Skip to content

Improve SSRF security considerations #49

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Improve SSRF security considerations #49

wants to merge 2 commits into from

Conversation

@ThisIsMissEm
Copy link
Contributor

This applies #43

Essentially there are two attack vectors:

  1. When fetching the Client ID Metadata Document itself, that must not resolve to a special-use IP address, except if the Authorization Server is running on the same IP address (this is to enable development of the AS & Client on the same machine)
  2. When fetching any of the URLs contained within the Client ID Metadata Document, such as tos_uri, policy_uri, jwks_uri or logo_uri

We may need an exception for jwks_uri like we have for the Client ID Metadata Document URI itself.

ThisIsMissEm
ThisIsMissEm commented Sep 29, 2025
View reviewed changes
draft-parecki-oauth-client-id-metadata-document.md
## Server Side Request Forgery (SSRF) Attacks
## Server Side Request Forgery (SSRF) Attacks {#ssrf_attacks}

Authorization servers fetching the client metadata document and resolving URLs located in the metadata document should be aware of possible SSRF attacks. Authorization servers MUST validate that the Client ID Metadata Document URL does not resolve to special-use IP addresses as defined in [RFC6890], except when the authorization server itself is also running on a loopback address and the resolved address matches the same loopback interface.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We may want to go further here, like Bluesky's AT Proto, by verifying that the hostname has at least two components, and prevents usage of the following TLDs:

  • .test
  • .local
  • .localhost
  • .invalid
  • .example

However, these TLDs may be useful when developing locally the AS and Client.

@ThisIsMissEm ThisIsMissEm mentioned this pull request Sep 29, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aaronpk aaronpk Awaiting requested review from aaronpk aaronpk is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ThisIsMissEm @btiernay