proposal/discussion: OAuth - separate requirement for redirect_uri string-match registration and handling #1965

Open
elarlang opened this issue May 19, 2024 · 6 comments
Assignees
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet V51 Group issues related to OAuth _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@elarlang
Collaborator

elarlang commented May 19, 2024

spin-off from #1916 "Discussion/Proposal 3"

Probably I was the first one to say that redirect_uri validation is a duplicate of general open-redirect, but now I think it's important to have them as a separate requirement:

redirect_uri must be validated with the string-match method, which means no "wildcard" validations.

There are 2 parts:

  • Authorization Server must not accept anything other than (one of) the precise URLs from the pre-registered list
  • As a precondition: the OAuth Client must not send a business-logic URL to the Authorization Server. It is pretty much the same as Referrer leakage.

--
Feedback from @tghosth in #1916 (comment)

Suggest you propose an updated/added requirement.

@elarlang elarlang added the V51 Group issues related to OAuth label May 19, 2024
@jmanico
Member

jmanico commented May 20, 2024 via email

@tghosth tghosth added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - prep This needs to be addressed to prepare 5.0 labels May 23, 2024
@csfreak92
Collaborator

@elarlang, is this being addressed by my latest PR #1971? Or am I missing something about it?

@elarlang
Collaborator Author

Hi @csfreak92, let's find agreement in the issue first and then do the PR. Discussion over PRs is complicated to follow.

We also need to think about whether we should have one common requirement for OAuth and OIDC or not.

I prefer requirement text with the idea like:

Verify that the Authorisation Server accepts the redirect URI value from the Client that belongs to the pre-registered list of allowed values using the string-match method, e.g. wildcards are not in use.

@csfreak92
Collaborator

Understood, but I just pushed my PR since it has been sitting in my local for a while and I thought better to have it out there than get lost somewhere as I have worked on it the past few months. :)

Can we agree over discussion and if they are already covered in the PR then that's good and then if not or needs some modifications, then I would modify them as needed?

@csfreak92
Collaborator

Verify that the Authorization Server accepts the redirect URI value from the Client that belongs to the pre-registered list of allowed values using the string-match method, e.g. wildcards are not in use.

@elarlang, I like this text though, sorry, I missed it. How would a pre-registered list of allowed values be handled? Should we add text in the chapter/section on how this should be done? Also, the string-match method seems like regex, right?

@elarlang
Collaborator Author

elarlang commented Jun 5, 2024

How would a pre-registered list of allowed values be handled? Should we add a text in the chapter/section how this should be done?

I don't think we need to provide guidance for OAuth Client configuration.

Also, string-match method seems like regex, right?

No, it's the opposite. String-match against a pre-registered list of full values means that you should not use any regex, substring, wildcard, etc. The provided redirect_uri value must exist in the pre-registered address list exactly as it is.
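An added example (not ASVS text or any Authorization Server's code) of the string-match check described in this thread, placed beside the prefix-style check the proposed requirement forbids; the client ids, registered URIs and sample requests are constructed:

```python
"""Exact string-match validation of redirect_uri at the Authorization Server.

Added example for the requirement proposed in this issue; it is not ASVS
text or any real server's code. Client ids, registered URIs and the sample
requests below are constructed.
"""
from typing import Dict, Tuple

# Constructed registration store: each client registers complete URIs out of
# band. Entries are full values, never patterns, prefixes or wildcards.
REGISTERED_REDIRECT_URIS: Dict[str, Tuple[str, ...]] = {
    "web-app-1": (
        "https://app.example.com/oauth/callback",
        "https://app.example.com/oauth/callback-admin",
    ),
    "native-app-2": ("com.example.app:/oauth2redirect",),
}

def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """String-match check: the presented value must equal one registered value
    exactly. No normalisation, no regex, no substring or prefix matching."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, ())

def redirect_uri_allowed_by_prefix(client_id: str, redirect_uri: str) -> bool:
    """Counter-example only: the 'wildcard-like' prefix check the requirement
    forbids, kept here to show which values it lets through."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, ())
    return any(redirect_uri.startswith(r) for r in registered)

def compare_checks(client_id: str, redirect_uri: str) -> Dict[str, bool]:
    """Evaluate one authorization request under both checks."""
    return {
        "string_match": redirect_uri_allowed(client_id, redirect_uri),
        "prefix_match": redirect_uri_allowed_by_prefix(client_id, redirect_uri),
    }

if __name__ == "__main__":
    # Constructed authorization requests: the registered value, then values
    # that differ only by an appended query string, an extra path or case.
    for uri in (
        "https://app.example.com/oauth/callback",
        "https://app.example.com/oauth/callback?next=1",
        "https://app.example.com/oauth/callback/extra",
        "https://APP.example.com/oauth/callback",
    ):
        print(f"{uri:55} {compare_checks('web-app-1', uri)}")
```

Only the first request passes the string-match check; the prefix check accepts three of the four, which is exactly the gap the requirement is meant to close.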
