[keycloak-dev] Open Redirect Vulnerability

Pedro Igor Silva psilva at redhat.com
Thu Apr 16 09:35:36 EDT 2015 

Yep, but that is pretty much about tricking users. For instance, a malicious client could utilize a user's trust in your authorization server to launch a phishing attack.

Bill already stated that KC redirects to an internal error page instead of redirecting to client when some error occurs (eg.: invalid client_id or redirect uri). Which is one of the most important recommendations [1]. The URI is also validated using the full redirection uri, not only part of it.

Google also provides some restrictions when defining redirect URIs. For instance, you can't use fragments.

[1] https://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-08

----- Original Message -----
From: "Stian Thorgersen" <stian at redhat.com>
To: "Bill Burke" <bburke at redhat.com>
Cc: keycloak-dev at lists.jboss.org
Sent: Thursday, April 16, 2015 4:06:16 AM
Subject: Re: [keycloak-dev] Open Redirect Vulnerability

I don't get the attack, he states that:

  Now let's assume an attacker:
   * Registers a new client to the victim.com provider.
   * Registers a redirect uri like attacker.com.

If the attacker can register a client with a redirect uri, how is it then an open redirect?!

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Thursday, April 16, 2015 1:31:17 AM
> Subject: Re: [keycloak-dev] Open Redirect Vulnerability
> 
> One more thing...
> 
> We never redirect unless the redirect URI and client id is validated.
> 
> On 4/15/2015 4:57 PM, Pedro Igor Silva wrote:
> > Hi,
> >
> >      Is KC considering this vulnerability [1] when performing redirects ?
> >      Specially for OAuth Clients doing authorization code grant.
> >
> > Regards.
> >
> > [1]
> > http://intothesymmetry.blogspot.ch/2015/04/open-redirect-in-rfc6749-aka-oauth-20.html
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list