The issues around redirect_uri seem muddled to me. Here's what I know right now:
Brian Eaton apparently said:

> This provides a defense against authorization codes which have leaked due to
> open redirectors.

I looked for "redirector" in http://tools.ietf.org/html//draft-lodderstedt-oauth-security-01 which is apparently the latest draft of the security considerations document. The only mention is in section 4.2.4 under "Threat: Open redirector", which I can quote in full:

> An attacker could use the end-user authorization endpoint and the redirect_uri parameter to abuse the authorization server as redirector.
> Impact?
> Countermeasure
> o don't redirect to redirect_uri, if client identity or redirect_uri could not be verified

I don't know what this means. The word "abuse" is vague, and the "Impact" section is blank. At least in the bearer token version of the protocol, I believe we do all of our redirecting before verifying the client identity, so I don't see how we can know whether the client identity can be verified when we're deciding whether to redirect. It would help to have a specific sequence of events that is undesired. I can't tell if this only mention of "redirector" in Torsten Lodderstedt's document matches what Brian was talking about.

I talked some about whether we need the redirect_uri at: http://www.ietf.org/mail-archive/web/oauth/current/msg05733.html

Judging by the "Next by thread" link on that page, nobody replied to this. I do not think the failure scenario I described involves an open redirector, so I think the problem I described (if the redirect_uri is not checked) is different from Brian's. I haven't read the security considerations document carefully enough to know whether the failure scenario I described appears in it.
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Eaton
Sent: Saturday, April 30, 2011 2:29 PM
To: Doug Tangren
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] requirement of redirect_uri in access token requests

On Fri, Apr 29, 2011 at 11:21 AM, Doug Tangren <d.tang...@gmail.com> wrote:

> Is this required or not? In the example http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-3.1 it's listed in the example but not itemized as optional or required. It's not in the example for refreshing tokens http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-6 though that section links back to section 3.1 which does use a redirect_uri in the example.
>
> Should the redirect_uri be a requirement for client authentication or is it optional?

It should be required when exchanging an authorization code for a refresh token. This provides a defense against authorization codes which have leaked due to open redirectors. It should not be present under other circumstances.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
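The two checks the thread circles around (refuse to redirect when the redirect_uri cannot be verified, and require the same redirect_uri again when the code is exchanged) as an added example in a toy authorization server; this is illustration code written for this page, not code from the thread or any OAuth implementation, and the registered client, its redirect URIs and the in-memory code store are constructed for it.

```python
import secrets

# Constructed registration data: one client with two registered redirect URIs.
REGISTERED = {"client-a": {"https://app.example/cb", "https://app.example/alt"}}

# Issued codes, each bound at issuance to (client_id, redirect_uri).
_codes = {}


def authorize(client_id, redirect_uri):
    """Authorization endpoint.

    Returns (code, redirect_uri) to redirect the end-user to, or None when the
    redirect_uri is not exactly one registered for the client. Returning None
    is the draft's countermeasure: do not redirect at all if the redirect_uri
    cannot be verified, so the server cannot be used as an open redirector.
    """
    if redirect_uri not in REGISTERED.get(client_id, set()):
        return None
    code = secrets.token_urlsafe(16)
    _codes[code] = (client_id, redirect_uri)
    return code, redirect_uri


def exchange_code(client_id, code, redirect_uri):
    """Token endpoint for the authorization-code grant.

    The code is consumed on first use (successful or not), the redirect_uri
    parameter is mandatory, and it must equal the one the code was bound to.
    A code that reached the attacker through some other redirect target is
    therefore useless when redeemed with the client's real redirect_uri, and
    vice versa. Returns the token response dict or None on rejection.
    """
    bound = _codes.pop(code, None)
    if bound is None:
        return None
    if redirect_uri is None or bound != (client_id, redirect_uri):
        return None
    return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}
```

Real servers additionally revoke tokens already issued from a code that is presented twice; the single-use pop above is the minimal form of that rule.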