Could you please delete my email stop sending emails
On Wed, 22 Apr 2020 at 06:31, Daniel Fett wrote:
> Am 22.04.20 um 15:14 schrieb Pieter Philippaerts:
>
> You could argue that it's already there. Section 4.7.1 says:
>
>
> We also have Section 4.9 on open redirectors:
>
> https://tools.ietf.or
Am 22.04.20 um 15:14 schrieb Pieter Philippaerts:
>
> You could argue that it's already there. Section 4.7.1 says:
>
>
We also have Section 4.9 on open redirectors:
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-4.9
-Daniel
__
half of Neil Madden
Sent: Tuesday, April 21, 2020 23:35
To: George Fletcher
Cc: Mike Jones; oauth@ietf.org
Subject: Re: [OAUTH-WG] Caution about open redirectors using the state parameter
I think the correct defence is to validate the URL (eg check against a
whitelist) at the point you are going to re
I think the correct defence is to validate the URL (eg check against a
whitelist) at the point you are going to redirect to it after the OAuth flow
completes, rather than before you begin the OAuth flow.
But this feels like generic web app security advice rather than anything
specific to OAuth
+1
However, we should be careful how we prohibit it... because if the state
value is actually signed, having the URL there isn't a problem as the
attacker can not manipulate the value without breaking the signature.
On 4/20/20 5:28 PM, Mike Jones wrote:
I've seen several circumstances where
I've seen several circumstances where "clever" clients implement an open
redirector by encoding a URL to redirect to in the state parameter value.
Attackers can then utilize this open redirector by choosing a state value.
Can we please add an explicit prohibition of this practice in
draft-ietf
