[Openid-specs-ab] Dynamic Client Registration - Bad Security Recommendation?

Marcos Sanz sanz at denic.de
Wed Sep 4 14:03:18 UTC 2019


Hi John,

> It is a SHOULD so you can violate it if you have some other way to 
> validate the site.
> 
> Given automatic registration, letting someone publish a logo and policy 
> from another site that might cause confusion is not ideal.
> 
> That is what that part of the spec is trying to avoid.

we definitely agree on that. The point is: is there any other way to make 
it better?

Checking that those secondary URIs (logo/policy/whatever) have the same 
host as any of the hosts defined in the array of redirect_uris at client 
registration time is de facto useless. Actually it'd be better, for 
instance, to check it at the time of the authentication request with the 
concrete value of the redirect_uri request parameter.

Best,
Marcos

> Nothing stops Auth0 from hosting those URLs for tenants.
> 
> I agree that there are other ways to spoof who the RP is, so this is not 
> a make or break piece of security.
> 
> John B.
> 
> On 9/2/2019 8:43 AM, Marcos Sanz via Openid-specs-ab wrote:
> > Dear all,
> >
> > at our IdP deployment with an open client registration endpoint we have
> > implemented the recommendations from the security considerations (
> > https://openid.net/specs/openid-connect-registration-1_0.html#Impersonation
> > ), specifically:
> >
> > "The Authorization Server SHOULD check to see if the logo_uri and
> > policy_uri have the same host as the hosts defined in the array of
> > redirect_uris. "
> >
> > I am getting some pushback from the clients, who claim that their assets
> > might come from CDNs, whose URLs usually differ from the callback URL
> > host. Additional feedback from Auth0, with whom I was having this
> > discussion, was also that the native type client (= not web) would require
> > a http://localhost callback anyway, so there this check wouldn’t work
> > very well anyway. Also for cases where there’s an identity broker in
> > between, such as with Auth0, it’s usually not what you want as a developer.
> > Finally, and since more than one redirect_uri can be registered at the
> > IdP, what prevents a malicious client from registering, besides their real
> > redirect_uri, additional random-hosts-under-attack just to satisfy the
> > aforementioned check, thus rendering it useless?
> >
> > All in all, for me it looks like the spec recommendation is
> > outdated/insufficient/counterproductive. I'd love to hear your thoughts
> > about that.
> >
> > Best,
> > Marcos
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
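As an added illustration (not code from this thread or from any OpenID project), the two checks discussed above side by side: the registration-time host comparison from the spec's security considerations, and the alternative Marcos proposes of comparing against the concrete redirect_uri of the authorization request. The client metadata, hostnames and the padded registration are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed client metadata as it could arrive at an open registration endpoint.
# HONEST_CLIENT serves its logo from a CDN (the pushback Marcos describes).
# PADDED_CLIENT registers an extra, unrelated redirect_uri host so that the
# registration-time host check is satisfied (the weakness Marcos points out).
HONEST_CLIENT = {
    "redirect_uris": ["https://app.example/cb"],
    "logo_uri": "https://cdn.example/app/logo.png",
    "policy_uri": "https://app.example/policy",
}
PADDED_CLIENT = {
    "redirect_uris": ["https://app.example/cb", "https://other.example/cb"],
    "logo_uri": "https://other.example/logo.png",
    "policy_uri": "https://other.example/policy",
}

SECONDARY_URIS = ("logo_uri", "policy_uri")


def _host(uri):
    """Lower-cased hostname of a URI, or '' if it has none."""
    return (urlsplit(uri).hostname or "").lower()


def registration_time_check(meta):
    """Spec recommendation: each logo/policy host must appear among the hosts
    of the registered redirect_uris array. Any registered host satisfies it."""
    allowed = {_host(u) for u in meta["redirect_uris"]}
    return all(_host(meta[k]) in allowed for k in SECONDARY_URIS if k in meta)


def auth_request_check(meta, redirect_uri):
    """Alternative from the thread: at authorization-request time, require the
    logo/policy hosts to match the host of the concrete redirect_uri in use.
    The redirect_uri itself must still be an exact registered value."""
    if redirect_uri not in meta["redirect_uris"]:
        return False
    target = _host(redirect_uri)
    return all(_host(meta[k]) == target for k in SECONDARY_URIS if k in meta)


if __name__ == "__main__":
    print("registration, honest:", registration_time_check(HONEST_CLIENT))
    print("registration, padded:", registration_time_check(PADDED_CLIENT))
    print("auth request, padded -> app.example:",
          auth_request_check(PADDED_CLIENT, "https://app.example/cb"))
```

The padded registration passes the spec's check while the honest CDN-backed one fails; the request-time variant instead rejects the padded client whenever the flow actually lands on app.example, though the CDN case still needs a different answer.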