+0g2kP+1 5/oPyev7efooxtHB0wNDEy2Ed/0zmintqMD2EOUaEKDQ/BadZF3JmIMXr9BMl8b4ICltKJrcEaE H58zpwAEkFMM85Q==
X-Google-Smtp-Source: AGHT+IFltv2hM3qVJv0LsSFxR67/QHmuaZhFL916DpXG00AYmK97W//f9TSyK0Cc4tysX+snthmaRZsY4QrkJcMkWHs=
X-Received: by 2002:a05:6402:51cb:b0:640:f481:988 with SMTP id 4fb4d7f45d1cf-6491a43295amr4071550a12.19.1765116065422; Sun, 07 Dec 2025 06:01:05 -0800 (PST)
MIME-Version: 1.0
References: <CAJot-L2+LueT=T1NdHD6We32TejYWqcYqB3BJjt9fdR6+RHRxg@mail.gmail.com> <CAGBSGjp3-_77cpLumTyq+jiLApe+pch1CcZDG0=-9LHu4g0fUw@mail.gmail.com>
In-Reply-To: <CAGBSGjp3-_77cpLumTyq+jiLApe+pch1CcZDG0=-9LHu4g0fUw@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Sun, 07 Dec 2025 15:00:55 +0100
X-Gm-Features: AQt7F2otgwZjTfpbfGSfZQtbY05r6P8XyStjzMZJeRiNCVTav0R-1t6Cr1WpLw8
Message-ID: <CAJot-L3rRcDa6qWR-VMTTkGm7LR+64FdhZwjOq6y-WNSFu_RQA@mail.gmail.com>
To: Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000112c9f06455d1c04"
Message-ID-Hash: YEEXNNBHGWRPRV6IPSEL626PFORN4G7Y
X-Message-ID-Hash: YEEXNNBHGWRPRV6IPSEL626PFORN4G7Y
X-MailFrom: wparad@rhosys.ch
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: MCP DCR redirect urls as open redirectors
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zDCwUCE4_dzv73lG2_NXzEXYLME>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
I think the problem is well detailed there, but the problem for me is that MCP is masquerading around in way that explicitly makes this a problem. I do also agree that redirecting after user interaction heavily lowers the impact, as well as not redirecting the user in einem other cases. I will say that historically, only the invalid redirect url was likely cause for not redirecting. But one might say any configuration mismatch for DCRs should treated incredibly carefully. I doubt many providers are thinking about this. Put differently, is there a way we could help MCP oauth2 implementations from falling into this pit of failure besides just letting them about it? Is there a spec related change we could make? I'm not sure... On Sun, Dec 7, 2025, 14:54 Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org> wrote: > This is handled pretty well already in RFC9700: > > https://datatracker.ietf.org/doc/html/rfc9700#section-4.11.2 > > However, an attacker could also utilize a correctly registered redirection > URI to perform phishing attacks. The attacker could, for example, register > a client via dynamic client registration [RFC7591 > <https://datatracker.ietf.org/doc/html/rfc7591>]and execute one of the > following attacks: > > 1. Intentionally send an erroneous authorization request, e.g., by > using an invalid scope value, thus instructing the authorization server to > redirect the user agent to its phishing site. > 2. Intentionally send a valid authorization request with client_idand > redirect_uri controlled by the attacker. After the user authenticates, > the authorization server prompts the user to provide consent to the > request. If the user notices an issue with the request and declines the > request, the authorization server still redirects the user agent to the > phishing site. In this case, the user agent will be redirected to the > phishing site regardless of the action taken by the user. > 3. Intentionally send a valid silent authentication request ( > prompt=none) with client_id and redirect_uri controlled by the > attacker. In this case, the authorization server will automatically > redirect the user agent to the phishing site. > > The authorization server MUST take precautions to prevent these threats. > The authorization server MUST always authenticate the user first and, > with the exception of the silent authentication use case, prompt the user > for credentials when needed, before redirecting the user. Based on its risk > assessment, the authorization server needs to decide whether or not it can > trust the redirection URI. It could take into account URI analytics done > internally or through some external service to evaluate the credibility and > trustworthiness of content behind the URI, and the source of the > redirection URI and other client data. > > The authorization server SHOULD only automatically redirect the user > agent if it trusts the redirection URI. If the URI is not trusted, the > authorization server MAY inform the user and rely on the user to make the > correct decision. > > > There's a big difference between "open redirection" and redirecting to a > URL after some user interaction. So don't automatically redirect to a > redirect URI that has been registered via unauthenticated DCR (or CIMD from > an untrusted domain) with no clicks. That means if the AS typically would > have redirected to the client with an error like "invalid scope", that > should not happen here, as described in the section linked above. > > This is yet another example of how CIMD can help here without further > complicating the client implementation. It's up to the AS to decide how > trustworthy a domain is. So if the AS knows that "client.example.com" is > a "good" client, then it can treat the redirect URIs in the CIMD as valid > registered redirect URIs and redirect automatically on error conditions. > Importantly, it's able to do this without adding additional client code > like "software statements". > > Aaron > > > > > On Sun, Dec 7, 2025 at 4:26 AM Warren Parad <wparad= > 40rhosys.ch@dmarc.ietf.org> wrote: > >> I'm currently working through a security review of MCP servers auth >> implementations, and I'm stuck on something that I want a second opinion on. >> >> One challenge with OAuth implementations is potential abuse by becoming >> an open redirector. However, with the validation of redirect URLs and >> pre-registered clients, AS can know to block requests where redirects don't >> match. This has the secondary benefit of blocking attackers from turning an >> AS into an open redirector. >> >> With DCR, clients can register their own redirect urls, which means the >> protection by AS vetting of redirect urls to clients no longer prevents >> redirects to malicious urls. >> >> MCP server clients, (read: LLMs) which requires dynamic client >> registration, and requires it without authorization (an initial access >> token) to an AS, allows anyone to register malicious redirect urls. These >> urls can be used to bypass the normal restrictions on AS being abused as an >> open redirector. >> >> As long as MCP clients don't provide some sort of OIDC or pre-approval >> for requests to DCR, do we in fact have a "serious" problem here? I say >> "serious" because there is no security issue, but the conclusion I'm coming >> to is that any MCP Server that exists necessarily requires an open >> redirector unless they pre-validate a list of approved MCP Clients. >> >> I know there is the effort to create CIMD - OAuth Client ID Metadata >> Documents, but I don't see that helps prevent this abuse. >> >> --- >> >> While, since this isn't a security issue unless someone goes out of their >> way to enable all potential untrusted LLMs to register clients, and even >> then there are no security concerns, this abuse is not something that I >> think should be left unchecked. >> >> I would appreciate at least a double check on my thinking here. >> >> Thanks, >> Warren >> _______________________________________________ >> OAuth mailing list -- oauth@ietf.org >> To unsubscribe send an email to oauth-leave@ietf.org >> >
- [OAUTH-WG] MCP DCR redirect urls as open redirect… Warren Parad
- [OAUTH-WG] Re: MCP DCR redirect urls as open redi… Aaron Parecki
- [OAUTH-WG] Re: MCP DCR redirect urls as open redi… Warren Parad
- [OAUTH-WG] Re: MCP DCR redirect urls as open redi… Aaron Parecki
- [OAUTH-WG] Re: MCP DCR redirect urls as open redi… Warren Parad