Description
Code Version
SATOSA version 8.5.1
Current Behavior
I am using the OIDC frontend. When I send an authorization request with an invalid / unknown client_id, Satosa responds with a 303 redirect to the redirect_uri given in the request and attaches the parameters ?error=unauthorized_client&error_message=Unknown+client_id.
Since the client does not exist, the redirect_uri is not validated and I can specify any URI / URL.
This actually poses an Open Redirect vulnerability (see https://cwe.mitre.org/data/definitions/601.html and https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html for details).
Expected Behavior
According to RFC 6749 Section 4.1.2.1:
If the request fails due to a missing, invalid, or mismatching
redirection URI, or if the client identifier is missing or invalid,
the authorization server SHOULD inform the resource owner of the
error and MUST NOT automatically redirect the user-agent to the
invalid redirection URI.
So Satosa should just display an error message, but it MUST NOT respond with a redirect to the unvalidated redirection URI that was passed in a parameter.
Possible Solution
Probably the root cause is in pyop (https://github.com/IdentityPython/pyop/blob/master/src/pyop/exceptions.py#L47), but we could also catch it in the OIDC frontend: https://github.com/IdentityPython/SATOSA/blob/master/src/satosa/frontends/openid_connect.py#L303
Steps to Reproduce
- Set up Satosa with an OIDC frontend
- Issue an authorization request with an invalid client_id, for example: https://satosa_host:satosa_port/oidc/authorization?response_type=code&client_id=unknown&scope=openid&redirect_uri=https://attacker.example.net (where no client with ID unknown should exist!)
- Your browser will redirect you to https://attacker.example.net/?error=unauthorized_client&error_message=Unknown+client_id, which could be a malicious site controlled by a hacker
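The check described under Expected Behavior and Possible Solution, as an added illustration that is not SATOSA's or pyop's own code: errors caused by an unknown client or a mismatching redirect_uri are rendered locally, and only errors for a registered client with a registered redirect_uri are delivered by redirect. The function names and the in-memory client registry are assumptions.

```python
# Added example, not code from SATOSA or pyop. Client registry and function
# names are assumptions standing in for the OP's real client database.
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed client registry: one registered client with one redirect URI.
CLIENT_DB = {
    "known-client": {"redirect_uris": ["https://rp.example.org/callback"]},
}


def _append_query(url, extra):
    """Return url with the extra parameters merged into its query string."""
    parts = urlsplit(url)
    merged = {k: v[0] for k, v in parse_qs(parts.query).items()}
    merged.update(extra)
    return urlunsplit(parts._replace(query=urlencode(merged)))


def process_authorization_request(query, client_db=CLIENT_DB):
    """Validate an authorization request query string.

    Returns one of:
      ("error_page", message) - render the error to the resource owner and
                                do NOT redirect (RFC 6749 section 4.1.2.1);
      ("redirect", url)       - deliver the error to the validated redirect_uri;
      ("ok", redirect_uri)    - request is valid, continue with authentication.
    """
    params = {k: v[0] for k, v in parse_qs(query).items()}

    # Unknown client: the redirect_uri cannot be validated, so never follow it.
    client = client_db.get(params.get("client_id"))
    if client is None:
        return ("error_page", "Unknown client_id")

    # Known client but redirect_uri not registered for it: same rule applies.
    redirect_uri = params.get("redirect_uri")
    if redirect_uri not in client["redirect_uris"]:
        return ("error_page", "Invalid redirect_uri")

    # From here on redirect_uri is a registered one, so remaining errors may
    # be reported to it as the spec allows.
    if params.get("response_type") != "code":
        return ("redirect", _append_query(redirect_uri, {"error": "unsupported_response_type"}))
    if "openid" not in params.get("scope", "").split():
        return ("redirect", _append_query(redirect_uri, {"error": "invalid_scope"}))
    return ("ok", redirect_uri)
```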