cweiske
commented
6 years ago I've added the asterisk redirect URI to http://cweiske.de/shpub.htm
Closed Zegnat closed 4 years ago
cweiske
commented
6 years ago I've added the asterisk redirect URI to http://cweiske.de/shpub.htm
aaronpk
commented
6 years ago Is there a reason you can't use a fixed URL for shpub, like http://0.0.0.0:30000?
I'm leery of allowing arbitrary redirect URIs, although having to explicitly enable that is a little better. It would be a lot better if the client support PKCE when enabling this, since PKCE solves the stolen auth code problem that registering redirect URIs helps with.
cweiske
commented
6 years ago 
Zegnat
commented
6 years ago I’m leery of allowing arbitrary redirect URIs, although having to explicitly enable that is a little better.
Explicitly triggering it is an important part of this proposal. I should have made that clearer.
In fact, if a wildcard is added as a possibility, would it make sense to upgrade the current SHOULD on blocking requests for non-verified redirect_uri values to a MUST? As all clients who have an issue with that can specify the wildcard? Thus overall increasing the security in client implementations.
It would be a lot better if the client support PKCE when enabling this […]
Zegnat
commented
6 years ago @sknebel points out in chat that clients are already able to work with variable redirect URLs by passing the redirect_uri value along to a specially crafted page at client_id. Example:
https://example.org/auth?redirect_uri=https://198.51.100.0/listen
&client_id=https://app.example.com/%3Furi%3Dhttps%3A%2F%2F198.51.100.0%2Flisten
&…The problem with this is that the user is “leaking” their redirect_uri to the third-party that is hosting the client identifier URL. For the type of applications discussed here, that will often involve an IP address and an open port.
If a client already knows it is in need of variable redirect URLs, it would be better to express this with an explicit * on their identifier page than working around it. Especially because this will inform the authorization endpoint of the fact a variable redirect URL is used, and special action may be taken there.
Special action could be something like showing different warnings to users, or requiring PKCE.
Zegnat
commented
6 years ago I've added the asterisk redirect URI to http://cweiske.de/shpub.htm
I noticed a problem with this while compiling the Client Information table. href="*" gets treated as a relative URL so the actual redirect URL became http://cweiske.de/*.
So if * becomes part of the standard, we have to be careful to define its use before ever getting to the part where URLs are resolved.
sknebel
commented
5 years ago A possible solution is to allow wildcards as part of valid URLs, e.g. http://*:*/callback, although testing for how URL parsers treat this might be required. (Python's urllib happily parses the above as an absolute URL)
aaronpk
commented
4 years ago This has been resolved in the OAuth working group for some time, and the general consensus is that any sort of wildcard support in redirect URLs opens up attack vectors. One of the possible solutions is a setup stage which can sort of "dynamically register" a redirect URL for the one specific request such as described by the Pushed Authorization Request extension to OAuth, which we could adapt to IndieAuth.
This came up in a very specific context: a micropub tool that does not in advance know what its
redirect_uriis going to be. E.g. @cweiske’s shpub running on a server the user connect to via ssh.Proposed solution (from chat):
Basically when the
redirect_uriis defined as*you would expect the authorization endpoint to allow any URL as if verified by §4.2.2.Note that the authorization endpoint may still want to warn the user of having skipped verification. This is really only to allow the client creator to let the authorization endpoint know it should not block the request completely – as is currently recommended by the spec.