Re: [OAUTH-WG] OAuth 2.1 + OAuth 2.0 for Native Apps: Private-Use URI Scheme Redirection enforcement

2020-12-03 Thread Filip Skokan
Please note that this simple validation (in combination with web
application enforcing http(s) schemes) removes the need to implement and
maintain a blocklist of potentially malicious schemes such as
`javascript:/`, `vbscript:/`, and `data:/`.

More details:
https://security.lauritz-holtmann.de/post/sso-security-redirect-uri/

Best,
*Filip*


On Thu, 3 Dec 2020 at 10:59, Filip Skokan wrote:

> Hello everyone,
>
> Both RFC 8252 and the OAuth 2.1 draft state that (paraphrasing)
>
>> Apps MUST use a URI scheme based on a domain name under their control,
>> expressed in reverse order, as recommended by Section 3.8 of [RFC7595] for
>> private-use URI schemes. e.g. com.example.app:/
>
> My question is, is the AS right to reject client registrations that do not
> follow this specific requirement, e.g. to reject myapp:/oauth2/example-issuer
> on account of it neither being a claimed https scheme or an http: +
> loopback interface, nor having a "." (dot) character suggesting it is a
> reverse-domain scheme?
>
> Best,
> *Filip*
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
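The validation discussed in the two messages above, as an added illustration that is not code from the thread or from any of the implementations its participants work on: an authorization server classifies each registered redirect URI as a claimed https URI, an http loopback-IP URI (RFC 8252 section 7.3), or a private-use scheme containing a "." (the reverse-domain shape of RFC 8252 section 7.1), and rejects everything else. Because `javascript:`, `vbscript:` and `data:` contain no dot, they fall out without a blocklist. The function names and the decision to accept only loopback IP literals (not the `localhost` name) are choices made here, not something the thread prescribes.

```python
"""Redirect URI validation for native-app OAuth client registration.

Accepted shapes (RFC 8252):
  1. https:// URIs with a host (claimed "https" scheme redirection),
  2. http:// URIs whose host is a loopback IP literal, any port,
  3. private-use schemes that look like a reverse domain name, i.e. the
     scheme contains at least one "." (com.example.app:/...).
Everything else is rejected, so dangerous schemes need no blocklist.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")


def classify_redirect_uri(uri: str) -> tuple[bool, str]:
    """Return (accepted, category_or_reason) for a single redirect URI.

    Categories on success: "https", "loopback", "private-use".
    On rejection the second element is a human-readable reason.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()

    if not scheme or not _SCHEME_RE.match(scheme):
        return False, "missing or malformed scheme"
    if parts.fragment:
        # RFC 6749 section 3.1.2: the redirection endpoint URI has no fragment
        return False, "redirect URI must not contain a fragment"

    if scheme == "https":
        if not parts.hostname:
            return False, "https redirect URI needs a host"
        return True, "https"

    if scheme == "http":
        # Plain http is only acceptable for the loopback interface. We require
        # an IP literal (127.0.0.1, [::1], ...); hostname() strips the brackets.
        try:
            addr = ipaddress.ip_address(parts.hostname)
        except ValueError:
            return False, "http is only allowed for loopback IP literals"
        if not addr.is_loopback:
            return False, "http is only allowed for loopback IP literals"
        return True, "loopback"

    # Any other scheme is treated as private-use and must be reverse-domain
    # shaped. A scheme like "myapp", "javascript" or "data" has no "." and
    # is rejected here without consulting a list of bad schemes.
    if "." not in scheme:
        return False, f"private-use scheme {scheme!r} is not reverse-domain shaped"
    return True, "private-use"


def rejected_redirect_uris(uris: list[str]) -> dict[str, str]:
    """Return {uri: reason} for every redirect URI in a registration request
    that fails validation; an empty dict means the registration may proceed."""
    rejected = {}
    for uri in uris:
        ok, reason = classify_redirect_uri(uri)
        if not ok:
            rejected[uri] = reason
    return rejected


if __name__ == "__main__":
    # Constructed sample registration request mixing valid and invalid URIs.
    sample = [
        "com.example.app:/oauth2/callback",
        "http://127.0.0.1:49152/cb",
        "https://app.example.com/cb",
        "myapp:/oauth2/example-issuer",
        "javascript:alert(1)",
    ]
    for uri, reason in rejected_redirect_uris(sample).items():
        print(f"rejected {uri}: {reason}")
```

The dot check is deliberately the whole test for private-use schemes: it is cheap, it matches the text of RFC 8252, and it cannot be bypassed by inventing a new scheme name the way a blocklist can. Rejecting `http://localhost` is stricter than the RFC requires, but avoids relying on name resolution for the loopback case.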


[OAUTH-WG] OAuth 2.1 + OAuth 2.0 for Native Apps: Private-Use URI Scheme Redirection enforcement

2020-12-03 Thread Filip Skokan
Hello everyone,

Both RFC 8252 and the OAuth 2.1 draft state that (paraphrasing)

> Apps MUST use a URI scheme based on a domain name under their control,
> expressed in reverse order, as recommended by Section 3.8 of [RFC7595] for
> private-use URI schemes. e.g. com.example.app:/


My question is, is the AS right to reject client registrations that do not
follow this specific requirement, e.g. to reject myapp:/oauth2/example-issuer
on account of it neither being a claimed https scheme or an http: +
loopback interface, nor having a "." (dot) character suggesting it is a
reverse-domain scheme?

Best,
*Filip*