Forthcoming API OAuth Restriction change

Afternoon everybody,

As part of our ongoing security strengthening of the FreeAgent app and surrounding infrastructure, we are considering requiring that a predefined OAuth redirect URI be specified in your integration settings. This will limit the vulnerability of our API to phishing and/or MITM attacks.

e.g. if a malicious app intercepted the OAuth access request and rewrote the redirect_uri parameter, then an unsuspecting user may provide an authorisation token to an endpoint not controlled by the integration.

(not URL escaped for readability)

https://api.freeagent.com/v2/approve_app?client_id=0123456789abcdef&response_type=code&redirect_uri=http://my.app.com/auth
could be intercepted and rewritten to
https://api.freeagent.com/v2/approve_app?client_id=0123456789abcdef&response_type=code&redirect_uri=http://1337.haxxors.com/auth

If the user were to approve that integration then the user could potentially provide access to their FreeAgent data without realising.

We wanted to get a feel for how this change would impact our users before rolling the restriction out - how many of you have multiple OAuth callback endpoints per production app? Our thought was to not apply the restriction to your sandbox accounts to make testing easier - we’ve worked with third party APIs ourselves and we know the pain that it can cause.

Any changes we make would only apply for newly created integrations and/or when an integration is updated by its developer in order to maintain existing behaviour for current integrations.

If anyone has any thoughts on this, please do let us know as we’re planning on making this change sooner rather than later!

Kind Regards,
Paul Smith
Software Engineer, FreeAgent.

Important Update - Upcoming Behaviour Change

As an update to the above announcement, we’ve decided to allow multiple registered OAuth redirect URIs following conversations with our API users.

If you log in to your Developer Dashboard you will now be able to add multiple redirect URIs to your applications, as shown below.

We will be requiring that your OAuth authorisation calls match with a registered redirect URI from 1st February 2017. If you do not update your Developer Dashboard apps before then it is possible your integrations will stop working! In this instance, your users will see the following error message…

In order to prevent this, please log in to your dev.freeagent.com account now and make the required changes. If anyone has any problems please reply to this thread (omitting any sensitive information obviously), and we’ll see what we can do to help.

Thanks,
Paul.

Morning all,

Just to update you all, this restriction has now been enabled. We’ve made some tweaks as we noticed that some integrations’ redirect URIs change based on the user’s account. To facilitate this, we’ve added the ability to include wildcards in the registered redirect URIs to match against single alphanumeric hosts/domains or path components (anything matching the /\w+/ regex).

e.g.

https://myapp.com/*/callback will allow redirects to https://myapp.com/123/callback, but not https://myapp.com/123/456/callback

likewise

https://*.myapp.com/callback will allow redirects to https://client1.myapp.com/callback, but not https://client1.test.myapp.com/callback

Hopefully everyone has now updated their integration settings and the change will not affect any of you, but if there are any problems just let us know here and we’ll look into things as required.

Regards,
Paul.
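The matching rule described across the thread (exact match against a registered redirect URI, with `*` standing in for a single `\w+` host label or path segment) is small enough to write out in full. The code below is an added illustration, not FreeAgent's server-side implementation, and it makes a few assumptions the posts do not state: a wildcard must be a whole label or segment (`*.myapp.com`, `/*/callback`, never `cli*`), the scheme and port must match exactly, the query string must equal whatever was registered (normally nothing), and a fragment is always rejected since RFC 6749 forbids one in a redirect URI. The sample URLs are the ones quoted in the thread.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption (not stated in the thread): a wildcard is an entire host label
# or path segment, and it may only stand in for text matching /\w+/.
_COMPONENT = re.compile(r"\w+")


def _segments_match(pattern_segs, candidate_segs):
    """Compare host labels or path segments one-to-one.

    A literal segment must match exactly.  A '*' segment matches exactly one
    candidate segment, and only if that segment is alphanumeric/underscore.
    Differing segment counts never match, so '*' can never absorb 'a.b' or
    'a/b' (this is what rejects client1.test.myapp.com and /123/456/callback).
    """
    if len(pattern_segs) != len(candidate_segs):
        return False
    for pat, cand in zip(pattern_segs, candidate_segs):
        if pat == "*":
            if not _COMPONENT.fullmatch(cand):
                return False
        elif pat != cand:
            return False
    return True


def redirect_uri_matches(registered, candidate):
    """Return True if `candidate` is admitted by the registered URI/pattern."""
    r, c = urlsplit(registered), urlsplit(candidate)
    try:
        # .port raises ValueError on a malformed port; treat that as a mismatch.
        r_port, c_port = r.port, c.port
    except ValueError:
        return False
    # Scheme must be identical: an https registration never admits http.
    if r.scheme.lower() != c.scheme.lower():
        return False
    if r_port != c_port:
        return False
    if r.hostname is None or c.hostname is None:
        return False
    if not _segments_match(r.hostname.split("."), c.hostname.split(".")):
        return False
    if not _segments_match(r.path.split("/"), c.path.split("/")):
        return False
    # Assumption: query must equal the registered one, fragment never allowed.
    return c.query == r.query and c.fragment == ""


def authorize_request_allowed(approve_url, registered_uris):
    """Validate the redirect_uri parameter of an /approve_app request.

    A missing or duplicated redirect_uri is rejected outright; otherwise the
    value must match at least one registered URI or wildcard pattern.
    """
    params = parse_qs(urlsplit(approve_url).query)
    redirect = params.get("redirect_uri", [])
    if len(redirect) != 1:
        return False
    return any(redirect_uri_matches(reg, redirect[0]) for reg in registered_uris)


# Constructed sample data: the integration's registered URIs (one literal, two
# wildcard patterns from the third post) and the two request URLs quoted in
# the first post (left unescaped, as in the thread).
EXAMPLE_REGISTERED = [
    "http://my.app.com/auth",
    "https://myapp.com/*/callback",
    "https://*.myapp.com/callback",
]
LEGITIMATE_REQUEST = (
    "https://api.freeagent.com/v2/approve_app?client_id=0123456789abcdef"
    "&response_type=code&redirect_uri=http://my.app.com/auth"
)
REWRITTEN_REQUEST = (
    "https://api.freeagent.com/v2/approve_app?client_id=0123456789abcdef"
    "&response_type=code&redirect_uri=http://1337.haxxors.com/auth"
)

if __name__ == "__main__":
    print("legitimate:", authorize_request_allowed(LEGITIMATE_REQUEST, EXAMPLE_REGISTERED))
    print("rewritten: ", authorize_request_allowed(REWRITTEN_REQUEST, EXAMPLE_REGISTERED))
```

The fixed-segment-count rule is the important design choice: by refusing to let `*` span a dot or a slash, a registered `https://*.myapp.com/callback` cannot be satisfied by `myapp.com.evil.example` or by a deeper subdomain, and `/*/callback` cannot be satisfied by an extra path level, which is exactly the behaviour the third post describes.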