I think the correct defence is to validate the URL (e.g. check against a whitelist) at the point you are going to redirect to it after the OAuth flow completes, rather than before you begin the OAuth flow.
But this feels like generic web app security advice rather than anything specific to OAuth - always validate URLs before performing a redirect.

Neil

> On 21 Apr 2020, at 20:28, George Fletcher <gffletch=40aol....@dmarc.ietf..org> wrote:
>
> +1
>
> However, we should be careful how we prohibit it... because if the state value is actually signed, having the URL there isn't a problem as the attacker can not manipulate the value without breaking the signature.
>
>> On 4/20/20 5:28 PM, Mike Jones wrote:
>> I've seen several circumstances where "clever" clients implement an open redirector by encoding a URL to redirect to in the state parameter value. Attackers can then utilize this open redirector by choosing a state value.
>>
>> Can we please add an explicit prohibition of this practice in draft-ietf-oauth-security-topics?
>>
>> Thanks,
>> -- Mike
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
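Worked example added to this archive page (it is not code from the thread or from any of the posters): a client callback handler that reproduces the pattern Mike Jones describes, an unsigned `state` carrying the post-login return URL, next to a hardened version that combines both mitigations raised above, an HMAC-signed `state` (George Fletcher's point) and an allowlist check applied at the moment of the redirect (Neil's point). The function names, the signing key, the allowed host and the sample URLs are assumptions for illustration.

```python
"""Encoding a return URL in the OAuth ``state`` parameter: open redirector
versus signed state plus allowlist check at redirect time (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional
from urllib.parse import urlparse

# Assumed client-side signing key; a real client loads this from config.
STATE_KEY = b"example-signing-key-not-for-production"

# Assumed allowlist of hosts this client will send the browser back to.
ALLOWED_REDIRECT_HOSTS = {"app.example.com"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state_vulnerable(return_to: str) -> str:
    """The "clever" client: put the return URL into state, unsigned."""
    return _b64url(json.dumps({"return_to": return_to}).encode())


def handle_callback_vulnerable(state: str) -> str:
    """Return the Location the client will redirect the browser to.

    Nothing ties ``state`` to this client, so whoever chooses the state
    value (in the authorization request or the callback URL) chooses the
    target: an open redirector.
    """
    return json.loads(_b64url_decode(state))["return_to"]


def make_state_hardened(return_to: str) -> str:
    """Sign the state so an attacker cannot choose its contents.

    A random nonce keeps the value usable for its CSRF purpose as well.
    """
    body = _b64url(json.dumps({"return_to": return_to,
                               "nonce": secrets.token_urlsafe(16)}).encode())
    tag = _b64url(hmac.new(STATE_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def is_allowed_redirect(url: str) -> bool:
    """Allowlist check at the point of redirect (Neil's advice).

    Accept only absolute https URLs whose host is exactly on the allowlist.
    Comparing ``hostname`` rejects javascript: URLs, protocol-relative
    ``//evil`` URLs and ``allowed@evil`` userinfo tricks by construction.
    """
    parts = urlparse(url)
    return (parts.scheme == "https"
            and parts.hostname in ALLOWED_REDIRECT_HOSTS
            and parts.username is None and parts.password is None)


def handle_callback_hardened(state: str) -> Optional[str]:
    """Verify the signature, then still validate the URL before redirecting.

    Returns the redirect target, or None when the client must refuse.
    """
    try:
        body, tag = state.split(".", 1)
        expected = hmac.new(STATE_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url_decode(tag), expected):
            return None  # forged or tampered state
        return_to = json.loads(_b64url_decode(body))["return_to"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed state
    # Defence in depth: a correctly signed value is checked here too, so a
    # bug in whichever code minted the state cannot become an open redirect.
    if not is_allowed_redirect(return_to):
        return None
    return return_to
```

Note that the signature alone is not enough: it proves the client minted the state, not that the URL inside it is safe, which is why the hardened handler still runs the allowlist check on a value it signed itself.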