[Openid-specs-ab] Native apps redirect_uri scheme

Filip Skokan panva.ip at gmail.com
Tue Mar 21 19:48:22 UTC 2017


*William: I think the main point is that there needs to be a distinction
between *public* and *confidential* clients, but that using the redirect
URI to determine this is a bad idea.*
> client property application_type with values "native" and "web" seems to
be the Connect way of distinguishing between public and confidential
clients.

Furthermore in 8.7/7.1 > *For Custom URI scheme based redirects,
authorization servers SHOULD enforce the requirement in Section 7.1 that
clients use reverse domain name based schemes. At a minimum, any scheme
that doesn't contain a period character ("."), SHOULD be rejected.*

While waiting for native apps to be finalized, and thus enabled as best
practice by default in node oidc-provider, developers can choose to
enable it as an experimental feature. This changes the way
application_type=native clients' redirect_uris member is validated; here's
the difference
<https://github.com/panva/node-oidc-provider/blob/85f1480/lib/helpers/client_schema.js#L450-L477>.
Special handling was also necessary to allow a dynamic port to be provided for
Loopback URI Redirection.

Best,
*Filip Skokan*

On Tue, Mar 21, 2017 at 7:00 PM, Mike Jones via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Can you please file an issue at https://bitbucket.org/openid/connect/issues?status=new&status=open
> under the Errata milestone proposing specific textual edits to apply?
>
>
>
>                                                           Thanks,
>
>                                                           -- Mike
>
>
>
> *From:* Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] *On
> Behalf Of *William Denniss via Openid-specs-ab
> *Sent:* Tuesday, March 21, 2017 10:46 AM
> *To:* Roland Hedberg <roland at catalogix.se>
> *Cc:* openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] Native apps redirect_uri scheme
>
>
>
> +1 to include HTTPS support.  I think the main point is that there needs
> to be a distinction between *public* and *confidential* clients, but that
> using the redirect URI to determine this is a bad idea.
>
>
>
> Regarding localhost vs loopback IP literal:
>
>
>
> The Native Apps draft recommends using loopback IP literals over
> localhost, as they are slightly superior.  By default, 127.0.0.1 will
> strictly receive local traffic only – a desirable security property. It's
> also immune to hostname resolution issues (it's possible to break localhost
> resolution).
>
>
>
> In my testing with .NET on Windows 10, opening an HTTP listener on
> "http://localhost" opened a socket on all network interfaces and triggered
> a firewall dialog – while listening on "http://127.0.0.1" did neither.
> I'm sure it's possible to configure which network interfaces to use with
> "localhost", but what I like about 127.0.0.1 is that you don't have to
> worry about that.
>
>
>
> Since both are simple static constants – and one is better – I recommend
> the IP literal.
>
>
>
> On Tue, Mar 21, 2017 at 9:59 AM, Roland Hedberg via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
> Hi!
>
> There is a thing we probably have to issue an errata for in the OIDC
> client registration document.
>
> This is the case:
>
> — In http://openid.net/specs/openid-connect-registration-1_0.html it says
> in the text about
> application_type:
>
> "Native Clients MUST only register redirect_uris using custom URI schemes
> or URLs using the http: scheme with localhost as the hostname."
>
> Now this conflicts with what is said in
> https://tools.ietf.org/id/draft-ietf-oauth-native-apps-09.html
> where in section 7 it lists these redirect URI options:
> 7.1 Custom URI
> 7.2 HTTPS
> 7.3 loopback aka HTTP://127.0.0.1
>
> Furthermore in 8.6 it says about the use of loopback URI:
> "While redirect URIs using localhost (i.e.  http://localhost:{port}/)
> function similarly to loopback IP redirects described in Section 7.3, the
> use of localhost is NOT RECOMMENDED. "
>
> -- Roland
> "Education is the path from cocky ignorance to miserable uncertainty.” -
> Mark Twain
>
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
>