[Openid-specs-ab] Native apps redirect_uri scheme

Nat Sakimura sakimura at gmail.com
Tue Mar 21 20:14:37 UTC 2017


+1 to just referencing the BCP.

On Wed, Mar 22, 2017, 3:54 AM William Denniss via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> On Tue, Mar 21, 2017 at 12:48 PM, Filip Skokan <panva.ip at gmail.com> wrote:
>
>
> *William: I think the main point is that there needs to be a distinction
> between *public* and *confidential* clients, but that using the redirect
> URI to determine this is a bad idea.*
> > client property application_type with values "native" and "web" seems to
> be the connect way of distinguishing between public and confidential
> clients.
>
>
> I agree.
>
>
>
> Furthermore in 8.7/7.1 > *For Custom URI scheme based redirects,
> authorization servers SHOULD enforce the requirement in Section 7.1 that
> clients use reverse domain name based schemes. At a minimum, any scheme
> that doesn't contain a period character ("."), SHOULD be rejected.*
>
>
> Yes. Such schemes violate RFC7595 for private-use URI schemes and are
> susceptible to collisions.
>
> Should the Connect spec simply reference the BCP for these guidelines once
> it's published I wonder?  That way we can also revise the BCP if the native
> app landscape changes over time (as it has here) without needing to modify
> the Connect spec.
>
> While waiting for native apps to be finalized and thus enabled as best
> practice by default in node oidc-provider, developers can choose to
> enable it as an experimental feature; this changes the way
> application_type=native clients' redirect_uris member is validated, here's
> the difference
> <https://github.com/panva/node-oidc-provider/blob/85f1480/lib/helpers/client_schema.js#L450-L477>.
> Special handling was also necessary to allow a dynamic port to be provided for
> Loopback URI Redirection.
>
>
> That was a great change Filip :) I used your provider to validate the
> Dynamic Client Registration support in AppAuth.
>
>
>
> Best,
> *Filip Skokan*
>
> On Tue, Mar 21, 2017 at 7:00 PM, Mike Jones via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
> Can you please file an issue at
> https://bitbucket.org/openid/connect/issues?status=new&status=open under
> the Errata milestone proposing specific textual edits to apply?
>
>
>
>                                                           Thanks,
>
>                                                           -- Mike
>
>
>
> *From:* Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] *On
> Behalf Of *William Denniss via Openid-specs-ab
> *Sent:* Tuesday, March 21, 2017 10:46 AM
> *To:* Roland Hedberg <roland at catalogix.se>
> *Cc:* openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] Native apps redirect_uri scheme
>
>
>
> +1 to include HTTPS support.  I think the main point is that there needs
> to be a distinction between *public* and *confidential* clients, but that
> using the redirect URI to determine this is a bad idea.
>
>
>
> Regarding localhost vs loopback IP literal:
>
>
>
> The Native Apps draft recommends using loopback IP literals over
> localhost, as they are slightly superior.  By default, 127.0.0.1 will
> strictly receive local traffic only – a desirable security property. It's
> also immune to hostname resolution issues (it's possible to break localhost
> resolution).
>
>
>
> In my testing with .NET on Windows 10, opening an HTTP listener on "
> http://localhost" opened a socket on all network interfaces and triggered
> a firewall dialog – while listening on "http://127.0.0.1" did neither.
> I'm sure it's possible to configure which network interfaces to use with
> "localhost", but what I like about 127.0.0.1 is that you don't have to
> worry about that.
>
>
>
> Since both are simple static constants – and one is better – I recommend
> the IP literal.
>
>
>
> On Tue, Mar 21, 2017 at 9:59 AM, Roland Hedberg via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
> Hi!
>
> There is a thing we probably have to issue an errata for in the OIDC
> client registration document.
>
> This is the case:
>
> — In http://openid.net/specs/openid-connect-registration-1_0.html it says
> in the text about
> application_type:
>
> "Native Clients MUST only register redirect_uris using custom URI schemes
> or URLs using the http: scheme with localhost as the hostname."
>
> Now this conflicts with what is said in
> https://tools.ietf.org/id/draft-ietf-oauth-native-apps-09.html
> where in section 7 it lists these redirect URI options:
> 7.1 Custom URI
> 7.2 HTTPS
> 7.3 loopback aka HTTP://127.0.0.1
>
> Furthermore in 8.6 it says about the use of loopback URI:
> "While redirect URIs using localhost (i.e.  http://localhost:{port}/)
> function similarly to loopback IP redirects described in Section 7.3, the
> use of localhost is NOT RECOMMENDED. "
>
> -- Roland
> "Education is the path from cocky ignorance to miserable uncertainty." -
> Mark Twain
>
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
>
>
>
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation
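The validation rules the thread converges on (reverse-domain custom schemes that must contain a period, http only with a loopback IP literal, https for app-claimed redirects, and any port accepted for a registered loopback redirect) as a worked example in Node.js. This is added illustration code, not text from the thread and not node-oidc-provider's own client_schema.js; the function names, the outright rejection of localhost (the draft only says NOT RECOMMENDED) and the rejection of https redirects to a loopback host are this example's choices.

```javascript
'use strict';

// Hostnames the WHATWG URL parser reports for loopback IP literals.
const LOOPBACK_HOSTS = new Set(['127.0.0.1', '[::1]']);

// Classify one redirect_uri of an application_type=native client against
// draft-ietf-oauth-native-apps sections 7.1-7.3 and 8.6/8.7.
// Returns { kind: 'custom' | 'loopback' | 'https' | null, reason }.
function classifyNativeRedirectUri(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { kind: null, reason: 'not an absolute URI' };
  }
  const scheme = url.protocol.slice(0, -1); // drop the trailing ':'

  if (scheme === 'http') {
    // Section 7.3: loopback IP literal. Section 8.6 says localhost is NOT
    // RECOMMENDED; this example (a design choice here) rejects it outright.
    if (LOOPBACK_HOSTS.has(url.hostname)) return { kind: 'loopback', reason: null };
    return { kind: null, reason: 'http is only allowed with a loopback IP literal (127.0.0.1 or [::1])' };
  }
  if (scheme === 'https') {
    // Section 7.2: app-claimed https redirect; it needs a real, claimable host.
    if (url.hostname === '' || url.hostname === 'localhost' || LOOPBACK_HOSTS.has(url.hostname)) {
      return { kind: null, reason: 'https redirect must use a claimable host name' };
    }
    return { kind: 'https', reason: null };
  }
  // Sections 7.1 / 8.7: custom schemes must be reverse domain name based,
  // so at minimum they must contain a period.
  if (!scheme.includes('.')) {
    return { kind: null, reason: 'custom scheme must be reverse domain name based (contain a ".")' };
  }
  return { kind: 'custom', reason: null };
}

// Validate the redirect_uris array of a native client registration request.
// Returns { ok: true, kinds } or { ok: false, error } (the error text is what
// an invalid_redirect_uri registration error would carry).
function validateNativeRedirectUris(redirectUris) {
  if (!Array.isArray(redirectUris) || redirectUris.length === 0) {
    return { ok: false, error: 'redirect_uris must be a non-empty array' };
  }
  const kinds = [];
  for (const uri of redirectUris) {
    const { kind, reason } = classifyNativeRedirectUri(uri);
    if (!kind) return { ok: false, error: `${uri}: ${reason}` };
    kinds.push(kind);
  }
  return { ok: true, kinds };
}

// Authorization-time comparison of the presented redirect_uri with a
// registered one: exact string match, except that a registered loopback
// redirect matches on any port (section 7.3), because the app only learns
// its ephemeral port when it opens the listener.
function redirectUriMatches(registered, presented) {
  if (classifyNativeRedirectUri(registered).kind !== 'loopback') {
    return registered === presented;
  }
  let a;
  let b;
  try {
    a = new URL(registered);
    b = new URL(presented);
  } catch (e) {
    return false;
  }
  return a.protocol === b.protocol && a.hostname === b.hostname &&
         a.pathname === b.pathname && a.search === b.search;
}
```

Note that the port-insensitive branch still compares scheme, host literal, path and query, so `http://localhost:51004/cb` does not match a registered `http://127.0.0.1/cb`; the only freedom granted is the port.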
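The app side of the same mechanism: the loopback listener a native app opens before it launches the browser, binding the 127.0.0.1 literal (not localhost) on an ephemeral port, as William's message argues for. This is an added example, not code from the thread, from AppAuth or from node-oidc-provider; the single-use behaviour, the response body and the returned object shape are this example's choices.

```javascript
'use strict';
const http = require('http');

// Open the loopback redirect listener for a section 7.3 redirect URI.
// Port 0 asks the OS for an ephemeral port, which is why the authorization
// server must ignore the port when matching the registered loopback URI.
// Binding the IP literal keeps the socket on the loopback interface and
// avoids host name resolution entirely.
// Resolves to { redirectUri, waitForCallback(), close() }.
function startLoopbackListener(callbackPath = '/cb') {
  return new Promise((resolve, reject) => {
    let received = null; // first authorization response, if it arrived early
    let pending = null;  // resolver of a waitForCallback() call in progress

    const server = http.createServer((req, res) => {
      // req.url is path + query only; the base is needed for parsing.
      const url = new URL(req.url, 'http://127.0.0.1');
      res.setHeader('Connection', 'close');
      if (url.pathname !== callbackPath) {
        res.statusCode = 404;
        res.end();
        return;
      }
      const result = {
        code: url.searchParams.get('code'),
        state: url.searchParams.get('state'),
        error: url.searchParams.get('error'),
      };
      res.statusCode = 200;
      res.setHeader('Content-Type', 'text/plain');
      res.end('Authorization response received; you can close this window.');
      // Single use: stop accepting connections after the first hit.
      server.close();
      if (pending) {
        pending(result);
        pending = null;
      } else {
        received = result;
      }
    });

    server.once('error', reject);
    server.listen(0, '127.0.0.1', () => {
      const { address, port } = server.address();
      resolve({
        redirectUri: `http://${address}:${port}${callbackPath}`,
        waitForCallback: () => new Promise((res) => {
          if (received) res(received);
          else pending = res;
        }),
        close: () => server.close(),
      });
    });
  });
}
```

The returned redirectUri is what the app puts in the authorization request; the state it sends must be checked against the state that comes back before the code is exchanged.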