3:57 p.m.
Hi,
Is KC considering this vulnerability [1] when performing redirects ? Specially for
OAuth Clients doing authorization code grant.
Regards.
[1] http://intothesymmetry.blogspot.ch/2015/04/open-redirect-in-rfc6749-aka-o...
6:30 p.m.
Just looked, we redirect to an error page.
On 4/15/2015 4:57 PM, Pedro Igor Silva wrote:
Hi,
Is KC considering this vulnerability [1] when performing redirects ? Specially for
OAuth Clients doing authorization code grant.
Regards.
[1]
http://intothesymmetry.blogspot.ch/2015/04/open-redirect-in-rfc6749-aka-o...
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
6:31 p.m.
One more thing...
We never redirect unless the redirect URI and client id is validated.
On 4/15/2015 4:57 PM, Pedro Igor Silva wrote:
Hi,
Is KC considering this vulnerability [1] when performing redirects ? Specially for
OAuth Clients doing authorization code grant.
Regards.
[1]
http://intothesymmetry.blogspot.ch/2015/04/open-redirect-in-rfc6749-aka-o...
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
2:06 a.m.
I don't get the attack, he states that:
Now let's assume an attacker:
* Registers a new client to the victim.com provider.
* Registers a redirect uri like attacker.com.
If the attacker can register a client with a redirect uri, how is it then an open
redirect?!
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Thursday, April 16, 2015 1:31:17 AM
Subject: Re: [keycloak-dev] Open Redirect Vulnerability
One more thing...
We never redirect unless the redirect URI and client id is validated.
On 4/15/2015 4:57 PM, Pedro Igor Silva wrote:
> Hi,
>
> Is KC considering this vulnerability [1] when performing redirects ?
> Specially for OAuth Clients doing authorization code grant.
>
> Regards.
>
> [1]
>
http://intothesymmetry.blogspot.ch/2015/04/open-redirect-in-rfc6749-aka-o...
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:35 a.m.
Yep, but that is pretty much about tricking users. For instance, a malicious client could
utilize a user's trust in your authorization server to launch a phishing attack.
Bill already stated that KC redirects to an internal error page instead of redirecting to
client when some error occurs (eg.: invalid client_id or redirect uri). Which is one of
the most important recommendations [1]. The URI is also validated using the full
redirection uri, not only part of it.
Google also provides some restrictions when defining redirect URIs. For instance, you
can't use fragments.
[1] https://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-08
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, April 16, 2015 4:06:16 AM
Subject: Re: [keycloak-dev] Open Redirect Vulnerability
I don't get the attack, he states that:
Now let's assume an attacker:
* Registers a new client to the victim.com provider.
* Registers a redirect uri like attacker.com.
If the attacker can register a client with a redirect uri, how is it then an open
redirect?!
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Thursday, April 16, 2015 1:31:17 AM
Subject: Re: [keycloak-dev] Open Redirect Vulnerability
One more thing...
We never redirect unless the redirect URI and client id is validated.
On 4/15/2015 4:57 PM, Pedro Igor Silva wrote:
> Hi,
>
> Is KC considering this vulnerability [1] when performing redirects ?
> Specially for OAuth Clients doing authorization code grant.
>
> Regards.
>
> [1]
>
http://intothesymmetry.blogspot.ch/2015/04/open-redirect-in-rfc6749-aka-o...
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:52 a.m.
Thinking about it some more the reason I didn't get it is because it's not
applicable to Keycloak because we don't allow anyone to register a client. Only admins
are allowed to create clients in Keycloak, so a client is a trusted entity.
If it's possible to register untrusted clients, like it is for any social provider (or
SaaS service), this becomes a problem. It doesn't have anything to do with verifying
the redirect-uri, because you still set a valid redirect-uri. Even worse it's actually
a problem with the spec itself as the post says. For any error except a redirect-uri
related error it should redirect back to the application. That could be an invalid
response_type, invalid_scope, etc..
Google doesn't actually follow the spec as they display an error page for
invalid_scope instead of redirecting back to the client.
If we have implement support for anyone to register clients in Keycloak, we need to do the
same. If it's a "untrusted client" never redirect to client in case of an
error. The rule could be if it requires consent, display error page, if it doesn't
require consent redirect to app.
----- Original Message -----
From: "Pedro Igor Silva" <psilva(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-dev(a)lists.jboss.org
Sent: Thursday, April 16, 2015 3:35:36 PM
Subject: Re: [keycloak-dev] Open Redirect Vulnerability
Yep, but that is pretty much about tricking users. For instance, a malicious
client could utilize a user's trust in your authorization server to launch a
phishing attack.
Bill already stated that KC redirects to an internal error page instead of
redirecting to client when some error occurs (eg.: invalid client_id or
redirect uri). Which is one of the most important recommendations [1]. The
URI is also validated using the full redirection uri, not only part of it.
Google also provides some restrictions when defining redirect URIs. For
instance, you can't use fragments.
[1] https://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-08
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, April 16, 2015 4:06:16 AM
Subject: Re: [keycloak-dev] Open Redirect Vulnerability
I don't get the attack, he states that:
Now let's assume an attacker:
* Registers a new client to the victim.com provider.
* Registers a redirect uri like attacker.com.
If the attacker can register a client with a redirect uri, how is it then an
open redirect?!
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, April 16, 2015 1:31:17 AM
> Subject: Re: [keycloak-dev] Open Redirect Vulnerability
>
> One more thing...
>
> We never redirect unless the redirect URI and client id is validated.
>
> On 4/15/2015 4:57 PM, Pedro Igor Silva wrote:
> > Hi,
> >
> > Is KC considering this vulnerability [1] when performing redirects ?
> > Specially for OAuth Clients doing authorization code grant.
> >
> > Regards.
> >
> > [1]
> >
http://intothesymmetry.blogspot.ch/2015/04/open-redirect-in-rfc6749-aka-o...
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
10:57 a.m.
I thought the attack was: put in an attacker redirect uri and an invalid
parameter, auth server fails, redirects to non-validated attacker
redirect uri.
On 4/16/2015 3:06 AM, Stian Thorgersen wrote:
I don't get the attack, he states that:
Now let's assume an attacker:
* Registers a new client to the victim.com provider.
* Registers a redirect uri like attacker.com.
If the attacker can register a client with a redirect uri, how is it then an open
redirect?!
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, April 16, 2015 1:31:17 AM
> Subject: Re: [keycloak-dev] Open Redirect Vulnerability
>
> One more thing...
>
> We never redirect unless the redirect URI and client id is validated.
>
> On 4/15/2015 4:57 PM, Pedro Igor Silva wrote:
>> Hi,
>>
>> Is KC considering this vulnerability [1] when performing redirects ?
>> Specially for OAuth Clients doing authorization code grant.
>>
>> Regards.
>>
>> [1]
>>
http://intothesymmetry.blogspot.ch/2015/04/open-redirect-in-rfc6749-aka-o...
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
12:51 p.m.
Another scenario is AS partially validating the redirect uri. For instance,
http://somesite.com/attacker.
If the registered redirect uri is just http://somesite.com and the AS is not checking its
full format, it may consider that the uri above is valid. What is also covered by KC, so
no problem here as well.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, April 16, 2015 12:57:02 PM
Subject: Re: [keycloak-dev] Open Redirect Vulnerability
I thought the attack was: put in an attacker redirect uri and an invalid
parameter, auth server fails, redirects to non-validated attacker
redirect uri.
On 4/16/2015 3:06 AM, Stian Thorgersen wrote:
I don't get the attack, he states that:
Now let's assume an attacker:
* Registers a new client to the victim.com provider.
* Registers a redirect uri like attacker.com.
If the attacker can register a client with a redirect uri, how is it then an open
redirect?!
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, April 16, 2015 1:31:17 AM
> Subject: Re: [keycloak-dev] Open Redirect Vulnerability
>
> One more thing...
>
> We never redirect unless the redirect URI and client id is validated.
>
> On 4/15/2015 4:57 PM, Pedro Igor Silva wrote:
>> Hi,
>>
>> Is KC considering this vulnerability [1] when performing redirects ?
>> Specially for OAuth Clients doing authorization code grant.
>>
>> Regards.
>>
>> [1]
>>
http://intothesymmetry.blogspot.ch/2015/04/open-redirect-in-rfc6749-aka-o...
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
12:05 a.m.
This attack assumes that it's a valid client and the redirect uri is valid. It's
about untrusted clients being able to bypass user consent by adding expected errors.
Google lets anyone register a client so you can register attack.com as a client and the
redirect will be perfectly valid. What Google does differently to Facebook is that they
don't redirect to the client in an error, so the user will always see a grant page.
While Facebook if you enter the wrong scope will redirect to attack.som without showing a
consent screen.
We should make sure that Keycloak never redirects to a client that requires consent from
the user without user input. Including if there's an error (for example invalid
grant_type) and the client requires consent we display a page stating there was an error
with a link continue to application. Once a user has consented to a client (persisted
grants exists for the user-client) we can redirect to the client as the user has now
trusted the client.
----- Original Message -----
From: "Pedro Igor Silva" <psilva(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: "Stian Thorgersen" <stian(a)redhat.com>, keycloak-dev(a)lists.jboss.org
Sent: Thursday, April 16, 2015 7:51:37 PM
Subject: Re: [keycloak-dev] Open Redirect Vulnerability
Another scenario is AS partially validating the redirect uri. For instance,
http://somesite.com/attacker.
If the registered redirect uri is just http://somesite.com and the AS is not
checking its full format, it may consider that the uri above is valid. What
is also covered by KC, so no problem here as well.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, April 16, 2015 12:57:02 PM
Subject: Re: [keycloak-dev] Open Redirect Vulnerability
I thought the attack was: put in an attacker redirect uri and an invalid
parameter, auth server fails, redirects to non-validated attacker
redirect uri.
On 4/16/2015 3:06 AM, Stian Thorgersen wrote:
> I don't get the attack, he states that:
>
> Now let's assume an attacker:
> * Registers a new client to the victim.com provider.
> * Registers a redirect uri like attacker.com.
>
> If the attacker can register a client with a redirect uri, how is it then
> an open redirect?!
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, April 16, 2015 1:31:17 AM
>> Subject: Re: [keycloak-dev] Open Redirect Vulnerability
>>
>> One more thing...
>>
>> We never redirect unless the redirect URI and client id is validated.
>>
>> On 4/15/2015 4:57 PM, Pedro Igor Silva wrote:
>>> Hi,
>>>
>>> Is KC considering this vulnerability [1] when performing redirects
>>> ?
>>> Specially for OAuth Clients doing authorization code grant.
>>>
>>> Regards.
>>>
>>> [1]
>>>
http://intothesymmetry.blogspot.ch/2015/04/open-redirect-in-rfc6749-aka-o...
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3561
days inactive
3563
days old
8 comments
3 participants
participants (3)
-
Bill Burke -
Pedro Igor Silva -
Stian Thorgersen