
Why does the OAuth 2.0 spec submit and validate redirect_uri twice?

Jun 07, 2016 pm 03:43 PM


耗子 wrote an article about OAuth, and I could not make sense of the second bug in it. I went back to the original post and then to the spec, and only later did it click.

The original reads "Bug 2. Lack of redirect_uri validation on get-token endpoint": when the code is exchanged for a token (the access token), the redirect URI is not validated.

The OAuth 2.0 spec, http://tools.ietf.org/html/rfc6749#div-4.1, also states that this check is mandatory:

(E) The authorization server authenticates the client, validates the
authorization code, and ensures that the redirection URI
received matches the URI used to redirect the client in
step (C).

redirect_uri is the address at which the third party (the client) receives the authorization code that it will exchange for an access token. From the third party's point of view, whoever hands it the authorization code is the legitimate user: it will go on to establish an HTTP session with that party and return the user's information over it. So once an attacker alters this address, the code is intercepted. The real user is redirected to the attacker's page and the normal flow is cut short, while the attacker takes the code, reassembles the redirect_uri with it, pastes that into a browser and, without any password, becomes the legitimate user. That is a complete session hijack.

Because redirect_uri is this sensitive, there is a way to recover after it leaks (that is, after it has been tampered with): when the third party exchanges the code for a token, it submits the code the user gave it together with its own trusted redirect_uri to the service provider for validation. If the service provider issued that code earlier on the basis of an abnormal redirect_uri, this second validation reveals that the two do not match.

Egor says here that redirect_uri should be a constant, and looking around, every provider does restrict it strictly. Domestically, QQ and Douban use exactly the address the third party entered at registration; Google allows several addresses to be registered, but one of them must be used; GitHub requires the registered address or a subdirectory of it (which is what gave the attacker an opening).
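To show why the second check at the token endpoint matters, here is an added example (not the post's or any provider's code) of a minimal authorization server that binds each issued code to the redirect_uri it was issued for and refuses the exchange when the client's trusted redirect_uri differs. The client id, secret, and URIs are hypothetical, and the permissive "registered address or a subdirectory of it" policy mirrors the GitHub behaviour the post describes.

```python
import secrets
import hmac

# Constructed, in-memory state for the example (hypothetical client and URIs).
REGISTERED_CLIENTS = {
    "client-app": {"secret": "s3cr3t", "redirect_uri": "https://app.example/cb"},
}
ISSUED_CODES = {}  # code -> {"client_id", "redirect_uri", "used"}


def redirect_uri_allowed(registered, requested):
    """Permissive policy like the GitHub one the post mentions: the registered
    URI itself or any path below it is accepted at the authorization endpoint.
    This is the gap the second check has to cover; exact match is stricter."""
    return requested == registered or requested.startswith(registered.rstrip("/") + "/")


def authorize(client_id, redirect_uri):
    """Authorization endpoint (RFC 6749 section 4.1, step C): issue a code and
    remember the exact redirect_uri it was issued for."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or not redirect_uri_allowed(client["redirect_uri"], redirect_uri):
        raise ValueError("invalid redirect_uri")
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "used": False}
    return code


def exchange_code(client_id, client_secret, code, redirect_uri):
    """Token endpoint (step E): authenticate the client, validate the code, and
    require that redirect_uri equals the one bound to the code in step C."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    rec = ISSUED_CODES.get(code)
    if rec is None or rec["used"] or rec["client_id"] != client_id:
        return {"error": "invalid_grant"}
    if rec["redirect_uri"] != redirect_uri:
        # The post's point: a code issued for a tampered redirect_uri cannot be
        # exchanged by the client presenting its own trusted redirect_uri.
        return {"error": "invalid_grant"}
    rec["used"] = True  # authorization codes are single use
    return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}
```

A code obtained through a subdirectory redirect_uri passes the permissive authorization check but is rejected at exchange time because the client submits its registered redirect_uri, which no longer matches.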
