<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>The OP won't see the target URL at all, unless it is creating the request, and those are not the ones to worry about. The problematic ones are not going to be coming from the IdP but rather third parties. </div><div><br></div><div>The alternate method I came up with has the advantage of the client only taking requests from the IdP. This is however a disadvantage if you really want a 3rd party initiation. <br><br>Sent from my iPhone</div><div><br>On Jun 15, 2014, at 8:11 PM, Justin Richer <<a href="mailto:jricher@MIT.EDU">jricher@MIT.EDU</a>> wrote:<br><br></div><blockquote type="cite"><div>
<div class="moz-cite-prefix">I think it's going to be so specific to
each RP that there's nothing we can codify in the spec that will
be universal enough to work. We probably should have had more
guidance as to what good checking mechanisms could be. Off the top
of my head:<br>
<br>
1) Strict full-string matching of whitelisted URLs at the RP<br>
2) Strict prefix matching based on RP's root (good for
single-site logins, for instance)<br>
3) Domain-based matching (good for clustered applications, where
the "login" gateway box might be one of many hosts)<br>
4) Regex or other pattern based matching<br>
<br>
All of these have to be checked by the RP, not the OP, so unless
we want to pick one and only one of those cases we can't have the
OP checking for all possible RPs as well.<br>
<br>
-- Justin<br>
<br>
<br>
On 6/15/2014 7:34 PM, Mike Jones wrote:<br>
</div>
<blockquote cite="mid:4E1F6AAD24975D4BA5B16804296739439AD6F957@TK5EX14MBXC292.redmond.corp.microsoft.com" type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
noticed that, even in the OP-initiated case (which is a
special case of the general 3<sup>rd</sup> party-initiated
case), we don’t define any discovery parameters that the OP
can use to declare a legal list of </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">target_link_uri<span class="apple-converted-space"><span style="color:#0070C0"> </span></span></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
values. (This would be somewhat similar in purpose to the
list of redirect_uris that a client declares in its
registration.) Should we have done that?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">In
your note below, I don’t see any general-purpose mechanism
that RPs could commit to code to prevent open redirection
via the
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">target_link_uri<span class="apple-converted-space"><span style="color:#0070C0"> </span></span></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
when general 3<sup>rd</sup> party-initiated login is used.
Am I missing something, or are we missing something in this
regard in the specs?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
-- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
John Bradley [<a class="moz-txt-link-freetext" href="mailto:ve7jtb@ve7jtb.com">mailto:ve7jtb@ve7jtb.com</a>]
<br>
<b>Sent:</b> Friday, June 13, 2014 3:58 PM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> Roland Hedberg;
<a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] Questions about
third party initiated login<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The redirect URI needs to be checked that
it is inside the domain that the Client is willing to redirect
to. Typically this is some known landing page or deep link.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This sort of functionality is similar to
Shibboleth target or SAML 2.0 RelayState in IdP-Initiated
SSO.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">After a successful authentication The
client needs to create a session and redirect the user agent
to the target_link_uri. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Typically a Client might use state to
store the target_link_uri in the Authorization request. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Clients that support his also need to
preform some sort of sanity check on the target_link_uri,
and never redirect without a positive authentication
response.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">An attacker can always modify state as it
is not signed in the request. Generating a forged failed
response can trick some SP/Clients into redirecting and that
needs to be blocked.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">That was one of the reasons I created. <a moz-do-not-send="true" href="http://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state">http://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">As a way that a Client can prevent
tampering with the target_uri (now that I think about it,
target_link_uri might be a better name to be consistent
with Connect)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">It may be that using signed state
directly from the IdP may be a simpler solution to the
problem of IdP initiated login saving a number of round
trips for the most common case.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For 3rd party the way we have it in the
spec with the 3rd party initiating the flow at the client
and the client being responsible for protecting the user and
itself from forged authentication requests.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">John B.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Jun 11, 2014, at 3:58 PM, Mike
Jones <<a moz-do-not-send="true" href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>>
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">Hi
Roland. My replies are inline. I’ve cc’ed the
mailing list to allow others to comment on my
responses – especially the response about verifying
the<span class="apple-converted-space"> </span></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">target_link_uri<span class="apple-converted-space"><span style="color:#0070C0"> </span></span><span style="color:#0070C0">value to prevent it from
being an open redirector, which I’d like to hear
others’ thoughts on.</span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-----Original
Message-----<br>
From: Roland Hedberg [<a moz-do-not-send="true" href="mailto:roland.hedberg@adm.umu.se"><span style="color:purple">mailto:roland.hedberg@adm.umu.se</span></a>]<span class="apple-converted-space"> </span><br>
Sent: Tuesday, June 10, 2014 11:03 PM<br>
To: Mike Jones<br>
Subject: Re: Notes from our interop conversation<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Hi
Mike,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">looked
some more at the third party (OP) initiated login.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">A
couple of questions:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-
target_link_uri redirect to after authentication.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">does
that mean that no access token request are performed
by the RP, just the authentication/authorization
request.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Sounds
reasonable since this is only about authentication,
right?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">There’s
intentionally nothing special about the
authentication behavior when the RP sends an
authentication request after receiving a third party
initiated login request. The OP should do whatever
it normally does, given the request parameters used
(such as the response_type, the scope values, the
“claims” values, etc.). That will include returning
an access token for most response_type values.
Also, the RP is free to use the access token to
obtain claims from the UserInfo endpoint, if it
desires, before redirecting to the<span class="apple-converted-space"> </span></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">target_link_uri<span class="apple-converted-space"><span style="color:#0070C0"> </span></span><span style="color:#0070C0">location.</span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">-
the RP MUST verify the target_link_uri. What does
this mean?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">That’s
a REALLY GOOD QUESTION. I don’t know what check the
RP should apply to the<span class="apple-converted-space"> </span></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">target_link_uri<span class="apple-converted-space"><span style="color:#0070C0"> </span></span><span style="color:#0070C0">value to prevent it from
being used as an open redirector. My first
instinct was that it should check it against a
list of values provided by the OP in its discovery
document, but there are no such values defined,
and in fact, the initiator doesn’t have to be an
OP. John, you wrote this language, I believe.
What did you have in mind here?</span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">When
the user is redirected back to the target_link_uri
is there anything attached to that, like an
id_token.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">No</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">What
are the error messages, if any?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">No
extra ones are defined. Given that the
authentication requests/responses are the normal
ones, no additional errors are needed for those.
The redirects either succeed or fail, with normal
browser errors happening on failure.</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">And
finally, if RPs support third party login that could
actually be used to test some of the RP’s
functionality.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I
could use the login_hint to carry testing
information. Sneaky I know but .. :-)<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">Good
idea. :-)</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">--
Roland<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">"Education
is the path from cocky ignorance to miserable
uncertainty.” - Mark Twain<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">
--
Mike</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0"> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a moz-do-not-send="true" href="mailto:Openid-specs-ab@lists.openid.net"><span style="color:purple">Openid-specs-ab@lists.openid.net</span></a><br>
<a moz-do-not-send="true" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"><span style="color:purple">http://lists.openid.net/mailman/listinfo/openid-specs-ab</span></a><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</blockquote>
<br>
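<div><br></div><div>Added editorial example, not part of this thread and not code from the OpenID specs or any of the participants: a Python sketch of the RP-side checks the messages above discuss. It implements Justin Richer's four target_link_uri matching mechanisms (strict full-string allowlist, prefix under the RP root, domain-based, pattern-based) on parsed URL components rather than raw strings, and John Bradley's rule that the RP redirects only after a positive authentication response. The policy table, host names, response parameters and every function name are constructed for the example; only the Python standard library is used.</div>

```python
"""Added example (not from the thread): RP-side validation of a
target_link_uri for OpenID Connect third-party-initiated login.
All hosts, policy entries and response parameters are constructed."""
import re
from urllib.parse import urlsplit

# Constructed sample RP policy (hypothetical hosts). A real RP picks the one
# mechanism that fits its deployment; all four are shown here for contrast.
POLICY = {
    "exact": {"https://rp.example.com/app/home",
              "https://rp.example.com/app/settings"},
    "prefix": "https://rp.example.com/app/",
    "domains": {"rp.example.com", "example-cluster.net"},
    "patterns": [re.compile(r"^https://node\d{1,3}\.example-cluster\.net/login/?$")],
}


def _parse(uri):
    """Structural sanity check shared by every mechanism: absolute https URL,
    non-empty host, valid port, no userinfo, no fragment. Returns the split
    result, or None when the value is unusable as a redirect target."""
    try:
        parts = urlsplit(uri)
        parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # rejects https://rp.example.com@other.example/ forms
    if parts.fragment:
        return None
    return parts


def naive_prefix_match(uri, root):
    """The weak version, kept only to contrast with prefix_match: a raw
    string prefix lets root https://rp.example.com accept a longer host."""
    return uri.startswith(root)


def exact_match(uri, allowed):
    """Mechanism 1: strict full-string allowlist."""
    return uri in allowed


def prefix_match(uri, root):
    """Mechanism 2: prefix under the RP's root, compared on parsed host, port
    and path so that neither a longer host nor /application for /app passes."""
    parts, root_parts = _parse(uri), _parse(root)
    if parts is None or root_parts is None:
        return False
    if (parts.hostname, parts.port) != (root_parts.hostname, root_parts.port):
        return False
    base = root_parts.path.rstrip("/")
    return parts.path == base or parts.path.startswith(base + "/")


def domain_match(uri, domains):
    """Mechanism 3: host is a listed domain or a subdomain of one; the dot
    boundary is what keeps evilrp.example.com from matching rp.example.com."""
    parts = _parse(uri)
    if parts is None:
        return False
    host = parts.hostname
    return any(host == d or host.endswith("." + d) for d in domains)


def pattern_match(uri, patterns):
    """Mechanism 4: anchored regular expressions over the whole string."""
    return _parse(uri) is not None and any(p.fullmatch(uri) for p in patterns)


CHECKS = {
    "exact": lambda uri, p: exact_match(uri, p["exact"]),
    "prefix": lambda uri, p: prefix_match(uri, p["prefix"]),
    "domain": lambda uri, p: domain_match(uri, p["domains"]),
    "pattern": lambda uri, p: pattern_match(uri, p["patterns"]),
}


def validate_target_link_uri(uri, mode, policy=POLICY):
    """True when the URI passes the structural check and the RP's chosen
    mechanism (mode is one of the CHECKS keys)."""
    return _parse(uri) is not None and CHECKS[mode](uri, policy)


def redirect_after_auth(auth_response, stored_target, mode, policy=POLICY):
    """Where to send the user agent once the OP has answered. stored_target is
    the target_link_uri the RP kept server-side (or in integrity-protected
    state) when it issued the authentication request; auth_response is the
    dict of response parameters after ID Token validation. An error response,
    forged or real, never yields a redirect; neither does an unvalidated target."""
    if "error" in auth_response:
        return None
    if not ("code" in auth_response or "id_token" in auth_response):
        return None
    if not validate_target_link_uri(stored_target, mode, policy):
        return None
    return stored_target
```

<div>The structural check runs before any of the four mechanisms, so a non-https scheme, a userinfo component or a fragment is rejected whichever matching mode the RP configured; <code>naive_prefix_match</code> is there only to show why the prefix comparison is done on the parsed host and path instead of the raw string.</div>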
</div></blockquote></body></html>