[Openid-specs-ab] Native apps redirect_uri scheme

William Denniss wdenniss at google.com
Tue Mar 21 19:53:51 UTC 2017


On Tue, Mar 21, 2017 at 12:48 PM, Filip Skokan <panva.ip at gmail.com> wrote:

>
> *William: I think the main point is that there needs to be a distinction
> between *public* and *confidential* clients, but that using the redirect
> URI to determine this is a bad idea.*
> client property application_type with values "native" and "web" seems to
> be the connect way of distinguishing between public and confidential
> clients.
>

I agree.


>
> Furthermore in 8.7/7.1 > *For Custom URI scheme based redirects,
> authorization servers SHOULD enforce the requirement in Section 7.1 that
> clients use reverse domain name based schemes. At a minimum, any scheme
> that doesn't contain a period character ("."), SHOULD be rejected.*
>

Yes. Such schemes violate RFC7595 for private-use URI schemes and are
susceptible to collisions.

Should the Connect spec simply reference the BCP for these guidelines once
it's published I wonder?  That way we can also revise the BCP if the native
app landscape changes over time (as it has here) without needing to modify
the Connect spec.

> While waiting for native apps to be finalized and thus enabled as best
> practice by default in node oidc-provider the developers can choose to
> enable it as an experimental feature, this changes the way
> application_type=native clients' redirect_uris member is validated, here's
> the difference
> <https://github.com/panva/node-oidc-provider/blob/85f1480/lib/helpers/client_schema.js#L450-L477>.
> Special handling was also necessary to allow a dynamic port to be provided for
> Loopback URI Redirection.
>

That was a great change Filip :) I used your provider to validate the
Dynamic Client Registration support in AppAuth.


>
> Best,
> *Filip Skokan*
>
> On Tue, Mar 21, 2017 at 7:00 PM, Mike Jones via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> Can you please file an issue at
>> https://bitbucket.org/openid/connect/issues?status=new&status=open
>> under the Errata milestone proposing specific textual edits to apply?
>>
>> Thanks,
>> -- Mike
>>
>> *From:* Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net]
>> *On Behalf Of *William Denniss via Openid-specs-ab
>> *Sent:* Tuesday, March 21, 2017 10:46 AM
>> *To:* Roland Hedberg <roland at catalogix.se>
>> *Cc:* openid-specs-ab at lists.openid.net
>> *Subject:* Re: [Openid-specs-ab] Native apps redirect_uri scheme
>>
>> +1 to include HTTPS support.  I think the main point is that there needs
>> to be a distinction between *public* and *confidential* clients, but that
>> using the redirect URI to determine this is a bad idea.
>>
>> Regarding localhost vs loopback IP literal:
>>
>> The Native Apps draft recommends using loopback IP literals over
>> localhost, as they are slightly superior.  By default, 127.0.0.1 will
>> strictly receive local traffic only – a desirable security property. It's
>> also immune to hostname resolution issues (it's possible to break localhost
>> resolution).
>>
>> In my testing with .NET on Windows 10, opening a HTTP listener on "
>> http://localhost" opened a socket on all network interfaces and
>> triggered a firewall dialog – while listening on "http://127.0.0.1" did
>> neither.  I'm sure it's possible to configure which network interfaces to
>> use with "localhost", but what I like about 127.0.0.1 is that you don't
>> have to worry about that.
>>
>> Since both are simple static constants – and one is better – I recommend
>> the IP literal.
>>
>> On Tue, Mar 21, 2017 at 9:59 AM, Roland Hedberg via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>> Hi!
>>
>> There is a thing we probably have to issue an errata for in the OIDC
>> client registration document.
>>
>> This is the case:
>>
>> — In http://openid.net/specs/openid-connect-registration-1_0.html it
>> says in the text about
>> application_type:
>>
>> "Native Clients MUST only register redirect_uris using custom URI schemes
>> or URLs using the http: scheme with localhost as the hostname."
>>
>> Now this conflicts with what is said in
>> https://tools.ietf.org/id/draft-ietf-oauth-native-apps-09.html
>> where in section 7 it lists these redirect URI options:
>> 7.1 Custom URI
>> 7.2 HTTPS
>> 7.3 loopback aka HTTP://127.0.0.1
>>
>> Furthermore in 8.6 it says about the use of loopback URI:
>> "While redirect URIs using localhost (i.e.  http://localhost:{port}/)
>> function similarly to loopback IP redirects described in Section 7.3, the
>> use of localhost is NOT RECOMMENDED. "
>>
>> -- Roland
>> "Education is the path from cocky ignorance to miserable uncertainty." -
>> Mark Twain
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
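The native-client redirect_uri rules discussed in this thread (reverse-domain custom schemes that must contain a period, loopback IP literals with a dynamic port, https, and http://localhost being NOT RECOMMENDED), as an added example that is not code from the thread or from node-oidc-provider; the function names and the allowLocalhost option are assumptions:

```javascript
// Added example, not code from the thread or from node-oidc-provider.
// Validates a redirect_uri for an application_type=native client per the
// rules discussed above (draft-ietf-oauth-native-apps-09 sections 7 and 8.7):
//  - custom scheme: reverse-domain style; at minimum it must contain a "."
//  - loopback: http:// with 127.0.0.1 or [::1]; the port is dynamic
//  - https: allowed (app-claimed URLs)
//  - http://localhost: NOT RECOMMENDED (section 8.6), rejected by default
// Uses the global WHATWG URL class available in Node.js and browsers.
const LOOPBACK_HOSTS = new Set(['127.0.0.1', '[::1]']);

function validateNativeRedirectUri(uri, { allowLocalhost = false } = {}) {
  let u;
  try {
    u = new URL(uri);
  } catch (e) {
    return { ok: false, reason: 'not an absolute URI' };
  }
  if (u.hash) return { ok: false, reason: 'fragment not allowed' };
  const scheme = u.protocol.slice(0, -1); // drop the trailing ':'

  if (scheme === 'https') return { ok: true, kind: 'https' };

  if (scheme === 'http') {
    if (LOOPBACK_HOSTS.has(u.hostname)) return { ok: true, kind: 'loopback' };
    if (u.hostname === 'localhost') {
      return allowLocalhost
        ? { ok: true, kind: 'localhost' }
        : { ok: false, reason: 'http://localhost is NOT RECOMMENDED; use 127.0.0.1' };
    }
    return { ok: false, reason: 'plain http is only allowed for loopback redirects' };
  }

  // Private-use (custom) scheme: reject any scheme without a period (RFC 7595).
  if (!scheme.includes('.')) {
    return { ok: false, reason: 'custom scheme must be reverse-domain based (contain ".")' };
  }
  return { ok: true, kind: 'custom' };
}

// At authorization time a loopback redirect_uri matches the registered one when
// everything except the port is identical, because the app picks the port at
// runtime; every other kind must match exactly.
function redirectUriMatches(registered, presented) {
  const r = validateNativeRedirectUri(registered);
  const p = validateNativeRedirectUri(presented);
  if (!r.ok || !p.ok || r.kind !== p.kind) return false;
  if (r.kind !== 'loopback') return registered === presented;
  const a = new URL(registered), b = new URL(presented);
  return a.hostname === b.hostname && a.pathname === b.pathname && a.search === b.search;
}
```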