<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">I think it's going to be so specific to
each RP that there's nothing we can codify in the spec that will
be universal enough to work. We probably should have had more
guidance as to what good checking mechanisms could be. Off the top
of my head:<br>
<br>
1) Strict full-string matching of whitelisted URLs at the RP<br>
2) Strict prefix matching based on RP's root (good for
single-site logins, for instance)<br>
3) Domain-based matching (good for clustered applications, where
the "login" gateway box might be one of many hosts)<br>
4) Regex or other pattern-based matching<br>
<br>
All of these have to be checked by the RP, not the OP, so unless
we want to pick one and only one of those cases we can't have the
OP checking for all possible RPs as well.<br>
<br>
-- Justin<br>
<br>
<br>
On 6/15/2014 7:34 PM, Mike Jones wrote:<br>
</div>
<blockquote
cite="mid:4E1F6AAD24975D4BA5B16804296739439AD6F957@TK5EX14MBXC292.redmond.corp.microsoft.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
noticed that, even in the OP-initiated case (which is a
special case of the general 3<sup>rd</sup> party-initiated
case), we don’t define any discovery parameters that the OP
can use to declare a legal list of </span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">target_link_uri<span
class="apple-converted-space"><span style="color:#0070C0"> </span></span></span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
values. (This would be somewhat similar in purpose to the
list of redirect_uris that a client declares in its
registration.) Should we have done that?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">In
your note below, I don’t see any general-purpose mechanism
that RPs could commit to code to prevent open redirection
via the
</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">target_link_uri<span
class="apple-converted-space"><span style="color:#0070C0"> </span></span></span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
when general 3<sup>rd</sup> party-initiated login is used.
Am I missing something, or are we missing something in this
regard in the specs?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
-- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
John Bradley [<a class="moz-txt-link-freetext" href="mailto:ve7jtb@ve7jtb.com">mailto:ve7jtb@ve7jtb.com</a>]
<br>
<b>Sent:</b> Friday, June 13, 2014 3:58 PM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> Roland Hedberg;
<a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] Questions about
third party initiated login<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The redirect URI needs to be checked to ensure
that it is inside the domain that the Client is willing to redirect
to. Typically this is some known landing page or deep link.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This sort of functionality is similar to
Shibboleth target or SAML 2.0 RelayState in IdP-Initiated
SSO.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">After a successful authentication the
client needs to create a session and redirect the user agent
to the target_link_uri. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Typically a Client might use state to
store the target_link_uri in the Authorization request. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Clients that support this also need to
perform some sort of sanity check on the target_link_uri,
and never redirect without a positive authentication
response.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">An attacker can always modify state as it
is not signed in the request. Generating a forged failed
response can trick some SP/Clients into redirecting and that
needs to be blocked.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">That was one of the reasons I created <a
moz-do-not-send="true"
href="http://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state">http://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">As a way that a Client can prevent
tampering with the target_uri (now that I think about it,
target_link_uri might be a better name to be consistent
with Connect)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">It may be that using signed state
directly from the IdP is a simpler solution to the
problem of IdP initiated login, saving a number of round
trips for the most common case.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For 3rd party, the way we have it in the
spec is with the 3rd party initiating the flow at the client
and the client being responsible for protecting the user and
itself from forged authentication requests.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">John B.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Jun 11, 2014, at 3:58 PM, Mike
Jones <<a moz-do-not-send="true"
href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>>
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">Hi
Roland. My replies are inline. I’ve cc’ed the
mailing list to allow others to comment on my
responses – especially the response about verifying
the<span class="apple-converted-space"> </span></span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">target_link_uri<span
class="apple-converted-space"><span
style="color:#0070C0"> </span></span><span
style="color:#0070C0">value to prevent it from
being an open redirector, which I’d like to hear
others’ thoughts on.</span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0"> </span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-----Original
Message-----<br>
From: Roland Hedberg [<a moz-do-not-send="true"
href="mailto:roland.hedberg@adm.umu.se"><span
style="color:purple">mailto:roland.hedberg@adm.umu.se</span></a>]<span
class="apple-converted-space"> </span><br>
Sent: Tuesday, June 10, 2014 11:03 PM<br>
To: Mike Jones<br>
Subject: Re: Notes from our interop conversation<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Hi
Mike,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">looked
some more at the third party (OP) initiated login.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">A
couple of questions:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-
target_link_uri redirect to after authentication.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Does
that mean that no access token request is performed
by the RP, just the authentication/authorization
request?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Sounds
reasonable since this is only about authentication,
right?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">There’s
intentionally nothing special about the
authentication behavior when the RP sends an
authentication request after receiving a third party
initiated login request. The OP should do whatever
it normally does, given the request parameters used
(such as the response_type, the scope values, the
“claims” values, etc.). That will include returning
an access token for most response_type values.
Also, the RP is free to use the access token to
obtain claims from the UserInfo endpoint, if it
desires, before redirecting to the<span
class="apple-converted-space"> </span></span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">target_link_uri<span
class="apple-converted-space"><span
style="color:#0070C0"> </span></span><span
style="color:#0070C0">location.</span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-
the RP MUST verify the target_link_uri. What does
this mean?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">That’s
a REALLY GOOD QUESTION. I don’t know what check the
RP should apply to the<span
class="apple-converted-space"> </span></span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">target_link_uri<span
class="apple-converted-space"><span
style="color:#0070C0"> </span></span><span
style="color:#0070C0">value to prevent it from
being used as an open redirector. My first
instinct was that it should check it against a
list of values provided by the OP in its discovery
document, but there are no such values defined,
and in fact, the initiator doesn’t have to be an
OP. John, you wrote this language, I believe.
What did you have in mind here?</span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">When
the user is redirected back to the target_link_uri,
is there anything attached to that, like an
id_token?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0"> </span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">No</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">What
are the error messages, if any?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0"> </span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">No
extra ones are defined. Given that the
authentication requests/responses are the normal
ones, no additional errors are needed for those.
The redirects either succeed or fail, with normal
browser errors happening on failure.</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0"> </span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">And
finally, if RPs support third-party login, that could
actually be used to test some of the RP's
functionality.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I
could use the login_hint to carry testing
information. Sneaky I know but .. :-)<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">Good
idea. :-)</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">--
Roland<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">“Education
is the path from cocky ignorance to miserable
uncertainty.” - Mark Twain<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0"> </span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">
--
Mike</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0"> </span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Helvetica","sans-serif"">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net"><span
style="color:purple">Openid-specs-ab@lists.openid.net</span></a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"><span
style="color:purple">http://lists.openid.net/mailman/listinfo/openid-specs-ab</span></a><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</blockquote>
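<p>The target_link_uri checks Justin lists above (full-string allowlist, RP-root prefix, domain match), together with John's point that the target should travel in tamper-evident state and be honoured only on a positive authentication response, as an added Python example that is not part of this thread or of any OpenID implementation. The allowlist, prefix, host set and HMAC key are constructed placeholders, and a plain HMAC-SHA256 over the state stands in for the JWT-encoded state draft John references.</p>

```python
# Added example (not from the thread or any OpenID project): RP-side policy check on
# target_link_uri plus HMAC-signed state. All policy values are constructed placeholders.
import base64, hashlib, hmac, secrets
from urllib.parse import urlsplit

EXACT_ALLOWLIST = {"https://rp.example.com/app/home"}       # 1) full-string allowlist
ROOT_PREFIX = "https://rp.example.com/app/"                 # 2) RP root prefix
ALLOWED_HOSTS = {"rp.example.com", "node2.rp.example.com"}  # 3) clustered login hosts
STATE_KEY = secrets.token_bytes(32)  # per-RP secret; a real RP persists and rotates it


def validate_target_link_uri(uri, mode):
    """True only if uri is a plain absolute https URL that passes the chosen policy."""
    try:
        p = urlsplit(uri)
        port = p.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # Refuse forms a browser may interpret differently from a naive string compare.
    if p.scheme != "https" or not p.hostname or p.username or p.password:
        return False
    if "\\" in uri or any(c.isspace() for c in uri):
        return False
    if mode == "exact":
        return uri in EXACT_ALLOWLIST
    if mode == "prefix":
        # Prefix must include the '/' after the host, or host-suffix look-alikes pass.
        return uri.startswith(ROOT_PREFIX)
    if mode == "domain":
        return p.hostname in ALLOWED_HOSTS and port in (None, 443)
    raise ValueError("unknown mode: " + mode)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_state(target_link_uri):
    """Bind the already-validated target into state: nonce + target, HMAC-SHA256 tagged."""
    payload = _b64(secrets.token_bytes(8) + target_link_uri.encode())
    tag = _b64(hmac.new(STATE_KEY, payload.encode(), hashlib.sha256).digest())
    return payload + "." + tag


def target_from_response(state, auth_succeeded):
    """Recover the target only from a positive auth response carrying untampered state."""
    if not auth_succeeded or state.count(".") != 1:
        return None  # a failed or forged response must never trigger the redirect
    payload, tag = state.split(".")
    expect = _b64(hmac.new(STATE_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag.encode(), expect.encode()):
        return None
    raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
    return raw[8:].decode()
```

The RP validates the incoming target_link_uri first, stores it via make_state in the authentication request, and calls target_from_response only after the OP's response has been checked as a success.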
<br>
</body>
</html>