I thought the attack was: put in an attacker redirect uri and an invalid
parameter, auth server fails, redirects to non-validated attacker
redirect uri.
On 4/16/2015 3:06 AM, Stian Thorgersen wrote:
I don't get the attack, he states that:
Now let's assume an attacker:
* Registers a new client to the
victim.com provider.
* Registers a redirect uri like
attacker.com.
If the attacker can register a client with a redirect uri, how is it then an open
redirect?!
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, April 16, 2015 1:31:17 AM
> Subject: Re: [keycloak-dev] Open Redirect Vulnerability
>
> One more thing...
>
> We never redirect unless the redirect URI and client id is validated.
>
> On 4/15/2015 4:57 PM, Pedro Igor Silva wrote:
>> Hi,
>>
>> Is KC considering this vulnerability [1] when performing redirects ?
>> Specially for OAuth Clients doing authorization code grant.
>>
>> Regards.
>>
>> [1]
>>
http://intothesymmetry.blogspot.ch/2015/04/open-redirect-in-rfc6749-aka-o...
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
>
http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>