[Openid-specs-ab] Safe response_type for use with form_post response mode

n-sakimura n-sakimura at nri.co.jp
Wed Jun 25 03:16:54 UTC 2014

Just to elaborate on this point a bit more:

OAuth's looser redirect matching is only for query component.
Otherwise, it MUST exactly match.
So, unless the RP does particularly stupid thing like
embedding open redirector using the query parameter,
it is actually fine.

The problem that we often encounter however is that
many IdPs do not implement the redirect uri endpoint as
required by the RFC6749 but allow forward matching,
which is a recipe for disasters.


(2014/06/25 2:28), John Bradley wrote:
> For OAuth where looser redirect matching is permitted POST may be more secure.

Nat Sakimura (n-sakimura at nri.co.jp)
Nomura Research Institute, Ltd.

The information contained in this e-mail is confidential and intended 
for the named recipient(s) only.
If you are not an intended recipient of this e-mail, you are hereby 
notified that any review, dissemination, distribution or duplication of 
this message is strictly prohibited. If you have received this message 
in error, please notify the sender immediately and delete your copy from 
your system.

More information about the Openid-specs-ab mailing list