Yep, but that is pretty much about tricking users. For instance, a malicious client could
utilize a user's trust in your authorization server to launch a phishing attack.
Bill already stated that KC redirects to an internal error page instead of redirecting to
client when some error occurs (eg.: invalid client_id or redirect uri). Which is one of
the most important recommendations [1]. The URI is also validated using the full
redirection uri, not only part of it.
Google also provides some restrictions when defining redirect URIs. For instance, you
can't use fragments.
[1]
https://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-08
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, April 16, 2015 4:06:16 AM
Subject: Re: [keycloak-dev] Open Redirect Vulnerability
I don't get the attack, he states that:
Now let's assume an attacker:
* Registers a new client to the
victim.com provider.
* Registers a redirect uri like
attacker.com.
If the attacker can register a client with a redirect uri, how is it then an open
redirect?!
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Thursday, April 16, 2015 1:31:17 AM
Subject: Re: [keycloak-dev] Open Redirect Vulnerability
One more thing...
We never redirect unless the redirect URI and client id is validated.
On 4/15/2015 4:57 PM, Pedro Igor Silva wrote:
> Hi,
>
> Is KC considering this vulnerability [1] when performing redirects ?
> Specially for OAuth Clients doing authorization code grant.
>
> Regards.
>
> [1]
>
http://intothesymmetry.blogspot.ch/2015/04/open-redirect-in-rfc6749-aka-o...
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev