Skip to content

Improve SSRF security considerations #49

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ThisIsMissEm wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Improve SSRF security considerations #49

ThisIsMissEm wants to merge 2 commits into from

Conversation

@ThisIsMissEm
Copy link
Contributor

@ThisIsMissEm ThisIsMissEm commented Sep 29, 2025

This applies #43

Essentially there are two attack vectors:

  1. When fetching the Client ID Metadata Document itself, that must not resolve to a special-use IP address, except if the Authorization Server is running on the same IP address (this is to enable development of the AS & Client on the same machine)
  2. When fetching any of the URLs contained within the Client ID Metadata Document, such as tos_uri, policy_uri, jwks_uri or logo_uri

We may need an exception for jwks_uri like we have for the Client ID Metadata Document URI itself.

ThisIsMissEm
ThisIsMissEm commented Sep 29, 2025
View reviewed changes
draft-parecki-oauth-client-id-metadata-document.md
## Server Side Request Forgery (SSRF) Attacks
## Server Side Request Forgery (SSRF) Attacks {#ssrf_attacks}

Authorization servers fetching the client metadata document and resolving URLs located in the metadata document should be aware of possible SSRF attacks. Authorization servers MUST validate that the Client ID Metadata Document URL does not resolve to special-use IP addresses as defined in [RFC6890], except when the authorization server itself is also running on a loopback address and the resolved address matches the same loopback interface.
Copy link
Contributor Author

@ThisIsMissEm ThisIsMissEm Sep 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We may want to go further here, like Bluesky's AT Proto, by verifying that the hostname has at least two components, and prevents usage of the following TLDs:

  • .test
  • .local
  • .localhost
  • .invalid
  • .example

However, these TLDs may be useful when developing locally the AS and Client.

@ThisIsMissEm ThisIsMissEm mentioned this pull request Sep 29, 2025
Closed
OR13
OR13 reviewed Nov 18, 2025
View reviewed changes
draft-parecki-oauth-client-id-metadata-document.md
Authorization servers fetching the client metadata document and resolving URLs located in the metadata document should be aware of possible SSRF attacks. Authorization servers MUST validate that the Client ID Metadata Document URL does not resolve to special-use IP addresses as defined in [RFC6890], except when the authorization server itself is also running on a loopback address and the resolved address matches the same loopback interface.

Authorization servers fetching the client metadata document and resolving URLs located in the metadata document should be aware of possible SSRF attacks. Authorization servers SHOULD avoid fetching any URLs using private or loopback addresses and consider network policies or other measures to prevent making requests to these addresses. Authorization servers SHOULD also be aware of the possibility that URLs might be non-http-based URI schemes which can lead to other possible SSRF attack vectors.
Authorization servers SHOULD avoid fetching any URLs contained within Client ID Metadata Documents that resolve to special-use IP addresses as defined in [RFC6890] and consider network policies or other measures to prevent making requests to these addresses. Authorization servers SHOULD also be aware of the possibility that URLs might be non-http-based URI schemes which can lead to other possible SSRF attack vectors.
Copy link

@OR13 OR13 Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Authorization servers SHOULD avoid fetching any URLs contained within Client ID Metadata Documents that resolve to special-use IP addresses as defined in [RFC6890] and consider network policies or other measures to prevent making requests to these addresses. Authorization servers SHOULD also be aware of the possibility that URLs might be non-http-based URI schemes which can lead to other possible SSRF attack vectors.
Authorization servers SHOULD NOT fetch any URLs contained within Client ID Metadata Documents that resolve to special-use IP addresses as defined in [RFC6890] and consider network policies or other measures to prevent making requests to these addresses. Authorization servers which support non-http-based URI schemes are at additional risk to SSRF attacks.

Copy link
Contributor Author

@ThisIsMissEm ThisIsMissEm Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aaronpk how's this sound to you?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aaronpk aaronpk Awaiting requested review from aaronpk aaronpk is a code owner

1 more reviewer

@OR13 OR13 OR13 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ThisIsMissEm @OR13 @btiernay