Re: [OAUTH-WG] [EXTERNAL] Re: OAuth Redirection Attacks

2021-12-17 Thread David Waite
> On Dec 17, 2021, at 2:44 PM, Brian Campbell wrote:
>
> Relax how aggressively OAuth demands that the AS automatically redirect in error conditions. And either respond with a 400 directly (which just stops things at that point) or provide a meaningful interstitial page to the user

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth Redirection Attacks

2021-12-17 Thread Nov Matake
Phishing filters can simply treat all OAuth AuthZ-request-like URLs in emails as malicious.

> On 2021/12/18 at 6:45, Brian Campbell wrote:
>
> Yeah, I think it has been discussed before. And if I'm understanding correctly, it is unfortunately a tricky area. It sounds like more or less the sam

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth Redirection Attacks

2021-12-17 Thread Brian Campbell
Yeah, I think it has been discussed before. And if I'm understanding correctly, it is unfortunately a tricky area. It sounds like more or less the same thing as "Abuse: The Authorization Server As Open Redirector"

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth Redirection Attacks

2021-12-17 Thread Hans Zandbelt
AFAIK this topic has been discussed before, e.g.: https://mailarchive.ietf.org/arch/msg/oauth/gIuIrxeXudRBg8L6RYGDElxrc4s/

Hans.

On Fri, Dec 17, 2021 at 9:44 PM Pieter Kasselman wrote:
> The problem isn't invalid URLs but malicious ones. Given a choice between a sub-optimal user experience an

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth Redirection Attacks

2021-12-17 Thread Pieter Kasselman
The problem isn't invalid URLs but malicious ones. Given a choice between a sub-optimal user experience and a phished end-user, perhaps an option that allows the authorization server to handle the error, rather than redirecting, can serve end-users better. But as Vittorio points out, there are p

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth Redirection Attacks

2021-12-17 Thread Warren Parad
You want to redirect on some errors because the last thing an AS wants is to leave the user in the AS because the user can't do anything there and the AS can't do anything either. It's just bad UX. But if the redirect url isn't valid, this is absolutely the time that the AS should keep the user the

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth Redirection Attacks

2021-12-17 Thread Pieter Kasselman
Agreed that the attacker's goal is to bypass phishing filters and they found a way to achieve this by using an IdP that adheres to the standards. I don't have the context for the design choice to redirect on an error condition, but am curious why the IdP should not be allowed to handle the error

Re: [OAUTH-WG] OAuth Redirection Attacks

2021-12-17 Thread Vittorio Bertocci
The attack doesn't rely on redirecting to unregistered URLs, that's the problem. The goal of the attack is to circumvent phishing filters, by presenting a URL from a legitimate domain (the AS) that eventually redirects to the actual phishing URL. The actual phishing page doesn't need to target the

Re: [OAUTH-WG] OAuth Redirection Attacks

2021-12-17 Thread Warren Parad
I think this just falls into the category of never redirect the user to a url that doesn't match one of the preregistered redirect urls (or logout urls for that matter). Any application that has redirects anywhere provides an opportunity for this attack vector, OAuth isn't unique in that way, it ju