OWASP / ASVS

Application Security Verification Standard

proposal/discussion: OAuth - separate requirement for redirect_uri string-match registration and handling

elarlang opened this issue · comments

spin-off from #1916 "Discussion/Proposal 3"

Probably I was the first one to say that redirect_uri validation is a duplicate of general open-redirect but now I think it's important to have them as a separate requirement:

redirect_uri must be validated with the string-match method, which means no "wildcard" validations.

There are 2 parts:

  • Authorization Server must not accept anything other than (one of) the precise URLs from the pre-registered list
  • As a precondition: the OAuth Client must not send a business logic URL to the Authorization Server. It is pretty much the same as Referrer leakage.

--
Feedback from @tghosth in #1916 (comment)

Suggest you propose an updated/added requirement.

@elarlang, is this being addressed by my latest PR #1971? Or am I missing something about it?

Hi @csfreak92, let's find agreement first in the issue and then do the PR. Discussion over PRs is complicated to follow.

We also need to think about whether we should have one common requirement for OAuth and OIDC or not.

I prefer requirement text with the idea like:

Verify that the Authorisation Server accepts the redirect uri value from the Client that belongs to the pre-registered list of allowed values using the string-match method, e.g. wildcards are not in use.

Understood, but I just pushed my PR since it has been sitting in my local for a while and I thought better to have it out there than get lost somewhere as I have worked on it the past few months. :)

Can we agree over discussion and if they are already covered in the PR then that's good and then if not or needs some modifications, then I would modify them as needed?

Verify that the Authorization Server accepts the redirect URI value from the Client that belongs to the pre-registered list of allowed values using the string-match method, e.g. wildcards are not in use.

@elarlang, I like this text though, sorry, I missed it. How would a pre-registered list of allowed values be handled? Should we add text in the chapter/section on how this should be done? Also, the string-match method seems like regex, right?

How would a pre-registered list of allowed values be handled? Should we add text in the chapter/section on how this should be done?

I don't think we need to provide guidance for OAuth Client configuration.

Also, the string-match method seems like regex, right?

No, it's the opposite. String-match against a pre-registered list of full values means that you should not use any regex, substring, wildcard, etc. The provided redirect_uri value must exist in the pre-registered address list as it is.
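The exact-match check described in this thread, as an added example that is not part of the ASVS text or the discussion above; the client id, the registered list and the function names are constructed for illustration. The weak prefix variant is shown only for contrast, and the request check follows RFC 6749 in not redirecting at all when the redirect_uri is not registered.

```python
# Constructed pre-registered redirect URIs for one hypothetical OAuth client.
# The Authorization Server holds these; the Client cannot influence them at request time.
REGISTERED_REDIRECT_URIS = {
    "client-a": [
        "https://app.example/oauth/callback",
        "https://app.example/oauth/callback-admin",
    ],
}


def redirect_uri_is_allowed(client_id: str, redirect_uri: str) -> bool:
    """String-match: the received value must be identical to one registered entry.

    No regex, prefix, substring or wildcard comparison, and no normalisation
    before comparing. An unknown client has no allowed values at all.
    """
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, [])


def redirect_uri_prefix_match(client_id: str, redirect_uri: str) -> bool:
    """Weak variant (for contrast only): accepts any value that merely starts
    with a registered entry, so a different path or query still passes."""
    return any(redirect_uri.startswith(u)
               for u in REGISTERED_REDIRECT_URIS.get(client_id, []))


def check_authorization_request(client_id: str, redirect_uri: str) -> tuple:
    """Decide how the Authorization Server responds to a redirect_uri.

    Returns ("redirect", uri) only for an exact registered match. Otherwise
    returns ("error_page", reason): the server must render the error itself
    and must not redirect to an unvalidated URI, not even to report the error.
    """
    if client_id not in REGISTERED_REDIRECT_URIS:
        return ("error_page", "unknown client")
    if not redirect_uri_is_allowed(client_id, redirect_uri):
        return ("error_page", "redirect_uri not registered")
    return ("redirect", redirect_uri)
```

Values that differ only by an added query string, a trailing path segment or letter case are rejected by the exact check, while the prefix variant lets the first two through.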