为什么重定向URL在Azure AD B2C中完全合格? [英] Why is Redirect URL Fully Qualified in Azure AD B2C?
问题描述
Why does the redirect URL have to match completely? Wouldn't matching at the domain level be sufficient enough for proper security?
如果我有数百条路径怎么办?
What if I had hundreds of paths?
示例网址:
- https://myawesomesite.com
- https://myawesomesite.com/account/profile
- https://myawesomesite.com/games/fungame/points
- https://www.myawesomesite.com/games/fungame/points
- https://myawesomesite.com
- https://myawesomesite.com/account/profile
- https://myawesomesite.com/games/fungame/points
- https://www.myawesomesite.com/games/fungame/points
...
我必须在B2C应用配置中输入上述4个重定向网址.
I would have to enter the 4 above redirect urls into my B2C app configuration.
推荐答案
在 RFC 6819中对此进行了讨论"OAuth 2.0威胁模型和安全注意事项";部分 4.1.5 ,
This is actually discussed in RFC 6819 "OAuth 2.0 Threat Model and Security Considerations" sections 4.1.5, 4.2.4 and 5.2.3.5.
4.1.5.威胁:客户端上的打开重定向器
4.1.5. Threat: Open Redirectors on Client
开放重定向器是使用参数自动执行操作的端点 将用户代理重定向到参数值指定的位置 未经任何验证.如果授权服务器允许客户端 仅注册部分重定向URI,攻击者可以使用开放式 客户端操作的重定向器,以构造一个重定向URI,该重定向URI 将通过授权服务器验证,但将发送 授权代码"或访问令牌到控制下的端点 攻击者.
An open redirector is an endpoint using a parameter to automatically redirect a user agent to the location specified by the parameter value without any validation. If the authorization server allows the client to register only part of the redirect URI, an attacker can use an open redirector operated by the client to construct a redirect URI that will pass the authorization server validation but will send the authorization "code" or access token to an endpoint under the control of the attacker.
影响:攻击者可以访问授权的代码".或访问令牌.
Impact: An attacker could gain access to authorization "codes" or access tokens.
对策:
o要求客户端注册完整的重定向URI(第5.2.3.5节)."
o Require clients to register full redirect URI (Section 5.2.3.5)."
第5.2.3.5节讨论了在这种情况下过于严格,目的是替代解决方案.
Section 5.2.3.5 talks about the cases where this may be too restrictive and purposes alternate solutions.
通常,如克里斯建议的那样,state参数也可用于确定性重定向.但是,您必须确保这样的解决方案也不会最终成为开放的重定向器,因此state参数将需要受到保护(例如,加密/签名),或者与Cookie结合使用.
Often times, the state parameter can also be used to redirect deterministically as suggested by Chris. However, you have to ensure that such a solution also does not end up being an open redirector, so the state parameter will either need to be protected (e.g. encrypted/signed), or used in conjunction with cookies.
这篇关于为什么重定向URL在Azure AD B2C中完全合格?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
