I want to create a Facebook redirect URL like /fblogin?packgeid=1 in my CodeIgniter application, where packgeid is a dynamic value like (1,2,3).
I tried https://localhost/project/fblogin?packgeid={} in the Facebook Valid OAuth Redirect URIs, but I receive an error in the Facebook response like:
URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app's Client OAuth Settings. Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs.
You cannot use any placeholders or anything like that. If you need to transport any info in your redirect URI via GET parameters, then you would need to enter each and every specific URL explicitly.
The only parameter that is exempt from this is the state value. Its main purpose is CSRF protection - but you can use it to transport your own values as well. It should not be a purely static or easily guessable value though (that would stop it from being effective as a CSRF protection measure) - so maybe combine a random value and your parameter value, encoding it as JSON, or something like that - that would help you to easily take it apart on the receiving end again.
But do you even need to actually transport this via the redirect URI? Can you not just put packgeid=1 into your session, and then have the script decide what it needs to do after the user is redirected back, based on that?
I am building an OAuth login flow and I am not sure if I have done it wrong, because I will need to send the bearer token back via the redirect URL, like /oauth2/redirect?token=[TOKEN]. But isn't it not recommended to have the token passed along through the URL? As it is pointed out in this thread:
Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example, as query string parameters). Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken. Browsers, web servers, and other software may not adequately secure URLs in the browser history, web server logs, and other data structures. If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations.
I must have missed something in the whole flow and would like to understand more about this matter. Any input is appreciated!
UPDATE
Might not be correct, but this is my understanding after some digging. The three means to pass a token:
URL (not preferable)
Auth header
Request body
But under the OAuth redirect use case, options 2 and 3 are not feasible. So option 1 is the only option available. If really needed, the token can be encrypted to ensure security.
I think this only means that you should not use a GET request when the server requires the token; instead you should use POST or whatever is appropriate. In a GET request the parameters are included in the URL and those can end up in logs or other histories; other request types will send the parameters separate from the request URL.
P.S. BTW if you are not implementing the OAuth server yourself, you won't have to send a redirect url containing the token.
The Basic auth header, which provides a little extra security as it's required to be sent over TLS:
In the case of a "Basic" authentication like shown in the figure, the exchange must happen over an HTTPS (TLS) connection to be secure.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication
Also, the headers aren't logged in easy places like browser history.
From the spec:
it SHOULD NOT be used unless it is impossible to transport the access token in the "Authorization" request header field or the HTTP request entity-body.
https://www.rfc-editor.org/rfc/rfc6750#section-2.3
I am working on an existing OAuth system in my office. The previous engineer left and I am not really experienced in this OAuth system. So I read a few documents about OAuth. I see that my office, as the OAuth server, is getting a redirect URL upon getting the auth code from the client.
Then I see a validation which prevents a single character in the redirect URL.
Example:
1. https://m.clientname.us/oauth/redirect
2. https://pre.m.clientname.us/oauth/redirect
Number 1 would pass, but 2 does not.
Do you guys think there is a reason the previous engineer made this validation? Is there a standard about not putting a single character like sample number 2? Thank you
I'm not sure what you mean by "single character", but the redirect URLs that your authorization server allows should absolutely be whitelisted to only registered redirect URLs. Any added subdomains or paths should cause the request to be rejected. Otherwise, an attacker can craft an OAuth request that looks valid to the end-user, but actually redirects them (with the authorization code) to their server.
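As an added illustration of the exact-match rule in the answer above (example code written for this page, not the asker's system), the check below accepts a redirect_uri only if it is byte-for-byte identical to one registered for the client, so the pre.m subdomain from the question, an extra path segment, an added query string or a scheme downgrade are all rejected. The client table and client_id are constructed placeholders; the "no redirect on an untrusted redirect_uri" rule follows RFC 6749 section 4.1.2.1.

```python
from urllib.parse import urlsplit

# Constructed registration table (client_id -> registered redirect URIs).
# A real authorization server loads this from its client configuration.
REGISTERED_REDIRECT_URIS = {
    "client-abc": frozenset({"https://m.clientname.us/oauth/redirect"}),
}


def is_well_formed_redirect_uri(uri: str) -> bool:
    """Structural checks from RFC 6749 section 3.1.2: absolute URI, no fragment."""
    parts = urlsplit(uri)
    return bool(parts.scheme) and bool(parts.netloc) and not parts.fragment


def redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """Exact string match against the client's registered URIs, nothing looser.

    No prefix, wildcard, subdomain or normalisation matching: both
    'https://pre.m.clientname.us/oauth/redirect' and
    'https://m.clientname.us/oauth/redirect?x=1' are rejected.
    """
    if not is_well_formed_redirect_uri(requested):
        return False
    return requested in REGISTERED_REDIRECT_URIS.get(client_id, frozenset())


def handle_authorization_request(params: dict) -> dict:
    """Simplified authorization-endpoint decision for the redirect target.

    When the redirect_uri is unknown or does not match, the server must show
    the error to the resource owner itself and must NOT redirect (RFC 6749
    section 4.1.2.1), otherwise it becomes an open redirector.
    """
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if client_id not in REGISTERED_REDIRECT_URIS:
        return {"action": "error_page", "reason": "unknown client_id"}
    if not redirect_uri_allowed(client_id, redirect_uri):
        return {"action": "error_page", "reason": "redirect_uri not registered"}
    # Trusted target: continue the code flow (code issuance elided here).
    return {"action": "redirect", "to": redirect_uri}
```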
Is it possible to pass a parameter to web page via the OAuth redirect URL once the user authenticates? I have specified a parameter on the redirect URL in the Google credentials configuration page but it is not being passed. I'd like to get the value of foo below:
https://example.com/Test?foo=1234
I'm guessing you want to use the query parameter to encode some sort of information that will track the OAuth flow on your end.
In that case, you would need to use the state parameter. You will get the state parameter back as a parameter to your redirect_uri.
More information:
https://developers.google.com/identity/protocols/OpenIDConnect#sendauthrequest
https://developers.google.com/identity/protocols/OpenIDConnect#state-param
The state can be useful for correlating requests and responses. Because your redirect_uri can be guessed, using a state value can increase your assurance that an incoming connection is the result of an authentication request. If you generate a random string or encode the hash of some client state (e.g., a cookie) in this state variable, you can validate the response to additionally ensure that the request and response originated in the same browser. This provides protection against attacks such as cross-site request forgery.
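The two answers that recommend the state parameter (the Facebook one above, which suggests combining a random value with your own parameter as JSON, and the Google one here) both leave the construction to the reader. The added example below, written for this page and not taken from either platform's SDK, does exactly that: a per-session random nonce gives the CSRF protection, the app data (the packgeid from the first question) rides along, and an HMAC over the payload stops the data being altered in transit. SERVER_SECRET and the session dict are constructed stand-ins for a real configured secret and a real session store.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed placeholder; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_state(session: dict, app_data: dict) -> str:
    """Build the state value for the authorization request.

    The random nonce is stored server-side in this user's session so the
    callback can be tied to the browser that started the flow (CSRF check).
    app_data is carried inside the same value; the HMAC detects tampering.
    """
    nonce = secrets.token_urlsafe(32)
    session["oauth_state_nonce"] = nonce
    payload = json.dumps({"nonce": nonce, "data": app_data},
                         separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64url(payload) + "." + _b64url(sig)


def parse_state(session: dict, state: str) -> Optional[dict]:
    """Validate the state returned to redirect_uri; app data on success, else None."""
    expected_nonce = session.pop("oauth_state_nonce", None)  # single use: no replay
    if expected_nonce is None or "." not in state:
        return None
    payload_b64, sig_b64 = state.rsplit(".", 1)
    try:
        payload, sig = _unb64url(payload_b64), _unb64url(sig_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    good_sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, good_sig):
        return None
    parsed = json.loads(payload)  # signature verified, so this is our own JSON
    if not hmac.compare_digest(parsed["nonce"], expected_nonce):
        return None  # valid signature but issued for a different session
    return parsed["data"]
```

On the callback, a None result should be treated as a failed login and the authorization code discarded; only a successful parse should continue to the code exchange.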
Since there is no clientId in the logout request, it's not possible to validate the URL against the client's list of Valid Redirect URIs, thus allowing redirection to an arbitrary URL:
https://idserver/auth/realms/realm/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Fattackers.website
Is there a workaround for this issue or does it have to be a code fix? Thank you.
You can (and should) register "Valid Redirect URIs" for each client in the realm. If you don't, and specify e.g. "*" to allow any URL, exactly the thing you describe will happen.
Try the logout with the realm "master" (with the initial configuration): you'll get the error message "Invalid redirect uri".
I understand that the reason for the redirect uri is to pass the credentials back to the client, which is fine.
I want to allow programmers to use my client_id to write their own implementation. The problem is that my client_id has a fixed set of redirect_uris associated with it, so if a programmer is making their own implementation they cannot redirect to their own page.
I should thus have a single redirect uri which passes the token back to the client, but how can I achieve this?
Sharing client_ids between different apps is not a security best practice. You should be looking into something like Dynamic Client Registration, where each client dynamically registers itself, together with its redirect URI, with the Authorization Server: https://www.rfc-editor.org/rfc/rfc7592