[Openid-specs-ab] Additional issues with redirect

John Bradley ve7jtb at ve7jtb.com
Sat May 19 00:13:48 UTC 2012

The current connect text follows this from the OAuth spec

   If requiring the
   registration of the complete redirection URI is not possible, the
   authorization server SHOULD require the registration of the URI
   scheme, authority, and path (allowing the client to dynamically vary
   only the query component of the redirection URI when requesting
   The authorization server MAY allow the client to register multiple
   redirection endpoints.

So should the Connect spec take the more strict approach of forcing an exact match including any query parameters.

If matching up to the query parameters only works with some IdP then we will have no end of interop issues.

If you force exact matching  at the authz server why require the redirect_uri at the token endpoint?

John B.

On 2012-05-18, at 7:43 PM, Breno de Medeiros wrote:

> On Fri, May 18, 2012 at 2:41 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>> Justin,
>> What is your interpretation opt OAuth where:
>> 1: the client registers multiple redirect_uri.
>> 2: The client senda a redirect_uri in authz request with query paramaters.
>> 3: The authz server matches the redirect URI with one of the registered ones up to the query string.
>> 4: The client makes a request to the token endpoint without a redirect_uri
>> Is this fine or an error.
>> My reading of the OAuth Draft implies that this should return an error.
>> Though from a security point of view the authz server matching the first time should be sufficient.
>> Thoughts?
>> This is needs to be clear for interop.  If a client only registers one redirect_uri and simply sends a redirect_uri in the request to maintain some state in a query parameter,  should it be forced to remember that parameter and sent it in the request to the token endpoint?
> There is no guarantee that adding a query parameter to a registered
> URI will work. The Google authorization server rejects all
> redirect_uris that don't match registered values, and compares them
> exactly. Adding a query parameter to a redirect_uri will cause Google
> to invalidate the request. That's fully compatible with OAuth2. That's
> why OAuth2 defines a state parameter. The state parameter is not part
> of the request to the token endpoint.
>> John B.
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> -- 
> --Breno

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120518/047fc58b/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4937 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120518/047fc58b/attachment-0001.p7s>

More information about the Openid-specs-ab mailing list