IETF Logo Mail Archive

Re: [OAUTH-WG] open redirect in rfc6749

Sergey Beryozkin <sberyozkin@gmail.com> Tue, 16 September 2014 08:45 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 095821A000A for <oauth@ietfa.amsl.com>; Tue, 16 Sep 2014 01:45:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.455
X-Spam-Level:
X-Spam-Status: No, score=0.455 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FRT_ADOBE2=2.455, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O16ww8Y0JgPk for <oauth@ietfa.amsl.com>; Tue, 16 Sep 2014 01:44:58 -0700 (PDT)
Received: from mail-wg0-x232.google.com (mail-wg0-x232.google.com [IPv6:2a00:1450:400c:c00::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9A061A00FB for <oauth@ietf.org>; Tue, 16 Sep 2014 01:44:57 -0700 (PDT)
Received: by mail-wg0-f50.google.com with SMTP id x13so5043931wgg.21 for <oauth@ietf.org>; Tue, 16 Sep 2014 01:44:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=VrfGwfezGuVok4vcohMndfII9ihM0h3F/FQW12LG1jc=; b=hmmsVptKzM9KTx/lcRMBl0u3VH0sBJbjnMFuGVb81FQTZHni/PUdLIOo/eTslTis8f 6Wrdi+OUnBTbqLqiKwVi7LhE3fykujdoxTBtB9JHk3eltmyv7BMQuAxAM7qlMW1jmvNR ISiGfwiLqtsRtInzMSUGpwSu1cTm13TGBIJC4x/sUhMfIjSqumut7O4vRcIt6HpVcVry KTDu1mcFpb0o9Y5M/gi4CETQ6GxqIhNj/Ndwyq8HcAXVwYkEJBL2UgypTBwgJEK8aas4 1WcwBGoEPltJTt60DkSZKMwJksvlnMDoAtr9WzOEKJidI+aXQOGjc+rnfKMxhLOBQVyw qZSw==
X-Received: by 10.194.78.4 with SMTP id x4mr40905314wjw.44.1410857096484; Tue, 16 Sep 2014 01:44:56 -0700 (PDT)
Received: from [10.36.226.2] ([80.169.137.63]) by mx.google.com with ESMTPSA id ub19sm1077191wib.9.2014.09.16.01.44.55 for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 16 Sep 2014 01:44:55 -0700 (PDT)
Message-ID: <5417F886.4030801@gmail.com>
Date: Tue, 16 Sep 2014 09:44:54 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: Hans Zandbelt <hzandbelt@pingidentity.com>
References: <5nofjvf5jjbcqjdv9bmdgdg0.1410846275737@email.android.com> <5417EC3D.8060601@pingidentity.com> <5417F820.8000804@gmail.com>
In-Reply-To: <5417F820.8000804@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/zt0GlcWcI0U1hAdDNoMCEtUcFC0
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] open redirect in rfc6749
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Sep 2014 08:45:02 -0000

Hi

I wonder, when we have a situation where any client, the malicious
clients, or good clients, all of them can easily register and provide
bad redirect URIs, intentionally or unintentionally, then does it imply
there's serious a weakness present somewhere else, in the
registration process for example ? Should the client registrations be
validated ?

Sergey
>
> On 16/09/14 08:52, Hans Zandbelt wrote:
>> +1, Antonio and John convinced me that this is not limited to a
>> registration curation problem although that is where the problems starts
>> as Phil points out (and as much as I'd like it to stay there).
>>
>> There are and will be consumer OPs (like Google) that have no means to
>> do whitelisting yet have perfectly valid OAuth 2.0 use cases. A security
>> consideration for OPs that have no policy in place to allow only trusted
>> clients to register would be a good thing.
>>
>> The advice for those OPs would be to not send errors back to untrusted
>> clients or do it only after explicit user interaction.
>>
>> Hans.
>>
>> On 9/16/14, 7:44 AM, Torsten Lodderstedt wrote:
>>> I think a security considerations addendum makes sense.
>>>
>>> regards,
>>> Torsten.
>>>
>>>
>>> -------- Ursprüngliche Nachricht --------
>>> Von: "Richer, Justin P."
>>> Datum:15.09.2014 23:15 (GMT+01:00)
>>> An: Antonio Sanso
>>> Cc: oauth@ietf.org
>>> Betreff: Re: [OAUTH-WG] open redirect in rfc6749
>>>
>>> As we discussed before: This isn't really an open redirection in the
>>> classical sense since nothing gets leaked and the URI is tied back to a
>>> known (albeit malicious) client registration. And I thought the clear
>>> solution was to have an AS not automatically redirect to an untrusted
>>> client in error conditions, where "untrusted" is defined by the AS with
>>> guidance. If anything this is a security considerations addendum.
>>>
>>> -- Justin
>>>
>>> On Sep 15, 2014, at 4:52 PM, Antonio Sanso <asanso@adobe.com> wrote:
>>>
>>>  > The problem is that a malicious client can register a malicious
>>> redirect uri and https://tools.ietf.org/html/rfc6749#section-4.1.2.1
>>> does the rest (as previously discussed)
>>>  >
>>>  > regards
>>>  >
>>>  > antonio
>>>  >
>>>  > On Sep 15, 2014, at 10:43 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>  >
>>>  >> If a server accepts a URL from a client to be used as a redirect
>>> that the server doesn’t recognize or is not registered, that is an open
>>> redirect.
>>>  >>
>>>  >> The specification does no allow open-redirects, it considers this a
>>> mis-configuration.
>>>  >>
>>>  >> Take a look at sections 3.1.2.2 and 10.15 of RFC6749.
>>>  >>
>>>  >> Phil
>>>  >>
>>>  >> @independentid
>>>  >> www.independentid.com
>>>  >> phil.hunt@oracle.com
>>>  >>
>>>  >>
>>>  >>
>>>  >> On Sep 15, 2014, at 1:00 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>>  >>
>>>  >>> There may be a problem with semantics in this discussion.
>>>  >>>
>>>  >>> There is a redirect performed by athe authorization endpoint to a
>>> fixed uri that is pre registered with the authorization server without
>>> user prompting.
>>>  >>>
>>>  >>> That probably doesn't fit the strict definition of a open
>>> redirector.
>>>  >>>
>>>  >>> It may however create similar security issues in situations with
>>> relatively open registration of clients.
>>>  >>>
>>>  >>> The largest issues are that the browser might leak information
>>> across the redirect in the fragment or referrer.  That has been used in
>>> attacks against Facebook in the past.
>>>  >>>
>>>  >>> This is no where near the end of the world,  however we need to
>>> look at the security considerations and see if we can provide better
>>> advice to implementors.  In some cases returning a error to the browser
>>> may be best.
>>>  >>>
>>>  >>> I don't think we need to go so far as not returning any error to
>>> the client under any circumstance.
>>>  >>>
>>>  >>> John B.
>>>  >>>
>>>  >>> Sent from my iPhone
>>>  >>>
>>>  >>>> On Sep 15, 2014, at 4:41 PM, Phil Hunt <phil.hunt@oracle.com>
>>> wrote:
>>>  >>>>
>>>  >>>> Simply not true.
>>>  >>>>
>>>  >>>> Phil
>>>  >>>>
>>>  >>>> @independentid
>>>  >>>> www.independentid.com
>>>  >>>> phil.hunt@oracle.com
>>>  >>>>
>>>  >>>>
>>>  >>>>
>>>  >>>>> On Sep 15, 2014, at 12:10 PM, Antonio Sanso <asanso@adobe.com>
>>> wrote:
>>>  >>>>>
>>>  >>>>> hi *,
>>>  >>>>>
>>>  >>>>> my understanding is that there is a rough consensus that if an
>>> OAuth Provider follows rfc6749 verbatim will end up having an open
>>> redirector.
>>>  >>>>> My next question would be now, is there anything we can do to
>>> raise some awareness about this issue?
>>>  >>>>>
>>>  >>>>> regards
>>>  >>>>>
>>>  >>>>> antonio
>>>  >>>>>
>>>  >>>>>> On Sep 4, 2014, at 3:15 PM, Hans Zandbelt
>>> <hzandbelt@pingidentity.com> wrote:
>>>  >>>>>>
>>>  >>>>>> I am convinced about the issue in the use case Antonio provided
>>> but I hope not to close the door on returning errors to known and
>>> trusted clients. Not sure anymore if that's possible though because the
>>> distinction can't be "registered"...
>>>  >>>>>>
>>>  >>>>>> Hans.
>>>  >>>>>>
>>>  >>>>>>> On 9/4/14, 3:01 PM, Antonio Sanso wrote:
>>>  >>>>>>> hi Bill
>>>  >>>>>>>> On Sep 4, 2014, at 2:52 PM, Bill Burke <bburke@redhat.com>
>>> wrote:
>>>  >>>>>>>>
>>>  >>>>>>>> FWIW, Antonio convinced me and I'm going to change this in our
>>> IDM project.  Thanks Antonio.  What convinced me was that the user is
>>> probably expecting a login screen.  Since there is this expectation, it
>>> might make it a little easier for the attacker to convince the user that
>>> a spoofed login screen is real.  I know this issue can only happen with
>>> unrestricted registration, but, IMO, this proposed change doesn't really
>>> have much of an effect on usability and is even backward compatible with
>>> the current RFC.
>>>  >>>>>>>>
>>>  >>>>>>>> Wouldn't it better though to never do a redirect on an invalid
>>> request and just display an error page?
>>>  >>>>>>>
>>>  >>>>>>> thanks for sharing your thoughts :). Display an error 400 is
>>> what Google does :)
>>>  >>>>>>>
>>>  >>>>>>> regards
>>>  >>>>>>>
>>>  >>>>>>> antonio
>>>  >>>>>>>
>>>  >>>>>>>>
>>>  >>>>>>>>> On 9/4/2014 3:50 AM, Antonio Sanso wrote:
>>>  >>>>>>>>> Hi Hans,
>>>  >>>>>>>>>
>>>  >>>>>>>>> I really fail to see how this can be addressed at
>>> registration time for cases where registration is unrestricted (namely
>>> all the big Providers)
>>>  >>>>>>>>>
>>>  >>>>>>>>> regards
>>>  >>>>>>>>>
>>>  >>>>>>>>> antonio
>>>  >>>>>>>>>
>>>  >>>>>>>>>> On Sep 4, 2014, at 9:47 AM, Hans Zandbelt
>>> <hzandbelt@pingidentity.com> wrote:
>>>  >>>>>>>>>>
>>>  >>>>>>>>>> Classifying like this must also mean that consent should not
>>> be stored until the client is considered (admin) trusted, and admin
>>> policy would interfere with user policy.
>>>  >>>>>>>>>>
>>>  >>>>>>>>>> IMHO the security consideration would apply only to
>>> dynamically registered clients where registration is unrestricted; any
>>> other form would involve some form of admin/user approval at
>>> registration time, overcoming the concern at authorization time: there's
>>> no auto-redirect flow possible for unknown clients.
>>>  >>>>>>>>>>
>>>  >>>>>>>>>> Hans.
>>>  >>>>>>>>>>
>>>  >>>>>>>>>>> On 9/4/14, 9:04 AM, Richer, Justin P. wrote:
>>>  >>>>>>>>>>> I think this advice isn't a bad idea, though it's of course
>>> up to the AS
>>>  >>>>>>>>>>> what an "untrusted" client really is. In practice, this is
>>> something
>>>  >>>>>>>>>>> that was registered by a non-sysadmin type person, either a
>>> dynamically
>>>  >>>>>>>>>>> registered client or something available through
>>> self-service
>>>  >>>>>>>>>>> registration of some type. It's also reasonable that a
>>> client, even
>>>  >>>>>>>>>>> dynamically registered, would be considered "trusted" if
>>> enough time has
>>>  >>>>>>>>>>> passed and enough users have used it without things
>>> blowing up.
>>>  >>>>>>>>>>>
>>>  >>>>>>>>>>> -- Justin
>>>  >>>>>>>>>>>
>>>  >>>>>>>>>>> On Sep 4, 2014, at 1:26 AM, Antonio Sanso <asanso@adobe.com
>>>  >>>>>>>>>>> <mailto:asanso@adobe.com>> wrote:
>>>  >>>>>>>>>>>
>>>  >>>>>>>>>>>> hi again *,
>>>  >>>>>>>>>>>>
>>>  >>>>>>>>>>>> after thinking a bit further IMHO an alternative for the
>>> untrusted
>>>  >>>>>>>>>>>> clients can also be to always present the consent screen
>>> (at least
>>>  >>>>>>>>>>>> once) before any redirect.
>>>  >>>>>>>>>>>> Namely all providers I have seen show the consent screen
>>> if all the
>>>  >>>>>>>>>>>> request parameters are correct and if the user accepts the
>>> redirect
>>>  >>>>>>>>>>>> happens.
>>>  >>>>>>>>>>>> If one of the parameter  (with the exclusion of the client
>>> id and
>>>  >>>>>>>>>>>> redirect uri that are handled differently as for spec) is
>>> wrong though
>>>  >>>>>>>>>>>> the redirect happens without the consent screen being
>>> shown..
>>>  >>>>>>>>>>>>
>>>  >>>>>>>>>>>> WDYT?
>>>  >>>>>>>>>>>>
>>>  >>>>>>>>>>>> regards
>>>  >>>>>>>>>>>>
>>>  >>>>>>>>>>>> antonio
>>>  >>>>>>>>>>>>
>>>  >>>>>>>>>>>> On Sep 3, 2014, at 7:54 PM, Antonio Sanso
>>> <asanso@adobe.com
>>>  >>>>>>>>>>>> <mailto:asanso@adobe.com>> wrote:
>>>  >>>>>>>>>>>>
>>>  >>>>>>>>>>>>> Well,
>>>  >>>>>>>>>>>>> I do not know if this is only dynamic registration...
>>>  >>>>>>>>>>>>> let’s talk about real use cases, namely e.g. Google ,
>>> Facebook ,
>>>  >>>>>>>>>>>>> etc.. is that dynamic client registration? I do not
>>> know… :)
>>>  >>>>>>>>>>>>>
>>>  >>>>>>>>>>>>> Said that what the other guys think?  :)
>>>  >>>>>>>>>>>>> Would this deserve some “spec adjustment” ? I mean there
>>> is a reason
>>>  >>>>>>>>>>>>> if Google is by choice “violating” the spec right? (I
>>> assume to avoid
>>>  >>>>>>>>>>>>> open redirect…)
>>>  >>>>>>>>>>>>> But other implementers do follow the spec hence they have
>>> this open
>>>  >>>>>>>>>>>>> redirector… and this is not nice IMHO...
>>>  >>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>
>>>  >>>>>>>>>>>>> On Sep 3, 2014, at 7:40 PM, Hans Zandbelt
>>> <hzandbelt@pingidentity.com
>>>  >>>>>>>>>>>>> <mailto:hzandbelt@pingidentity.com>> wrote:
>>>  >>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>> On 9/3/14, 7:14 PM, Antonio Sanso wrote:
>>>  >>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>> On Sep 3, 2014, at 7:10 PM, Hans Zandbelt
>>>  >>>>>>>>>>>>>>> <hzandbelt@pingidentity.com
>>> <mailto:hzandbelt@pingidentity.com>> wrote:
>>>  >>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>> Is your concern clients that were registered using
>>> dynamic client
>>>  >>>>>>>>>>>>>>>> registration?
>>>  >>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>> yes
>>>  >>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>> I think your issue is then with the trust model of
>>> dynamic client
>>>  >>>>>>>>>>>>>> registration; that is left out of scope of the dynreg
>>> spec (and the
>>>  >>>>>>>>>>>>>> concept is not even part of the core spec), but unless
>>> you want
>>>  >>>>>>>>>>>>>> everything to be open (which typically would not be the
>>> case), then
>>>  >>>>>>>>>>>>>> it would involve approval somewhere in the process
>>> before the client
>>>  >>>>>>>>>>>>>> is registered. Without dynamic client registration that
>>> approval is
>>>  >>>>>>>>>>>>>> admin based or resource owner based, depending on use
>>> case.
>>>  >>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>> Otherwise the positive case is returning a response to
>>> a valid URL
>>>  >>>>>>>>>>>>>>>> that belongs to a client that was registered
>>> explicitly by the
>>>  >>>>>>>>>>>>>>>> resource owner
>>>  >>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>> well AFAIK the resource owner doesn’t register clients…
>>>  >>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>> roles can collapse in use cases especially when using
>>> dynamic client
>>>  >>>>>>>>>>>>>> registration
>>>  >>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>> and the negative case is returning an error to that
>>> same URL.
>>>  >>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>> the difference is the consent screen… in the positive
>>> case you need
>>>  >>>>>>>>>>>>>>> to approve an app.. for the error case no approval is
>>> needed,,,
>>>  >>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>> I fail to see the open redirect.
>>>  >>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>> why?
>>>  >>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>> because the client and thus the fixed URL are explicitly
>>> approved at
>>>  >>>>>>>>>>>>>> some point
>>>  >>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>> Hans.
>>>  >>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>> Hans.
>>>  >>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>> On 9/3/14, 6:56 PM, Antonio Sanso wrote:
>>>  >>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>> On Sep 3, 2014, at 6:51 PM, Hans Zandbelt
>>>  >>>>>>>>>>>>>>>>> <hzandbelt@pingidentity.com
>>> <mailto:hzandbelt@pingidentity.com>
>>>  >>>>>>>>>>>>>>>>> <mailto:hzandbelt@pingidentity.com>> wrote:
>>>  >>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>> Let me try and approach this from a different angle:
>>> why would you
>>>  >>>>>>>>>>>>>>>>>> call it an open redirect when an invalid scope is
>>> provided and
>>>  >>>>>>>>>>>>>>>>>> call it
>>>  >>>>>>>>>>>>>>>>>> correct protocol behavior (hopefully) when a valid
>>> scope is
>>>  >>>>>>>>>>>>>>>>>> provided?
>>>  >>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>> as specified below in the positive case (namely when
>>> the correct
>>>  >>>>>>>>>>>>>>>>> scope
>>>  >>>>>>>>>>>>>>>>> is provided) the resource owner MUST approve the app
>>> via the consent
>>>  >>>>>>>>>>>>>>>>> screen (at least once).
>>>  >>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>> Hans.
>>>  >>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>> On 9/3/14, 6:46 PM, Antonio Sanso wrote:
>>>  >>>>>>>>>>>>>>>>>>> hi John,
>>>  >>>>>>>>>>>>>>>>>>> On Sep 3, 2014, at 6:14 PM, John Bradley
>>> <ve7jtb@ve7jtb.com
>>>  >>>>>>>>>>>>>>>>>>> <mailto:ve7jtb@ve7jtb.com>
>>>  >>>>>>>>>>>>>>>>>>> <mailto:ve7jtb@ve7jtb.com>
>>>  >>>>>>>>>>>>>>>>>>> <mailto:ve7jtb@ve7jtb.com>> wrote:
>>>  >>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>> In the example the redirect_uri is vlid for the
>>> attacker.
>>>  >>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>> The issue is that the AS may be allowing client
>>> registrations with
>>>  >>>>>>>>>>>>>>>>>>>> arbitrary redirect_uri.
>>>  >>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>> In the spec it is unspecified how a AS validates
>>> that a client
>>>  >>>>>>>>>>>>>>>>>>>> controls the redirect_uri it is registering.
>>>  >>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>> I think that if anything it may be the
>>> registration step that
>>>  >>>>>>>>>>>>>>>>>>>> needs
>>>  >>>>>>>>>>>>>>>>>>>> the security consideration.
>>>  >>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>> (this is the first time :p) but I do disagree with
>>> you. It would be
>>>  >>>>>>>>>>>>>>>>>>> pretty unpractical to block this at registration
>>> time….
>>>  >>>>>>>>>>>>>>>>>>> IMHO the best approach is the one taken from
>>> Google, namely
>>>  >>>>>>>>>>>>>>>>>>> returning
>>>  >>>>>>>>>>>>>>>>>>> 400 with the cause of the error..
>>>  >>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>> *400.* That’s an error.
>>>  >>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>> *Error: invalid_scope*
>>>  >>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>> Some requested scopes were invalid. {invalid=[l]}
>>>  >>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>> said that I hope you all agree this is an issue in
>>> the spec so
>>>  >>>>>>>>>>>>>>>>>>> far….
>>>  >>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>> regards
>>>  >>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>> antonio
>>>  >>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>> John B.
>>>  >>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>> On Sep 3, 2014, at 12:10 PM, Bill Burke
>>> <bburke@redhat.com
>>>  >>>>>>>>>>>>>>>>>>>> <mailto:bburke@redhat.com>
>>>  >>>>>>>>>>>>>>>>>>>> <mailto:bburke@redhat.com>
>>>  >>>>>>>>>>>>>>>>>>>> <mailto:bburke@redhat.com>> wrote:
>>>  >>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>> I don't understand.  The redirect uri has to be
>>> valid in
>>>  >>>>>>>>>>>>>>>>>>>>> order for a
>>>  >>>>>>>>>>>>>>>>>>>>> redirect to happen.  The spec explicitly states
>>> this.
>>>  >>>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>>> On 9/3/2014 11:43 AM, Antonio Sanso wrote:
>>>  >>>>>>>>>>>>>>>>>>>>>> hi *,
>>>  >>>>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>>> IMHO providers that strictly follow rfc6749 are
>>> vulnerable
>>>  >>>>>>>>>>>>>>>>>>>>>> to open
>>>  >>>>>>>>>>>>>>>>>>>>>> redirect.
>>>  >>>>>>>>>>>>>>>>>>>>>> Let me explain, reading [0]
>>>  >>>>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>>> If the request fails due to a missing, invalid,
>>> or mismatching
>>>  >>>>>>>>>>>>>>>>>>>>>> redirection URI, or if the client identifier is
>>> missing or
>>>  >>>>>>>>>>>>>>>>>>>>>> invalid,
>>>  >>>>>>>>>>>>>>>>>>>>>> the authorization server SHOULD inform the
>>> resource owner of the
>>>  >>>>>>>>>>>>>>>>>>>>>> error and MUST NOT automatically redirect the
>>> user-agent to the
>>>  >>>>>>>>>>>>>>>>>>>>>> invalid redirection URI.
>>>  >>>>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>>> If the resource owner denies the access request
>>> or if the
>>>  >>>>>>>>>>>>>>>>>>>>>> request
>>>  >>>>>>>>>>>>>>>>>>>>>> fails for reasons other than a missing or
>>> invalid
>>>  >>>>>>>>>>>>>>>>>>>>>> redirection URI,
>>>  >>>>>>>>>>>>>>>>>>>>>> the authorization server informs the client by
>>> adding the
>>>  >>>>>>>>>>>>>>>>>>>>>> following
>>>  >>>>>>>>>>>>>>>>>>>>>> parameters to the query component of the
>>> redirection URI
>>>  >>>>>>>>>>>>>>>>>>>>>> using the
>>>  >>>>>>>>>>>>>>>>>>>>>> "application/x-www-form-urlencoded" format,
>>> perAppendix B
>>>  >>>>>>>>>>>>>>>>>>>>>>
>>> <https://tools.ietf.org/html/rfc6749#appendix-B>:
>>>  >>>>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>>> Now let’s assume this.
>>>  >>>>>>>>>>>>>>>>>>>>>> I am registering a new client to thevictim.com
>>>  >>>>>>>>>>>>>>>>>>>>>> <http://thevictim.com/>
>>>  >>>>>>>>>>>>>>>>>>>>>> <http://victim.com/><http://victim.com
>>> <http://victim.com/>
>>>  >>>>>>>>>>>>>>>>>>>>>> <http://victim.com/>>
>>>  >>>>>>>>>>>>>>>>>>>>>> <http://victim.com <http://victim.com/>
>>> <http://victim.com/>>
>>>  >>>>>>>>>>>>>>>>>>>>>> provider.
>>>  >>>>>>>>>>>>>>>>>>>>>> I register redirect uriattacker.com
>>> <http://uriattacker.com/>
>>>  >>>>>>>>>>>>>>>>>>>>>> <http://attacker.com/><http://attacker.com
>>>  >>>>>>>>>>>>>>>>>>>>>> <http://attacker.com/> <http://attacker.com/>>
>>>  >>>>>>>>>>>>>>>>>>>>>> <http://attacker.com <http://attacker.com/>
>>>  >>>>>>>>>>>>>>>>>>>>>> <http://attacker.com/>>.
>>>  >>>>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>>> According to [0] if I pass e.g. the wrong scope
>>> I am redirected
>>>  >>>>>>>>>>>>>>>>>>>>>> back to
>>>  >>>>>>>>>>>>>>>>>>>>>> attacker.com <http://attacker.com/>
>>>  >>>>>>>>>>>>>>>>>>>>>> <http://attacker.com/><http://attacker.com
>>>  >>>>>>>>>>>>>>>>>>>>>> <http://attacker.com/>
>>>  >>>>>>>>>>>>>>>>>>>>>> <http://attacker.com/>> <http://attacker.com
>>>  >>>>>>>>>>>>>>>>>>>>>> <http://attacker.com/> <http://attacker.com/>>.
>>>  >>>>>>>>>>>>>>>>>>>>>> Namely I prepare a url that is in this form:
>>>  >>>>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>>>
>>> http://victim.com/authorize?response_type=code&client_id=bc88FitX1298KPj2WS259BBMa9_KCfL3&scope=WRONG_SCOPE&redirect_uri=http://attacker.com
>>>
>>>
>>>  >>>>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>>> and this is works as an open redirector.
>>>  >>>>>>>>>>>>>>>>>>>>>> Of course in the positive case if all the
>>> parameters are
>>>  >>>>>>>>>>>>>>>>>>>>>> fine this
>>>  >>>>>>>>>>>>>>>>>>>>>> doesn’t apply since the resource owner MUST
>>> approve the app
>>>  >>>>>>>>>>>>>>>>>>>>>> via the
>>>  >>>>>>>>>>>>>>>>>>>>>> consent screen (at least once).
>>>  >>>>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>>> A solution would be to return error 400 rather
>>> than redirect
>>>  >>>>>>>>>>>>>>>>>>>>>> to the
>>>  >>>>>>>>>>>>>>>>>>>>>> redirect URI (as some provider e.g. Google do)
>>>  >>>>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>>> WDYT?
>>>  >>>>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>>> regards
>>>  >>>>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>>> antonio
>>>  >>>>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>>> [0]
>>> https://tools.ietf.org/html/rfc6749#section-4.1.2.1
>>>  >>>>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>>> _______________________________________________
>>>  >>>>>>>>>>>>>>>>>>>>>> OAuth mailing list
>>>  >>>>>>>>>>>>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>  >>>>>>>>>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>  >>>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>> --
>>>  >>>>>>>>>>>>>>>>>>>>> Bill Burke
>>>  >>>>>>>>>>>>>>>>>>>>> JBoss, a division of Red Hat
>>>  >>>>>>>>>>>>>>>>>>>>> http://bill.burkecentral.com
>>> <http://bill.burkecentral.com/>
>>>  >>>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>>> _______________________________________________
>>>  >>>>>>>>>>>>>>>>>>>>> OAuth mailing list
>>>  >>>>>>>>>>>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> <mailto:OAuth@ietf.org>
>>>  >>>>>>>>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>  >>>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>> _______________________________________________
>>>  >>>>>>>>>>>>>>>>>>>> OAuth mailing list
>>>  >>>>>>>>>>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>  >>>>>>>>>>>>>>>>>>>> <mailto:OAuth@ietf.org><mailto:OAuth@ietf.org>
>>>  >>>>>>>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>  >>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>>> _______________________________________________
>>>  >>>>>>>>>>>>>>>>>>> OAuth mailing list
>>>  >>>>>>>>>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> <mailto:OAuth@ietf.org>
>>>  >>>>>>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>  >>>>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>>>> --
>>>  >>>>>>>>>>>>>>>>>> Hans Zandbelt              | Sr. Technical Architect
>>>  >>>>>>>>>>>>>>>>>> hzandbelt@pingidentity.com
>>> <mailto:hzandbelt@pingidentity.com>
>>>  >>>>>>>>>>>>>>>>>> <mailto:hzandbelt@pingidentity.com>| Ping
>>>  >>>>>>>>>>>>>>>>>> Identity
>>>  >>>>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>>>> --
>>>  >>>>>>>>>>>>>>>> Hans Zandbelt              | Sr. Technical Architect
>>>  >>>>>>>>>>>>>>>> hzandbelt@pingidentity.com
>>> <mailto:hzandbelt@pingidentity.com> |
>>>  >>>>>>>>>>>>>>>> Ping Identity
>>>  >>>>>>>>>>>>>>
>>>  >>>>>>>>>>>>>> --
>>>  >>>>>>>>>>>>>> Hans Zandbelt              | Sr. Technical Architect
>>>  >>>>>>>>>>>>>> hzandbelt@pingidentity.com
>>> <mailto:hzandbelt@pingidentity.com>| Ping
>>>  >>>>>>>>>>>>>> Identity
>>>  >>>>>>>>>>>>
>>>  >>>>>>>>>>>> _______________________________________________
>>>  >>>>>>>>>>>> OAuth mailing list
>>>  >>>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>  >>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>  >>>>>>>>>>
>>>  >>>>>>>>>> --
>>>  >>>>>>>>>> Hans Zandbelt              | Sr. Technical Architect
>>>  >>>>>>>>>> hzandbelt@pingidentity.com | Ping Identity
>>>  >>>>>>>>>
>>>  >>>>>>>>> _______________________________________________
>>>  >>>>>>>>> OAuth mailing list
>>>  >>>>>>>>> OAuth@ietf.org
>>>  >>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>  >>>>>>>>
>>>  >>>>>>>> --
>>>  >>>>>>>> Bill Burke
>>>  >>>>>>>> JBoss, a division of Red Hat
>>>  >>>>>>>> http://bill.burkecentral.com
>>>  >>>>>>>>
>>>  >>>>>>>> _______________________________________________
>>>  >>>>>>>> OAuth mailing list
>>>  >>>>>>>> OAuth@ietf.org
>>>  >>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>  >>>>>>>
>>>  >>>>>>> _______________________________________________
>>>  >>>>>>> OAuth mailing list
>>>  >>>>>>> OAuth@ietf.org
>>>  >>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>  >>>>>>
>>>  >>>>>> --
>>>  >>>>>> Hans Zandbelt              | Sr. Technical Architect
>>>  >>>>>> hzandbelt@pingidentity.com | Ping Identity
>>>  >>>>>
>>>  >>>>> _______________________________________________
>>>  >>>>> OAuth mailing list
>>>  >>>>> OAuth@ietf.org
>>>  >>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>  >>>>
>>>  >>>> _______________________________________________
>>>  >>>> OAuth mailing list
>>>  >>>> OAuth@ietf.org
>>>  >>>> https://www.ietf.org/mailman/listinfo/oauth
>>>  >>
>>>  >
>>>  > _______________________________________________
>>>  > OAuth mailing list
>>>  > OAuth@ietf.org
>>>  > https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

v2.23.0 | Report a Bug | By Email