OAuth implementation security

  • 14 October 2021
  • 8 replies
  • 103 views

Hello! I have the following security questions on the Typeform OAuth implementation:

  • do you have checks in place to validate `redirect_uri=`? I tried modifying my redirect_url and it returned a HTTP/2 302 Found packet
  • I'm interested to see if you have any checks on the scope in the authorization database in case of privilege escalation

Thanks!

Best answer by picsoung 16 October 2021, 00:56

Hi @essy Welcome to the community!

Would you mind sharing the call you made for updating the redirect URL?
As for your second question, I’m checking with our technical team for you. :)

If you think of anything else in the meantime, please let me know!

Hi @essy

We do check if the redirect_uri is part of the ones that were defined in the application settings. If it’s not, you should see a “BAD REDIRECT URI” error.

And for your second question: if a user first authorized your app with accounts:read and forms:read scopes but later on you add another scope like forms:write, the second time they go through the authorization flow they should see the newly added scope.

Hope it makes sense.

Hello, thanks for getting back to me, I tried the following:

GET /login/oauth?client_id=BA8U1Z2G37NLMbi8rcyfWd8KVz5QxTDxdU7c1ErvSAEQ&redirect_uri=https%3A%2F%2Fec2-18-237-101-174.us-west-2.compute.amazonaws.com HTTP/2

Host: admin.typeform.com

and it returned back a HTTP/2 200 OK

Date: Thu, 14 Oct 2021 22:26:36 GMT

Hi @essy,

I am not sure I understand what your issue is.

You can find more details about our OAuth flow and the different steps in our documentation.

If you are using JavaScript you can find a working example over here.

Finally, if this is the first time implementing OAuth, Anabella Spinelli wrote a really nice article to explain the “OAuth dance”.

Keep us updated 😉

Hello, I was just asking if it’s a potential security vulnerability that the redirect_uri can be modified and the server returns a HTTP 200!

My bad @essy 🤦‍♂️

Now I understand what you are saying.

If we wanted to follow REST standards, we should probably not return a 200 for this page if the redirect_uri is not allowed.

/login/oauth is not the correct route, our OAuth flow starts on /oauth/authorize.

I am curious to see where you saw it; maybe it’s something in the documentation we need to update.

If you run the same request on /oauth/authorize route, you get a 400 as expected.

Let me know if I still didn’t understand your message 🤣
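
The two checks discussed in this thread, the redirect_uri allow-list on the authorize route (400 instead of a redirect or a 200 when the URI is not registered) and the re-consent for newly requested scopes, modelled as an added example. This is not Typeform's code; the client registry, grant store and route names are constructed for illustration.

```python
"""Authorization-endpoint decision logic (constructed example, not Typeform's code).

1. redirect_uri must exactly match a URI registered for the client. If it does not,
   answer 400 and never redirect: redirecting to an unregistered URI would hand the
   authorization code to whoever controls that host.
2. Requested scopes are compared with what the user already granted; any newly
   requested scope forces a fresh consent screen instead of silently widening access.
"""
from urllib.parse import urlsplit

# Constructed sample data: one registered client and one prior grant.
REGISTERED_REDIRECTS = {
    "client_abc": {"https://app.example.com/callback"},
}
GRANTED_SCOPES = {
    ("client_abc", "user_1"): {"accounts:read", "forms:read"},
}


def valid_redirect(client_id, redirect_uri):
    """Exact string match against the registered set; no prefix or wildcard matching."""
    if redirect_uri not in REGISTERED_REDIRECTS.get(client_id, set()):
        return False
    parts = urlsplit(redirect_uri)
    # Defence in depth: only https and no fragment, even for registered entries.
    return parts.scheme == "https" and not parts.fragment


def authorize(client_id, redirect_uri, scope, user):
    """Return (http_status, payload) for a GET /oauth/authorize request."""
    if not valid_redirect(client_id, redirect_uri):
        # Error is shown to the user agent directly, never sent to redirect_uri.
        return 400, "BAD REDIRECT URI"
    requested = set(scope.split())
    newly_requested = requested - GRANTED_SCOPES.get((client_id, user), set())
    if newly_requested:
        # The consent page must list the added scopes (e.g. forms:write).
        return 200, {"consent_required": sorted(newly_requested)}
    # All scopes were granted before: issue a code to the registered URI.
    return 302, redirect_uri + "?code=CODE_PLACEHOLDER"
```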

Ok thank you for the clarification, I was just reviewing the security around your OAuth implementation and flow. Thanks!