OIDC SSO invites break redirect URI
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Landscape Server |
Confirmed
|
High
|
Unassigned |
Bug Description
I enabled OIDC login on my hosted Landscape
Sent a user invitation :
https:/
On clicking, we see a message :
"Landscape uses Ubuntu Single Sign On to identify you. Please login or create an Ubuntu Single Sign On account now to accept this invitation.""
With a link to :
https:/
Which 302 redirects to :
Thus the redirect URI is set to "https%
Which is clearly different from the defined URI https:/
(as defined in https:/
The redirect URI should be a static URI, the same for each and every request.
As explained here https:/
> The service should look for an exact match of the URL, and avoid matching on only part of the specific URL. (The client can use the state parameter if it needs to customize each request.) Simple string matching is sufficient since the redirect URL can’t be customized per request.
And many other documents about OIDC.
SECURITY ISSUE :
I have a slight concern that Ubuntu's own SSO server is accepting these wildcarded redirect URIs and is potentially vulnerable to a covert redirect issue (https:/
information type: | Proprietary → Public |
Changed in landscape: | |
importance: | Undecided → High |
Changed in landscape: | |
milestone: | none → 19.10.5 |
Changed in landscape: | |
milestone: | 19.10.5 → none |
I dug quite a bit into this. It doesn't look like we've got a covert redirect vulnerability here. To be clear, there is a redirect (invitation) but it is limited to the specified resource on the server (not open redirection).
I don't quite see that as vulnerable.
Furthermore, the added "invitation" query parameter does not invalidate matching of the redirect_uri, as query parameters are allowed per /tools. ietf.org/ html/rfc6749# section- 3.1.2
https:/
However, I do agree that we should switch to use the state parameter instead, if only to follow recommendations /www.oauth. com/oauth2- servers/ redirect- uris/redirect- uri-registratio n/#per- request
https:/