[Openid-specs-ab] Additional issues with redirect

Breno de Medeiros breno at google.com
Fri May 18 23:43:42 UTC 2012

On Fri, May 18, 2012 at 2:41 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> Justin,
> What is your interpretation opt OAuth where:
> 1: the client registers multiple redirect_uri.
> 2: The client senda a redirect_uri in authz request with query paramaters.
> 3: The authz server matches the redirect URI with one of the registered ones up to the query string.
> 4: The client makes a request to the token endpoint without a redirect_uri
> Is this fine or an error.
> My reading of the OAuth Draft implies that this should return an error.
> Though from a security point of view the authz server matching the first time should be sufficient.
> Thoughts?
> This is needs to be clear for interop.  If a client only registers one redirect_uri and simply sends a redirect_uri in the request to maintain some state in a query parameter,  should it be forced to remember that parameter and sent it in the request to the token endpoint?

There is no guarantee that adding a query parameter to a registered
URI will work. The Google authorization server rejects all
redirect_uris that don't match registered values, and compares them
exactly. Adding a query parameter to a redirect_uri will cause Google
to invalidate the request. That's fully compatible with OAuth2. That's
why OAuth2 defines a state parameter. The state parameter is not part
of the request to the token endpoint.
> John B.
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab


More information about the Openid-specs-ab mailing list