Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

how are redirect_urls authenticated? #22

Closed
bblfish opened this issue Sep 25, 2019 · 6 comments
Closed

how are redirect_urls authenticated? #22

bblfish opened this issue Sep 25, 2019 · 6 comments

Comments

@bblfish
Copy link
Member

bblfish commented Sep 25, 2019
edited
Loading

As I understand identifying Apps indirectly via the Origin header is now no no longer correct, and one should use the redirect_url of OAuth as an identifier for the app. It is clear that Origins are much too broad to identify a single application.

I am not sure though how the OAuth Authorization server authenticates the app? How does the OAuth server distinguish one app from an origin from another?
@zenomt
Copy link
Contributor

zenomt commented Sep 25, 2019

there are two main issues with the Origin header. the most important one is that, when authenticating with a bearer token (under control of Javascript and able to be sent to other agents), the Origin header can't be trusted by the Resource Server or the user because it might not be coming from the user's trusted web browser (and therefore might be set to anything). the other issue is that the user might wish finer granularity than Origin to identify apps she's using, particularly when she trusts the origin enough to host independent apps (say, because she controls the origin, or it's https://solid.github.io or something).

the authenticity of the redirect_uri is established to the user via her trust in her web browser and her OpenID Connect Provider. the OP sends the id_token and/or access token and/or authorization code to the app by redirecting to the redirect_uri with this information encoded in the URI query or fragment identifier. the user trusts her OP to do this redirect, and she trusts her browser to follow this redirect and handle it correctly. a generally trustworthy OP is supposed to take steps to ensure its login and consent screens (if any) are running in a no-frames non-inspectable-by-the-app not-drivable-by-the-app frame-busted clickjack-safe trusted browser context, and the user is supposed to take care that she never gives her login credentials or consent except to her OP showing in such a safe context.

the Resource Server ultimately has to believe the user about the redirect_uri, because it's not independently authenticated by the RS (only by the user).

note that the user herself can cause an OP to claim a different redirect_uri by using a modified user agent or something like curl. the OP has no way to know that a redirect_uri is actually followed. note too that the user can run her own OP and make it claim anything.

@bblfish
Copy link
Member Author

bblfish commented Sep 26, 2019

Thanks for the details.

So for web sites that ask you to login via say Twitter or Github, such as the solid forum page the redirect_url is going to be a url back to the site you want to login to.

What is the redirect_url for Single Page Apps? Is it the URL of the html at which the JS is located on the web?

@jaxoncreed
Copy link
Contributor

We use the origin of the redirect_url so it would be the same with a single page app as a multi-page app.

To clarify, the origin header is used to identify an app, but not to authenticate it. The redirect_url embedded in the token is used to do that. See aud here (https://github.com/solid/webid-oidc-spec/blob/master/application-user-workflow.md#14-generates-an-id_token)

@bblfish bblfish mentioned this issue Oct 5, 2019
Open
@bblfish
Copy link
Member Author

bblfish commented Oct 5, 2019
edited
Loading

I think the proposal in User controlled Authorization App would enable the Authorization App loaded from a secure Origin and holding the private keys for all applications launched, to know the exact url of each launched app, since those were the urls used to launch the apps. This makes it possible to now both identify the App type (the launch URL) and the App instance, using a private key controlled by the App Launcher. The App Launcher could the even give the App instance (running in a particular browser) a particular WebID (though blank nodes will also do, as keys are inverse functional properties).

So the App Launcher could write to the users personal Pod the following triples for each app:

</app/calendar#FirefoxOnLinux> a :App;
   :appLaunch <https://office.app/2019/Calendar.html>;
   :browser "...";
   cert:key [ ... ] .

@elf-pavlik elf-pavlik mentioned this issue Oct 13, 2019
Closed
@elf-pavlik
Copy link
Member

I think we can close this issue and follow up in other related issues

In both of them we need to address what role redirect_url plays and they give clear context of authenticating and authorizing clients.

Otherwise we should define some criteria for resolving this issue, preferably by PR.

@jaxoncreed
Copy link
Contributor

Agreed. We'll continue the conversation in those

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@bblfish @elf-pavlik @jaxoncreed @zenomt