Diff: draft-bradley-oauth-open-redirector-01.txt - draft-bradley-oauth-open-redirector-02.txt

	< draft-bradley-oauth-open-redirector-01.txt	draft-bradley-oauth-open-redirector-02.txt >

	OAuth Working Group J. Bradley	OAuth Working Group J. Bradley
	Internet-Draft Ping Identity	Internet-Draft Ping Identity
	Intended status: Standards Track A. Sanso, Ed.	Intended status: Standards Track A. Sanso, Ed.

	Expires: September 24, 2015 Adobe Systems	Expires: January 22, 2016 Adobe Systems
	H. Tschofenig	H. Tschofenig

		July 21, 2015
	March 23, 2015

	OAuth 2.0 Security: OAuth Open Redirector	OAuth 2.0 Security: OAuth Open Redirector

	draft-bradley-oauth-open-redirector-01.txt	draft-bradley-oauth-open-redirector-02.txt

	Abstract	Abstract

	This document gives additional security considerations for OAuth,	This document gives additional security considerations for OAuth,
	beyond those in the OAuth 2.0 specification and in the OAuth 2.0	beyond those in the OAuth 2.0 specification and in the OAuth 2.0
	Threat Model and Security Considerations.	Threat Model and Security Considerations.

	Status of This Memo	Status of This Memo

	This Internet-Draft is submitted in full conformance with the	This Internet-Draft is submitted in full conformance with the

	skipping to change at page 1, line 35 ¶	skipping to change at page 1, line 34 ¶
	Internet-Drafts are working documents of the Internet Engineering	Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute	Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-	working documents as Internet-Drafts. The list of current Internet-
	Drafts is at http://datatracker.ietf.org/drafts/current/.	Drafts is at http://datatracker.ietf.org/drafts/current/.

	Internet-Drafts are draft documents valid for a maximum of six months	Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any	and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference	time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."	material or to cite them other than as "work in progress."


	This Internet-Draft will expire on September 24, 2015.	This Internet-Draft will expire on January 22, 2016.

	Copyright Notice	Copyright Notice

	Copyright (c) 2015 IETF Trust and the persons identified as the	Copyright (c) 2015 IETF Trust and the persons identified as the
	document authors. All rights reserved.	document authors. All rights reserved.

	This document is subject to BCP 78 and the IETF Trust's Legal	This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents	Provisions Relating to IETF Documents
	(http://trustee.ietf.org/license-info) in effect on the date of	(http://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents	publication of this document. Please review these documents
	carefully, as they describe your rights and restrictions with respect	carefully, as they describe your rights and restrictions with respect
	to this document. Code Components extracted from this document must	to this document. Code Components extracted from this document must
	include Simplified BSD License text as described in Section 4.e of	include Simplified BSD License text as described in Section 4.e of
	the Trust Legal Provisions and are provided without warranty as	the Trust Legal Provisions and are provided without warranty as
	described in the Simplified BSD License.	described in the Simplified BSD License.

	Table of Contents	Table of Contents

	1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2	1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
	1.1. Notational Conventions . . . . . . . . . . . . . . . . . 2	1.1. Notational Conventions . . . . . . . . . . . . . . . . . 2

	1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3	1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2
	2. Authorization Server Error Response . . . . . . . . . . . . . 3	2. Authorization Server Error Response . . . . . . . . . . . . . 3
	2.1. Abuse: The Authorization Server As Open Redirector . . . 3	2.1. Abuse: The Authorization Server As Open Redirector . . . 3
	2.2. Security Compromise: The Authorization Server As Open	2.2. Security Compromise: The Authorization Server As Open
	Redirector . . . . . . . . . . . . . . . . . . . . . . . 4	Redirector . . . . . . . . . . . . . . . . . . . . . . . 4
	2.3. Mitigation . . . . . . . . . . . . . . . . . . . . . . . 5	2.3. Mitigation . . . . . . . . . . . . . . . . . . . . . . . 5
	3. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6	3. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
	4. Normative References . . . . . . . . . . . . . . . . . . . . 6	4. Normative References . . . . . . . . . . . . . . . . . . . . 6

	Appendix A. Document History . . . . . . . . . . . . . . . . . . 7	Appendix A. Document History . . . . . . . . . . . . . . . . . . 6
	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7

	1. Introduction	1. Introduction

	This document gives additional security considerations for OAuth,	This document gives additional security considerations for OAuth,
	beyond those in the OAuth 2.0 specification [RFC6749] and in the	beyond those in the OAuth 2.0 specification [RFC6749] and in the
	OAuth 2.0 Threat Model and Security Considerations [RFC6819]. In	OAuth 2.0 Threat Model and Security Considerations [RFC6819]. In
	particular focuses its attention on the risk of abuse the	particular focuses its attention on the risk of abuse the
	Authorization Server (AS) (Section 1.2) as an open redirector.	Authorization Server (AS) (Section 1.2) as an open redirector.


	skipping to change at page 6, line 8 ¶	skipping to change at page 5, line 43 ¶
	Section 2.2 the ?AS? can either:	Section 2.2 the ?AS? can either:

	o Respond with an HTTP 400 (Bad Request) status code.	o Respond with an HTTP 400 (Bad Request) status code.

	o Perform a redirect to an intermediate URI under the control of the	o Perform a redirect to an intermediate URI under the control of the
	AS to clear referer information in the browser that may contain	AS to clear referer information in the browser that may contain
	security token information. This page SHOULD provide notice to	security token information. This page SHOULD provide notice to
	the resource owner that an error occurred, and request permission	the resource owner that an error occurred, and request permission
	to redirect them to an external site.	to redirect them to an external site.


	If redirected, the fragment "#_=_" MUST be appended to the error	If redirected, a fragment "#" MUST be appended to the error
	redirect URI. This prevents the browser from reattaching the	redirect URI. This prevents the browser from reattaching the
	fragment from a previous URI to the new location URI.	fragment from a previous URI to the new location URI.


		Some

	When redirecting via 30x a Content Security Policy header SHOULD be	When redirecting via 30x a Content Security Policy header SHOULD be
	added:	added:

	Content-Security-Policy: referrer origin;	Content-Security-Policy: referrer origin;

	Figure 2	Figure 2

	When redirecting via a form post the following tag SHOULD be	When redirecting via a form post the following tag SHOULD be
	included:	included:


	skipping to change at page 6, line 41 ¶	skipping to change at page 6, line 31 ¶

	We would like to thank all the people that partecipated to the	We would like to thank all the people that partecipated to the
	discussion, namely Bill Burke, Hans Zandbelt, Justin P. Richer, Phil	discussion, namely Bill Burke, Hans Zandbelt, Justin P. Richer, Phil
	Hunt, Takahiko Kawasaki, Torsten Lodderstedt, Sergey Beryozkin.	Hunt, Takahiko Kawasaki, Torsten Lodderstedt, Sergey Beryozkin.

	4. Normative References	4. Normative References

	[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate	[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
	Requirement Levels", BCP 14, RFC 2119, March 1997.	Requirement Levels", BCP 14, RFC 2119, March 1997.


	[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC	[RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
	6749, October 2012.	RFC 6749, DOI 10.17487/RFC6749, October 2012,
		<http://www.rfc-editor.org/info/rfc6749>.


	[RFC6819] Lodderstedt, T., McGloin, M., and P. Hunt, "OAuth 2.0	[RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
	Threat Model and Security Considerations", RFC 6819,	Threat Model and Security Considerations", RFC 6819,

	January 2013.	DOI 10.17487/RFC6819, January 2013,
		<http://www.rfc-editor.org/info/rfc6819>.

	Appendix A. Document History	Appendix A. Document History

	[[ to be removed by the RFC Editor before publication as an RFC ]]	[[ to be removed by the RFC Editor before publication as an RFC ]]

	-01	-01

	o Added information on HTTP headders to include to set referrer to	o Added information on HTTP headders to include to set referrer to
	origin	origin


End of changes. 11 change blocks.
	12 lines changed or deleted	15 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/