[Openid-specs-ab] Additional issues with redirect

Breno de Medeiros breno at google.com
Tue May 22 17:48:00 UTC 2012


On Tue, May 22, 2012 at 10:38 AM, Breno de Medeiros <breno at google.com> wrote:
> On Sat, May 19, 2012 at 11:34 AM, Roland Hedberg
> <roland.hedberg at adm.umu.se> wrote:
>>
>> 19 maj 2012 kl. 07:34 skrev Breno de Medeiros:
>>
>>> Google authz server requires exact match and allows no query
>>> parameters. The OAuth2 protocol was designed to support this by adding
>>> a pre-defined state parameter.
>>
>> When you say exact match is that for the whole URI (leaving the query part out)?
>> Because I read 3.1.2.3 of the OAuth2 draft to allow for registering a partial redirect URI.


OAuth2's language allows for partial specification of a redirect URI
but does not specify that the server is required to allow looser
match. In fact, my reading of the language in the OAuth2 spec is that
it encourages servers to be more strict, rather than permissive with
the redirect_uri matching approach. Google's current approach of exact
match is both protocol compliant and I believe implements a best
practice in this regard. The protocol added a state parameter to allow
for such practice.

>>
>> To be specific I should be able to register:
>>  http://example.org/cb
>> and then have as the redirect_uri
>>  http://example.org/cb/foo
>> at least that is how I read the text.
>>
>> Would the Google authz server allow that?
> No, it doesn't.
>
>>
>> -- Roland
>> ------------------------------------------------------
>> Roland Hedberg
>> IT Architect/Senior Researcher
>> ICT Services and System Development (ITS)
>> Umeå University
>> SE-901 87 Umeå, Sweden
>> Phone +46 90 786 68 44
>> Mobile +46 70 696 68 44
>> www.its.umu.se
>>
>
>
>
> --
> --Breno



-- 
--Breno
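The two redirect_uri matching policies discussed in this thread, side by side, as an added example that is not from the list archive, from Google's authorization server, or from the OAuth2 draft text. The registered URI `http://example.org/cb` and the candidate URIs are the ones quoted above; the function names, the in-memory registry and the `code`/`state` values are assumptions constructed for the illustration. It shows that exact match rejects both the sub-path `http://example.org/cb/foo` and any query string, that a naive prefix match accepts those and more, and how the `state` parameter carries per-request data without loosening the match.

```python
from urllib.parse import urlencode, urlsplit

# Constructed registry: what the client registered with the authorization server.
REGISTERED_REDIRECT_URIS = {"http://example.org/cb"}


def exact_match(candidate: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Strict policy described in the thread: the whole URI must equal a
    registered value, and no query string or fragment is permitted."""
    parts = urlsplit(candidate)
    if parts.query or parts.fragment:
        return False
    return candidate in registered


def prefix_match(candidate: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Looser reading of the draft: the registered value is treated as a
    prefix of the requested redirect_uri. Shown here to make the difference
    visible; note that plain string-prefix matching also accepts
    http://example.org/cbx and any query string the client chooses."""
    return any(candidate.startswith(reg) for reg in registered)


def build_authorization_redirect(redirect_uri: str, code: str, state: str) -> str:
    """Server-side construction of the final redirect after a successful
    exact-match check: per-request data travels in the state parameter
    (echoed back as sent) and the server appends code and state itself,
    so the registered URI never needs to vary per request."""
    if not exact_match(redirect_uri):
        raise ValueError("redirect_uri is not registered: %r" % redirect_uri)
    return redirect_uri + "?" + urlencode({"code": code, "state": state})


def compare_policies(candidate: str) -> dict:
    """Return the verdict of each policy for one candidate redirect_uri."""
    return {"exact": exact_match(candidate), "prefix": prefix_match(candidate)}


if __name__ == "__main__":
    for uri in (
        "http://example.org/cb",          # the registered value itself
        "http://example.org/cb/foo",      # sub-path from the thread
        "http://example.org/cb?foo=1",    # query parameter appended
        "http://example.org/cbx",         # prefix-match pitfall
        "http://attacker.example/cb",     # different host
    ):
        print(uri, compare_policies(uri))
    # Constructed code/state values, not real tokens.
    print(build_authorization_redirect("http://example.org/cb", "abc123", "xyz789"))
```

The practical consequence for a client is the one Breno describes: with exact matching, anything that would otherwise have been encoded into the redirect path or query (a return-to page, a CSRF nonce) has to go into `state`, which the server returns untouched alongside `code`.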

