[Openid-specs-ab] Dynamic Client Registration - Bad Security Recommendation?
John Bradley
ve7jtb at ve7jtb.com
Tue Sep 3 15:16:10 UTC 2019
It is a SHOULD, so you can violate it if you have some other way to
validate the site.
Given automatic registration, letting someone publish a logo and policy
from another site that might cause confusion is not ideal.
That is what that part of the spec is trying to avoid.
Nothing stops Auth0 from hosting those URLs for tenants.
I agree that there are other ways to spoof who the RP is, so this is not
a make-or-break piece of security.
John B.
On 9/2/2019 8:43 AM, Marcos Sanz via Openid-specs-ab wrote:
> Dear all,
>
> at our IdP deployment with an open client registration endpoint we have
> implemented the recommendations from the security considerations (
> https://openid.net/specs/openid-connect-registration-1_0.html#Impersonation
> ), specifically:
>
> "The Authorization Server SHOULD check to see if the logo_uri and
> policy_uri have the same host as the hosts defined in the array of
> redirect_uris. "
>
> I am getting some pushback from the clients, who claim that their assets
> might come from CDNs, whose URLs usually differ from the callback URL
> host. Additional feedback from Auth0, with whom I was having this
> discussion, was also that the native type client (= not web) would require
> a http://localhost callback anyway, so there this check wouldn't work
> very well anyway. Also for cases where there's an identity broker in
> between, such as with Auth0, it's usually not what you want as a developer.
> Finally, and since more than one redirect_uri can be registered at the
> IdP, what prevents a malicious client from registering, besides their real
> redirect_uri, additional random-hosts-under-attack just to satisfy the
> aforementioned check, thus rendering it useless?
>
> All in all, for me it looks like the spec recommendation is
> outdated/insufficient/counterproductive. I'd love to hear your thoughts
> about that.
>
> Best,
> Marcos
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
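The host comparison the two messages argue about, written out as an added example (not code from either poster, the OpenID spec, or Auth0). It implements the registration-endpoint check from the Impersonation security consideration, adds the "other way to validate the site" John mentions as an operator-maintained allowlist of asset hosts (an assumption of this example, not something the spec defines), and includes constructed registration requests that reproduce the three cases Marcos raises: a CDN-hosted logo, a native client with a localhost redirect, and a registration padded with an extra redirect_uri that satisfies the check without proving anything.

```python
from urllib.parse import urlsplit


def _host(uri: str) -> str:
    """Lower-cased hostname of a URI, or '' if it has none."""
    return (urlsplit(uri).hostname or "").lower()


def check_metadata_hosts(metadata: dict, trusted_asset_hosts=frozenset()) -> list:
    """Return warnings for logo_uri/policy_uri whose host matches no redirect_uri host.

    `metadata` is the JSON body of a dynamic client registration request.
    `trusted_asset_hosts` is an operator-maintained allowlist (hypothetical,
    not part of the spec) for hosts the IdP has validated by other means,
    e.g. a CDN or broker the IdP itself operates for its tenants.
    """
    redirect_hosts = {_host(u) for u in metadata.get("redirect_uris", [])}
    redirect_hosts.discard("")
    warnings = []
    for key in ("logo_uri", "policy_uri"):
        uri = metadata.get(key)
        if uri is None:
            continue
        host = _host(uri)
        if not host:
            warnings.append(f"{key} has no host: {uri!r}")
        elif host not in redirect_hosts and host not in trusted_asset_hosts:
            warnings.append(
                f"{key} host {host!r} matches none of the redirect_uris hosts "
                f"{sorted(redirect_hosts)}"
            )
    return warnings


# Constructed sample registrations (example.* names, not real clients).
SAMPLE_OK = {
    "redirect_uris": ["https://app.example.com/cb"],
    "logo_uri": "https://app.example.com/logo.png",
    "policy_uri": "https://app.example.com/policy",
}
SAMPLE_CDN = {  # logo served from a CDN: the spec's check flags it
    "redirect_uris": ["https://app.example.com/cb"],
    "logo_uri": "https://cdn.example.net/app/logo.png",
}
SAMPLE_NATIVE = {  # native app with a localhost callback: nothing can match
    "redirect_uris": ["http://localhost:8080/cb"],
    "logo_uri": "https://app.example.com/logo.png",
}
SAMPLE_PADDED = {  # extra redirect_uri on the logo's host makes the check pass
    "redirect_uris": ["https://app.example.com/cb", "https://other.example.org/cb"],
    "logo_uri": "https://other.example.org/logo.png",
}


def run_examples() -> dict:
    """Number of warnings per sample, to show where the check helps and where it does not."""
    return {
        "ok": len(check_metadata_hosts(SAMPLE_OK)),
        "cdn": len(check_metadata_hosts(SAMPLE_CDN)),
        "cdn_allowlisted": len(
            check_metadata_hosts(SAMPLE_CDN, trusted_asset_hosts={"cdn.example.net"})
        ),
        "native": len(check_metadata_hosts(SAMPLE_NATIVE)),
        "padded": len(check_metadata_hosts(SAMPLE_PADDED)),
    }


if __name__ == "__main__":
    for name, count in run_examples().items():
        print(f"{name}: {count} warning(s)")
```

The padded case returning no warnings is the point of Marcos's last question: the check only ties the logo host to some registered redirect host, and the registration request is what supplies both, so it confirms consistency within the request rather than control of the host. An IdP that keeps the check therefore gets most of its value from the allowlist path and from whatever out-of-band validation sits behind it, which is what "SHOULD" leaves room for.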