[Openid-specs-ab] Inconsistency in redirect_uri definitions

Justin Richer jricher at mitre.org
Fri Jun 7 19:20:00 UTC 2013


wfm.
  - justin

On 06/07/2013 03:20 PM, John Bradley wrote:
> OK
>
> On 2013-06-07, at 9:08 PM, Mike Jones <Michael.Jones at microsoft.com 
> <mailto:Michael.Jones at microsoft.com>> wrote:
>
>> How about then:
>> "REQUIRED. Redirection URI to which the response will be sent. All 
>> segments of this URI MUST exactly match one of the redirect_uris 
>> registered for the client_id, with the matching performed as 
>> described in [RFC3986] Section 6.2.1 (Simple String Comparison)."
>> (adding "(Simple String Comparison)").
>> -- Mike
>> *From:*John Bradley [mailto:ve7jtb at ve7jtb.com <http://ve7jtb.com>]
>> *Sent:*Friday, June 07, 2013 12:00 PM
>> *To:*Tim Bray
>> *Cc:*Mike Jones; openid-specs-ab at lists.openid.net 
>> <mailto:openid-specs-ab at lists.openid.net>
>> *Subject:*Re: [Openid-specs-ab] Inconsistency in redirect_uri definitions
>> I think we are saying the same thing.   I am recommending against the 
>> AS normalizing.  But I want it to be clear that the comparison is the 
>> whole URI and not have people strip off the query parameters or 
>> ignore the port for the comparison.
>> How about:
>>
>>         "REQUIRED. Redirection URI to which the response will be
>>         sent. All segments of this URI MUST exactly match one of the
>>         redirect_uris registered for the client_id, with the matching
>>         performed as described in [RFC3986] section 6.2.1"
>>
>> On 2013-06-07, at 8:54 PM, John Bradley <ve7jtb at ve7jtb.com 
>> <mailto:ve7jtb at ve7jtb.com>> wrote:
>>
>>
>> RFC 3986 is about URI generic syntax; we would need to point 
>> specifically to Simple String Comparison, Sec 6.2.1.
>> On 2013-06-07, at 8:48 PM, Tim Bray <tbray at textuality.com 
>> <mailto:tbray at textuality.com>> wrote:
>>
>>
>> I recommend "REQUIRED. Redirection URI to which the response will be 
>> sent. This URI MUST exactly match one of the redirect_uris registered 
>> for the client_id, with the matching performed as described in 
>> [RFC3986] section 6.2.1"
>>
>> On Fri, Jun 7, 2013 at 11:39 AM, Mike Jones 
>> <Michael.Jones at microsoft.com <mailto:Michael.Jones at microsoft.com>> wrote:
>> So you're advocating copying the definition in Messages to Standard 
>> and deleting the words "the Scheme, Host, and Path segments of" from 
>> Registration, correct?  If not, please supply alternative exact wording.
>> -- Mike
>> *From:*John Bradley [mailto:ve7jtb at ve7jtb.com <mailto:ve7jtb at ve7jtb.com>]
>> *Sent:*Friday, June 07, 2013 11:33 AM
>> *To:*Tim Bray
>> *Cc:*Mike Jones;openid-specs-ab at lists.openid.net 
>> <mailto:openid-specs-ab at lists.openid.net>
>>
>> *Subject:*Re: [Openid-specs-ab] Inconsistency in redirect_uri definitions
>> Google is comparing them as strings requiring an exact match as I 
>> understand it.
>> Anything other than an exact match of the string of octets is 
>> likely to fail with some IdP.  It would be nice to do URI to URI 
>> comparisons but that tends to have interoperability problems.   From 
>> a security point of view Standard is correct and should be copied to 
>> the other specs.
>> From an interoperability point of view saying it is an exact match of 
>> the octets may save a bunch of interoperability issues.
>> Pointing to RFC3986 for comparison rules saying we are not doing 
>> normalization and will perform a comparison of the UTF8 code-points 
>> to be more specific.
>> John
>> On 2013-06-07, at 7:45 PM, Tim Bray <tbray at textuality.com 
>> <mailto:tbray at textuality.com>> wrote:
>>
>> When you say "match Standard" you mean referring to the enumeration 
>> of scheme/host/path/query, I assume.  As opposed to the reference to 
>> dynamic client registration?  BTW RFC3986 section 6.2 
>> (http://tools.ietf.org/html/rfc3986#section-6.2) has useful material 
>> on URI comparison. You could simply refer to 6.2.1 and omit the 
>> enumeration.
>>
>> On Fri, Jun 7, 2013 at 10:33 AM, Mike Jones 
>> <Michael.Jones at microsoft.com <mailto:Michael.Jones at microsoft.com>> wrote:
>> While working on the spelling and grammar check, I noticed the 
>> following in redirect_uri definitions. While I hate to bring this up 
>> while we're trying to finish the Implementer's Drafts, this is 
>> potentially a recall-class issue, so I wanted to raise it now, rather 
>> than have it come up later.
>> Messages, Basic, and Implicit say:
>> redirect_uri
>> REQUIRED. Redirection URI to which the response will be sent. This 
>> MUST be pre-registered with the OpenID Provider.
>> Standard says:
>> redirect_uri
>> REQUIRED. Redirection URI to which the response will be sent. The 
>> Scheme, Host, Path, and Query Parameter segments of this URI MUST 
>> match one of the redirect_uris registered for the client_id in the OpenID 
>> Connect Dynamic Client Registration 1.0 [OpenID.Registration] 
>> specification.
>> Dynamic Registration says:
>> redirect_uris
>> REQUIRED. Array of redirection URIs values used in the Authorization 
>> Code and Implicit grant types. One of these registered redirection 
>> URI values MUST match the Scheme, Host, and Path segments of 
>> the redirect_uri parameter value used in each Authorization Request.
>> Should Messages, Basic, and Implicit be changed to match Standard?  
>> That's my sense of the situation, but wanted to get others' input 
>> before doing so.
>> Thanks,
>> -- Mike
>>
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net 
>> <mailto:Openid-specs-ab at lists.openid.net>
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>
>
>
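The difference the thread settles on, between Simple String Comparison of the whole redirect_uri (RFC 3986 Section 6.2.1) and the looser scheme/host/path rule from the Registration draft, as an added example that is not part of the thread; the client registration and the sample URIs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed example registration for a hypothetical client; not from the thread.
REGISTERED = {"client-1": ["https://app.example.com/cb?flow=login"]}


def strict_match(requested: str, registered: list[str]) -> bool:
    """RFC 3986 section 6.2.1 Simple String Comparison: the whole URI is
    compared code point for code point, with no normalization of scheme,
    host, port, path or query."""
    return any(requested == uri for uri in registered)


def scheme_host_path_match(requested: str, registered: list[str]) -> bool:
    """The looser rule from the Registration draft quoted in the thread:
    only scheme, host and path are compared; port and query are ignored
    (urlsplit also lower-cases the host, so host case is ignored too)."""
    req = urlsplit(requested)
    for uri in registered:
        reg = urlsplit(uri)
        if (req.scheme, req.hostname, req.path) == (reg.scheme, reg.hostname, reg.path):
            return True
    return False


def evaluate(client_id: str, requested: str) -> tuple[bool, bool]:
    """Return (strict, loose) verdicts for one Authorization Request value."""
    registered = REGISTERED.get(client_id, [])
    return strict_match(requested, registered), scheme_host_path_match(requested, registered)


# Constructed variants of the registered URI; each differs in one segment only.
SAMPLES = {
    "exact":       "https://app.example.com/cb?flow=login",
    "extra_query": "https://app.example.com/cb?flow=login&next=x",
    "other_port":  "https://app.example.com:8443/cb?flow=login",
    "host_case":   "https://APP.example.com/cb?flow=login",
    "trailing":    "https://app.example.com/cb/?flow=login",
}

if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        strict, loose = evaluate("client-1", uri)
        print(f"{name:12} strict={strict!s:5} scheme/host/path={loose}")
```

Only the exact string passes the strict check; the port, query and host-case variants slip through the scheme/host/path rule, which is the gap the thread's final wording closes.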
