Hey,
I've posted a new Internet-Draft proposing HTTP headers to address
security and privacy concerns in redirect-based authentication protocols:
https://datatracker.ietf.org/doc/draft-hardt-httpbis-redirect-headers/
I expect this work will be done in the httpbis WG, but much of the value is
to the OAuth WG, hence the post here.
The draft defines three headers:
- Redirect-Query: Carries redirect parameters in headers instead of URLs,
preventing leakage through browser history, Referer headers, server logs,
and analytics systems.
- Redirect-Origin: Provides browser-verified origin authentication that
cannot be spoofed or stripped.
- Redirect-Path: Allows servers to request path-specific origin
verification.
The primary motivation is protecting authorization codes in OAuth/OIDC
flows from the various URL leakage vectors documented in RFC 9700.
Secondary motivation is improving redirect origin validation.
A key design goal is incremental deployment—clients, browsers, and
authorization servers can each add support independently, with no
coordination required.
As browser support is a requirement for the functionality, I have worked
with Sam Goto from the Google Chrome team to confirm browser interest, and
Sam has joined as a co-author.
Feedback welcome. Issues and discussion at:
https://github.com/dickhardt/redirect-headers
Dick & Sam
_______________________________________________
OAuth mailing list -- [email protected]
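Added example, not code from the draft, its authors, or the list: a relying
party's redirect endpoint that consumes the proposed Redirect-Query and
Redirect-Origin headers when the browser sends them, and falls back to the
URL query string otherwise, which is the incremental-deployment case the
announcement describes. It assumes (the draft is authoritative on the real
syntax) that Redirect-Query carries form-encoded pairs such as
"code=...&state=..." and that Redirect-Origin is a plain origin string. The
AS_ORIGIN value and the sample requests are constructed. The fallback path
also applies the RFC 9700 countermeasures for a URL-borne code (suppress
Referer, scrub the code from the location bar), which the header path makes
unnecessary because the code never entered the URL.

```python
# Added example (not from draft-hardt-httpbis-redirect-headers or its authors).
# ASSUMPTIONS: Redirect-Query is form-encoded "k=v&k=v"; Redirect-Origin is a
# plain origin string; AS_ORIGIN and all sample inputs are constructed.
from urllib.parse import parse_qs, urlsplit, urlunsplit

AS_ORIGIN = "https://as.example"  # assumed origin of the authorization server


def parse_params(query):
    """Parse a query or header string; reject repeated parameters (RFC 6749 3.1)."""
    out = {}
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if len(values) != 1:
            raise ValueError(f"parameter {key!r} repeated")
        out[key] = values[0]
    return out


def _fail(reason):
    return {"ok": False, "error": reason}


def handle_redirect(request_url, headers, expected_state):
    """Extract the authorization response from a redirect request.

    Returns {"ok": True, "params": {...}, "source": "header" | "url"} or
    {"ok": False, "error": "..."} so a caller never acts on a partial result.
    """
    h = {k.lower(): v for k, v in headers.items()}
    try:
        url_params = parse_params(urlsplit(request_url).query)
        if "redirect-query" in h:
            origin = h.get("redirect-origin")
            if origin is None:
                return _fail("Redirect-Query present without Redirect-Origin")
            if origin != AS_ORIGIN:
                return _fail(f"redirect came from {origin}, not {AS_ORIGIN}")
            params = parse_params(h["redirect-query"])
            source = "header"
            # A browser that moved the parameters into headers leaves no code
            # in the URL; a code in both places is treated as tampering.
            if "code" in url_params:
                return _fail("authorization code present in both header and URL")
        else:
            # Legacy browser: parameters arrive in the URL (the leaky path).
            params, source = url_params, "url"
    except ValueError as e:
        return _fail(str(e))
    # Check state before trusting anything else, including an error response.
    if params.get("state") != expected_state:
        return _fail("state mismatch")
    if "error" in params:
        return _fail("authorization server returned " + params["error"])
    if "code" not in params:
        return _fail("no authorization code in response")
    return {"ok": True, "params": params, "source": source}


def post_redirect_response(request_url, source):
    """Status and headers to send once the code has been exchanged.

    For a URL-borne code: suppress Referer and 303 to the bare path so the
    code leaves the location bar and history (RFC 9700 countermeasures).
    A header-borne code never touched the URL, so a plain 200 suffices.
    """
    hdrs = {"Cache-Control": "no-store", "Referrer-Policy": "no-referrer"}
    if source == "url":
        p = urlsplit(request_url)
        hdrs["Location"] = urlunsplit((p.scheme, p.netloc, p.path, "", ""))
        return 303, hdrs
    return 200, hdrs


if __name__ == "__main__":
    state = "af0ifjsldkj"  # constructed, would be bound to the user's session
    legacy = handle_redirect(
        f"https://client.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state={state}",
        {}, state)
    modern = handle_redirect(
        "https://client.example/cb",
        {"Redirect-Query": f"code=SplxlOBeZQQYbYS6WxSbIA&state={state}",
         "Redirect-Origin": AS_ORIGIN}, state)
    spoofed = handle_redirect(
        "https://client.example/cb",
        {"Redirect-Query": f"code=evil&state={state}",
         "Redirect-Origin": "https://attacker.example"}, state)
    print("legacy :", legacy)
    print("modern :", modern)
    print("spoofed:", spoofed)
```

The origin check is only as strong as the browser's guarantee that
Redirect-Origin cannot be stripped; a client that must also serve browsers
without support cannot treat the header's absence as an attack, which is why
the fallback path keeps the URL-based countermeasures instead of refusing.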