Showing posts from April, 2015

Open redirect in rfc6749 aka 'The OAuth 2.0 Authorization Framework'

tl;dr: The Internet Bug Bounty rewarded me with a bounty for an Open Redirect in rfc6749, aka 'The OAuth 2.0 Authorization Framework'. Here is the long version.

The Introduction

Several months ago I realized that if you want to implement an OAuth Authorization Server and follow the OAuth core spec verbatim, you might end up with an Open Redirect. There is still some debate about this class of vulnerability, since such redirects are often relatively benign, but not always (as we will see later). Despite all that, at that point I notified the OAuth working group. There was some longish discussion, but eventually (almost) everyone on the list agreed that this was somehow an issue (nowhere near the end of the world :)).

The Issue

Section 4.1.2.1 of the OAuth specification says: If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the r