Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Validation of redirect_uri is not performed before redirect #627

Closed
1 of 2 tasks
ccbrown opened this issue Jul 31, 2024 · 9 comments · Fixed by #640
Closed
1 of 2 tasks

[Bug]: Validation of redirect_uri is not performed before redirect #627

ccbrown opened this issue Jul 31, 2024 · 9 comments · Fixed by #640
Assignees
@muhlemmer
Labels
auth bug Something isn't working released

Comments

@ccbrown
Copy link

ccbrown commented Jul 31, 2024
edited
Loading

Preflight Checklist

  • I could not find a solution in the documentation, the existing issues or discussions
  • I have joined the ZITADEL chat

Version

No response

Describe the problem caused by this bug

Authorization servers MUST NOT redirect the user to redirect URIs unless they are valid:

If the Redirection URI is invalid, the Authorization Server MUST NOT redirect the User Agent to the invalid Redirection URI.

Redirect URIs are only valid if they match a pre-registered URI:

This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison).

I believe the spec is clear here. However, this repo happily redirects users to any redirect URI, with no validation performed, on a variety of errors. This also has security implications.

To reproduce

Make a request like so:

/authorize?client_id=invalid&redirect_uri=https://invalid.com

The redirect_uri is invalid, as it is not a pre-registered value, but the client will be redirected anyway.

Screenshots

No response

Expected behavior

No response

Additional Context

No response
@ccbrown ccbrown added the bug Something isn't working label Jul 31, 2024
@ccbrown ccbrown changed the title [Bug]: Validation of redirect_uri is not performed before [Bug]: Validation of redirect_uri is not performed before redirect Jul 31, 2024
@muhlemmer
Copy link
Collaborator

I've just tested using our example, and cannot reproduce.:

go run github.com/zitadel/oidc/v3/example/server

I modified the client's requested redirect URL, so the auth request looks like:

http://localhost:9998/auth?client_id=web&prompt=Welcome+back%21&redirect_uri=http%3A%2F%2Ffoo%3A9999%2Fauth%2Fcallback&response_type=code&scope=openid+profile&state=2bf03663-a989-4ad6-94f2-46e324c7640d

The browser prints the correct error message:

The requested redirect_uri is missing in the client configuration. If you have any questions, you may contact the administrator of the application.

If you somehow able to pass invalid redirects, can you be more clear with:

  1. Version of the package you are using
  2. A minimal go implementation of an OIDC Provider or op.Server that allows an invalid redirect URL.

@muhlemmer muhlemmer moved this to 🧐 Investigating in Product Management Aug 1, 2024
@muhlemmer muhlemmer added auth waiting For some reason, this issue will have to wait. This can be a feedback that is being waited for, a de labels Aug 1, 2024
@ccbrown
Copy link
Author

ccbrown commented Aug 1, 2024
edited
Loading

@muhlemmer Thanks for the prompt response. This can be reproduced using any version of the package, including the latest main (b9bcd6aef9c19673fa9ef942a41ef987bf825a56).

It can be reproduced using your example server without modifications.

For example:

http://localhost:9998/auth?client_id=invalid&redirect_uri=https://invalid.com

Will redirect to:

https://invalid.com/?error=server_error&error_description=unable+to+retrieve+client+by+id

Many error cases such as that one do not perform any validity checks on redirect URIs.

@muhlemmer muhlemmer removed the waiting For some reason, this issue will have to wait. This can be a feedback that is being waited for, a de label Aug 2, 2024
@muhlemmer
Copy link
Collaborator

I see what's happening. As the client ID is incorrect, the lib can't find the client. In that case it returns a server_error, which allows redirect to happen. The only error type that disables redirect is the ErrInvalidRequestRedirectURI, which is never returned in this case as we don't get to validating any URI.

I will do some research what the correct error type should be for a non-existing client (server_error sounds wrong also) and disable the redirect.

@muhlemmer muhlemmer self-assigned this Aug 2, 2024
@muhlemmer muhlemmer moved this from 🧐 Investigating to 🐛 Bugs/Small Issues in Product Management Aug 2, 2024
@muhlemmer
Copy link
Collaborator

Thanks for the report BTW.

@muhlemmer
Copy link
Collaborator

The Oauth2 RFC 6749, section 4.1.2.1 is also pretty clear on this:

If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.

@ccbrown
Copy link
Author

ccbrown commented Aug 18, 2024
edited
Loading

Any movement on this? If this was categorized as a "small issue" I believe you should reconsider. This issue means every user of your library is susceptible to what's typically around a 6.1 CVSS vulnerability. Respectfully, I don't see anything in your "Sprint Backlog" or "In Progress" columns that should be a higher priority than this for a company specializing in identity infrastructure.

If you don't have the resources, let me know and I'll be happy to take a stab at a pull request.

@muhlemmer
Copy link
Collaborator

Hi, small issue means we don't need to plan it to fix it, because it's supposedly under a day work. We work on small issues between prioritized issues. It doesn't mean it is low priority.

I already did som preliminary work, but halted for a bit because I need to rethink some of the op.Servers AuthRequest verification logic. As in there we first verify the content of the request, and after that obtain the client. I intend to finish the fix this week.

@ccbrown
Copy link
Author

ccbrown commented Aug 19, 2024

Thanks for the update! I appreciate it!

muhlemmer added a commit that referenced this issue Aug 20, 2024
@muhlemmer
fix(op): do not redirect to unverified uri on error
8bed692 
Closes #627
@muhlemmer muhlemmer mentioned this issue Aug 20, 2024
Merged
13 tasks
muhlemmer added a commit that referenced this issue Aug 20, 2024
@muhlemmer
fix(op): do not redirect to unverified uri on error
e66758e 
Backport of #640
Related to #627
@muhlemmer muhlemmer mentioned this issue Aug 20, 2024
Merged
13 tasks
@muhlemmer muhlemmer moved this from 🐛 Bugs/Small Issues to 👀 In review in Product Management Aug 20, 2024
livio-a pushed a commit that referenced this issue Aug 21, 2024
@muhlemmer
fix(op): do not redirect to unverified uri on error (#641)
e8769ce 
* fix(op): do not redirect to unverified uri on error

Backport of #640
Related to #627

* adjust tests
@github-project-automation github-project-automation bot moved this from 👀 In review to ✅ Done in Product Management Aug 21, 2024
@github-actions GitHub Actions
Copy link

🎉 This issue has been resolved in version 3.27.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@muhlemmer muhlemmer

Labels
auth bug Something isn't working released
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(op): do not redirect to unverified uri on error zitadel/oidc
2 participants
@ccbrown @muhlemmer