New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow passing additional state #182
Conversation
Thanks for trying to solve this:
If you really want something like this I think you have 2 solutions:
|
Thank you for looking into this. But as I tried to explain in my comment to #184 my problem is not about dynamic lookup of But I understand your remarks about the impact on validation and the non |
With this explanation I guess I understand a bit more. I don't know what you are going to do on server B, but you are opening yourself up to a lot of attack vectors. How is your solution safe from these attacks? https://tools.ietf.org/html/rfc6749#section-10.12This will fail at the last step.. but server B may do stuff in between https://tools.ietf.org/html/rfc6749#section-10.14You are not verifying the state query with the cookie value so how do you know it was not tampered in flight. The cookie is only valid for a.com domain. https://tools.ietf.org/html/rfc6749#section-10.15You just set yourself up, for an attacker to redirect wherever Because I think so much depends on how server B.com is implemented and how A and B communicate, I don't think I would want to accept such a PR. I would advise you find a different overall solution here. Now, I've been known to be completely wrong on many occasions so feel free to demonstrate. |
I thought a lot about this the last days and I'm confident, that it won't open additional attack vectors, if server at "b.com" uses the same precautions than any OAuth service provider: only forward to registered redirect locations. Then why I'm arguing about this here (since redirect uris already need to be registered): my problem is mentioned in https://tools.ietf.org/html/rfc6819#section-5.2.3.5 (last note)
My server at "b.com" could implement a - yet to be developed - secure automatic registration/deregistration of a cluster of backend servers, which will handle the client authorization requests. The only thing I need for this is some piggy-backed information on the state token, since this is exchanged through the whole authorization (code) flow. To your questions:
As you said: it depends on what "b.com" will do with this information. If it doesn't check validity of the received piggy-backed state against its table of registered redirect locations, then you'll get an open redirector. But I think this is not a problem of Bell: an insecure OAuth service provider (without pre-registered redirect locations) would open the same attack vectors. I could imagine two problems:
Hopefully I'm not missing some important point... |
Ok sounds good,
I may have missed something since it's been a week but I think that covers it. I'll accept this. |
Thank you for checking! I'm going to prepare a new PR, but it'll take some days before I'm able to get back on this topic. |
@ldesplat: Finished now with refactoring. I hope this matches your expectations. |
This looks a lot better. I may have 1 comment, just give me a bit more time to figure it out but 👍 Thank you :) |
Thanks again :) |
Allow passing additional state
This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions. |
I'd like to add additional data to the OAuth state parameter. So far bell creates its state parameter by using an arbitrary nonce and there is no way for intercepting or extending the state.
This is useful due to restrictions on OAuth redirect_uri. Each provider has its own rules for the callback uri. E.g. OneDrive only allows urls from within a master domain. This makes development and testing complicated: I need to change allowed redirect uris for this. Also if you like to host multiple instances of an application on different domains, things get complicated - at least, or cannot be solved (OneDrive example). By passing additional data a central redirect location can decide where to forward a successful authorization request. Use the bell 'location' setting for this and provide your data by a state query parameter. Also you need to switch on this extension via 'allowRuntimeState'.