
Security consideration: add warning about creating phishing links #69

Open
aaronpk opened this issue Apr 27, 2021 · 3 comments

Comments

@aaronpk

aaronpk commented Apr 27, 2021

Under certain circumstances, PAR could be used to create phishing links at the authorization server's domain. This should be listed as a security consideration, along with the circumstances under which this can happen and how to avoid it.

Specifically, if a public OAuth API (e.g. github, google, twitter) uses PAR, then a malicious developer could register a client with a redirect URI of the attacker's website, then create a PAR request that will redirect to that URI (either with a valid authorization code if the user approves the request, or with an error code if the user denies or if there is some other problem). This also applies to authorization servers supporting unauthenticated dynamic client registration.

The difference between this and the traditional OAuth model is that the malicious redirect would not be visible until after the redirect has happened, whereas in traditional OAuth it would be in the actual authorization URL itself as the redirect_uri parameter. Essentially PAR lets an attacker mask the redirect URI under the opaque request_uri.

There is no mitigation for these situations, so they should be called out so developers are aware of the risk. To avoid the potential for these attacks, the authorization server would need to prevent arbitrary client registration or have a manual approval process.
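The following is an added illustration, not code from the issue thread or from any PAR implementation: a toy model of an authorization server's pushed authorization request endpoint. It shows the two points the comment above makes, namely that the front-channel authorization URL built from a request_uri no longer reveals the redirect_uri, and that the only lever the authorization server has is a registration policy (here a constructed `vetted` flag on the client record, standing in for manual approval or a confidential-client requirement) that decides whether a client may obtain a request_uri at all. All client identifiers, secrets, URLs and the `require_vetted_for_par` switch are constructed for the example.

```python
"""Toy model of an OAuth 2.0 authorization server with a PAR endpoint.

Added example code (not part of the issue or any PAR library). The
client records, URLs and the `vetted` / `require_vetted_for_par`
policy knobs are constructed to illustrate the registration-policy
mitigation discussed in the issue.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"


@dataclass
class Client:
    client_id: str
    redirect_uris: List[str]
    vetted: bool                        # constructed: manually approved / confidential client
    client_secret: Optional[str] = None  # None models an unauthenticated (public) client


@dataclass
class AuthorizationServer:
    issuer: str
    require_vetted_for_par: bool = True  # constructed policy switch for the example
    clients: Dict[str, Client] = field(default_factory=dict)
    pushed: Dict[str, dict] = field(default_factory=dict)

    def register_client(self, client: Client) -> None:
        """Models (possibly unauthenticated, dynamic) client registration."""
        self.clients[client.client_id] = client

    def par(self, client_id: str, redirect_uri: str, client_secret: Optional[str] = None):
        """PAR endpoint. Returns (http_status, json_body)."""
        client = self.clients.get(client_id)
        if client is None:
            return 401, {"error": "invalid_client"}
        if client.client_secret is not None and client_secret != client.client_secret:
            return 401, {"error": "invalid_client"}
        if redirect_uri not in client.redirect_uris:
            return 400, {"error": "invalid_request"}
        # The mitigation named in the issue: do not mint an opaque request_uri
        # for clients that were never vetted, so the AS domain cannot be used
        # to front a redirect to a destination nobody reviewed.
        if self.require_vetted_for_par and not client.vetted:
            return 403, {"error": "unauthorized_client"}
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(16)
        self.pushed[request_uri] = {"client_id": client_id, "redirect_uri": redirect_uri}
        return 201, {"request_uri": request_uri, "expires_in": 60}

    def authorization_url(self, client_id: str, request_uri: str) -> str:
        """Front-channel URL the user is sent to; carries only the opaque request_uri."""
        return f"{self.issuer}/authorize?" + urlencode(
            {"client_id": client_id, "request_uri": request_uri}
        )

    def redirect_target(self, authorization_url: str) -> str:
        """Where the user ends up after approving or denying: resolved server-side only."""
        query = parse_qs(urlparse(authorization_url).query)
        request_uri = query["request_uri"][0]
        return self.pushed[request_uri]["redirect_uri"]


def visible_redirect_uri(authorization_url: str) -> Optional[str]:
    """What a user (or a link scanner) can read off the URL itself.

    Traditional authorization URLs carry redirect_uri in the query string;
    PAR-based ones do not, which is the masking effect the issue describes.
    """
    query = parse_qs(urlparse(authorization_url).query)
    values = query.get("redirect_uri")
    return values[0] if values else None


if __name__ == "__main__":
    # Constructed scenario: one vetted confidential client, one self-registered public client.
    as_ = AuthorizationServer(issuer="https://as.example")
    as_.register_client(Client("trusted-app", ["https://app.example/cb"], vetted=True, client_secret="s3cret"))
    as_.register_client(Client("dyn-123", ["https://unknown-site.example/cb"], vetted=False))
    print("unvetted client PAR ->", as_.par("dyn-123", "https://unknown-site.example/cb"))
    status, body = as_.par("trusted-app", "https://app.example/cb", client_secret="s3cret")
    url = as_.authorization_url("trusted-app", body["request_uri"])
    print("authorize URL:", url)
    print("redirect visible in URL:", visible_redirect_uri(url))
    print("actual redirect target:", as_.redirect_target(url))
```

With `require_vetted_for_par=False` the same server happily mints a request_uri for the self-registered client, and the resulting `https://as.example/authorize?...` link reveals nothing about where it will land; that is the configuration the issue asks to be called out in the security considerations.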

@tlodderstedt
Collaborator

I agree, PAR can be used to produce short URLs on the AS's domain. However, your proposal would effectively limit use of PAR to vetted, confidential clients. Do you think this is appropriate/needed?

I think the recommendation given in the Security BCP (https://tools.ietf.org/html/draft-ietf-oauth-security-topics-18#section-4.10.2) is still applicable.

@aaronpk
Author

aaronpk commented Apr 27, 2021

I'm not suggesting limiting any functionality, just pointing out the situation when used without client authentication under security considerations.

@tlodderstedt
Collaborator

Understood. Would you expect any recommendation beyond https://tools.ietf.org/html/draft-ietf-oauth-security-topics-18#section-4.10.2?
