[Openid-specs-mobile-profile] CIBA New text regarding HTTP status code during Client Notification.

Axel.Nennker at telekom.de
Wed Jun 7 14:28:12 UTC 2017


I do not know whether there is a real risk... but it feels like the redirect url should be fixed at registration time.
https://bitbucket.org/openid/mobile/commits/309af4e910ddb6e3852b3a8dac525d93beb30593

Feedback from others?

Axel

From: Manger, James [mailto:James.H.Manger at team.telstra.com]
Sent: Wednesday, 7 June 2017 10:55
To: openid-specs-mobile-profile at lists.openid.net; Nennker, Axel <Axel.Nennker at telekom.de>
Subject: RE: [Openid-specs-mobile-profile] CIBA New text regarding HTTP status code during Client Notification.

What is missing is the rationale for OPs not following redirects. There shouldn't be any security issue, as long as redirects are to HTTPS.
If there is a real risk, then explain it and say OPs MUST NOT follow redirects.
If it is a reasonable policy by some OPs to minimise what they support to minimise attack surface, say Clients SHOULD NOT return redirects.
If it is OPs trying to avoid some effort then drop the whole line. Expect OPs to support normal HTTP that includes supporting redirects.
--
James Manger

________________________________
From: Axel.Nennker at telekom.de
Sent: Wednesday, June 7, 2017 6:23:55 PM
To: Manger, James; openid-specs-mobile-profile at lists.openid.net
Subject: RE: [Openid-specs-mobile-profile] CIBA New text regarding HTTP status code during Client Notification.

How about:
https://bitbucket.org/openid/mobile/commits/6f5c9035ca46d657ce75be1cf87f64a8ef7dc112

         <t>
           The Client Notification Endpoint SHOULD response with a HTTP 204 No Content.
-          The OP SHOULD accept HTTP 200 OK and any body in the response SHOULD be ignored.
+          The OP SHOULD also accept HTTP 200 OK and any body in the response SHOULD be ignored.
         </t>
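Review bot: the unchanged context line "The Client Notification Endpoint SHOULD response with a HTTP 204 No Content." keeps a grammar error while this paragraph is being edited; suggest "SHOULD respond with an HTTP 204 No Content".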
         <t>
-          The  SHOULD    HTTP 3xx .
-      .
+          The Client SHOULD NOT return an HTTP 3xx code. The OP SHOULD NOT follow redirects.
         </t>
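Review bot: the added sentence "The OP SHOULD NOT follow redirects." gives a requirement with no rationale, so a reader cannot tell whether it is a security rule (where MUST NOT would be expected) or a deliberate limitation of what OPs support; suggest one sentence stating why, placed next to the client-side "SHOULD NOT return an HTTP 3xx code".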

//Axel

From: Manger, James [mailto:James.H.Manger at team.telstra.com]
Sent: Wednesday, 7 June 2017 09:58
To: Nennker, Axel <Axel.Nennker at telekom.de>; openid-specs-mobile-profile at lists.openid.net
Subject: RE: [Openid-specs-mobile-profile] CIBA New text regarding HTTP status code during Client Notification.

Suggest tweaks:

+        <t>
+          The Client Notification Endpoint SHOULD respond with HTTP 204 No Content.
+          The OP SHOULD also accept HTTP 200 OK, ignoring any response body.
+        </t>
+        <t>
+          The Client SHOULD NOT return an HTTP 3xx code as the OP might not follow redirects.
+        </t>
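Review bot: "as the OP might not follow redirects" states the OP's behaviour as a possibility rather than a rule, so an OP that does follow a 3xx remains conformant and the client's SHOULD NOT has no firm basis; suggest either adding the OP-side requirement ("The OP SHOULD NOT follow redirects.") or dropping the clause.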
+        <t>
+          How the OP handles HTTP error codes in the ranges of 4xx and 5xx is out-of-range of this specification.
+          Administrative action is like to be needed in these cases.
+        </t>
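Review bot: the 4xx/5xx paragraph is carried over with its wording errors: "like to be needed" should read "likely to be needed", and "out-of-range of this specification" should read "out of scope for this specification".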

--
James Manger

From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Axel.Nennker at telekom.de
Sent: Wednesday, 7 June 2017 5:45 PM
To: openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] CIBA New text regarding HTTP status code during Client Notification.

Hi all,

please see:
https://bitbucket.org/openid/mobile/commits/b33dba96dc99eeee001c8b6bf424dc193886229f?at=default

+        <t>
+          The Client Notification Endpoint SHOULD response with a HTTP 204 No Content.
+          The OP SHOULD accept HTTP 200 OK and any body in the response SHOULD be ignored.
+        </t>
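Review bot: "SHOULD response with a HTTP 204 No Content" should read "SHOULD respond with an HTTP 204 No Content".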
+        <t>
+          The OP SHOULD not follow redirects. HTTP 3xx codes SHOULD be ignored.
+          Administrative action is like to be needed.
+        </t>
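Review bot: "SHOULD not" mixes cases in an RFC 2119 keyword and should be "SHOULD NOT"; in the same paragraph, "HTTP 3xx codes SHOULD be ignored" followed by "Administrative action is like to be needed" reads as contradictory (ignored, yet needing action) and "like" should be "likely". Suggest: "The OP SHOULD NOT follow redirects. A 3xx response SHOULD be treated as a failed notification; administrative action is likely to be needed."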
+        <t>
+          How the OP handles HTTP error codes in the ranges of 4xx and 5xx is out-of-range of this specification.
+          Administrative action is like to be needed in these cases.
+        </t>
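Review bot: "out-of-range of this specification" should read "out of scope for this specification", and "Administrative action is like to be needed" should read "likely to be needed".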

Cheers
Axel

https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#issuing_successful_token
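The OP-side handling the proposed text describes (accept 204 and 200 and ignore the body, do not follow a 3xx, leave 4xx/5xx to an administrator), as an added example in Python that is not part of this thread or of the CIBA specification. The stub Client Notification Endpoint, the bearer token and the auth_req_id value are constructed for the example; urllib is used with its redirect handler disabled so that a 3xx surfaces as a status code instead of a second request to the Location target.

```python
"""Added example (not from the thread or the CIBA spec): an OP delivering a
client notification and acting on the status code per the proposed text."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Tuple

ACCEPTED = "accepted"                              # 204 (preferred) or 200, body ignored
REDIRECT_NOT_FOLLOWED = "redirect_not_followed"    # 3xx: Location is never fetched
NEEDS_ADMIN_ACTION = "needs_admin_action"          # 4xx/5xx: out of scope, flag for an operator


def classify_status(status: int) -> str:
    """Map the Client Notification Endpoint's status code to the OP's disposition."""
    if status in (204, 200):
        return ACCEPTED
    if 300 <= status < 400:
        return REDIRECT_NOT_FOLLOWED
    return NEEDS_ADMIN_ACTION


class NoRedirectHandler(urllib.request.HTTPRedirectHandler):
    """urllib follows 3xx by default; returning None makes the 3xx surface as an
    HTTPError instead of a second request to the Location target."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def deliver_notification(endpoint: str, bearer_token: str, payload: dict,
                         timeout: float = 5.0) -> Tuple[int, str]:
    """POST the notification exactly once; return (status, disposition).
    Any response body is read and discarded."""
    req = urllib.request.Request(
        endpoint, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})
    opener = urllib.request.build_opener(NoRedirectHandler)
    try:
        with opener.open(req, timeout=timeout) as resp:
            resp.read()
            status = resp.status
    except urllib.error.HTTPError as err:   # 3xx, 4xx and 5xx all land here
        status = err.code
    return status, classify_status(status)


class StubClientEndpoint(BaseHTTPRequestHandler):
    """Constructed stand-in for a Client Notification Endpoint, for the example
    only: the request path selects the status it returns (POST /302 -> 302)."""
    requests_seen = []   # every path hit, to show the Location target is never fetched

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        type(self).requests_seen.append(self.path)
        status = int(self.path.strip("/"))
        body = b'{"note": "a 200 body the OP must ignore"}' if status == 200 else b""
        self.send_response(status)
        if 300 <= status < 400:
            self.send_header("Location", "/204")
        if status != 204:
            self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass   # keep the default per-request stderr log quiet


def start_stub_endpoint() -> str:
    """Serve the stub on an ephemeral loopback port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), StubClientEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"


def requests_seen() -> list:
    return list(StubClientEndpoint.requests_seen)


if __name__ == "__main__":
    base = start_stub_endpoint()
    sample = {"auth_req_id": "example-auth-req-id"}   # constructed payload
    for code in (204, 200, 302, 401, 500):
        print(code, deliver_notification(f"{base}/{code}", "example-token", sample))
    print("paths the stub actually served:", requests_seen())
```

Running the block shows the 302 case returning (302, "redirect_not_followed") while the stub's request log contains "/204" only once: the redirect target was not fetched, which is exactly the difference between the urllib default and the behaviour the proposed text asks of an OP.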

