Summary
Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison.
When no Redirect URIs are configured in a provider, authentik will automatically use the first redirect_uri
value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either.
Given a provider with the Redirect URIs set to https://foo.example.com
, an attacker can register a domain fooaexample.com
, and it will correctly pass validation.
Patches
authentik 2024.8.5 and 2024.10.3 fix this issue.
The patched versions remedy this issue by changing the format that the Redirect URIs are saved in, allowing for the explicit configuration if the URL should be checked strictly or as a RegEx. This means that these patches include a backwards-incompatible database change and API change.
Manual action is required if any provider is intended to use RegEx for Redirect URIs because the migration will set the comparison type to strict for every Redirect URI.
Workarounds
When configuring OAuth2 providers, make sure to escape any wildcard characters that are not intended to function as a wildcard, for example replace .
with \.
.
For more information
If you have any questions or comments about this advisory:
Summary
Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison.
When no Redirect URIs are configured in a provider, authentik will automatically use the first
redirect_uri
value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either.Given a provider with the Redirect URIs set to
https://foo.example.com
, an attacker can register a domainfooaexample.com
, and it will correctly pass validation.Patches
authentik 2024.8.5 and 2024.10.3 fix this issue.
The patched versions remedy this issue by changing the format that the Redirect URIs are saved in, allowing for the explicit configuration if the URL should be checked strictly or as a RegEx. This means that these patches include a backwards-incompatible database change and API change.
Manual action is required if any provider is intended to use RegEx for Redirect URIs because the migration will set the comparison type to strict for every Redirect URI.
Workarounds
When configuring OAuth2 providers, make sure to escape any wildcard characters that are not intended to function as a wildcard, for example replace
.
with\.
.For more information
If you have any questions or comments about this advisory: