[Openid-specs-ab] Safe response_type for use with form_post response mode
n-sakimura
n-sakimura at nri.co.jp
Wed Jun 25 03:16:54 UTC 2014
Just to elaborate on this point a bit more:
OAuth's looser redirect matching is only for the query component.
Otherwise, it MUST exactly match.
So, unless the RP does a particularly stupid thing like
embedding an open redirector using the query parameter,
it is actually fine.
The problem that we often encounter, however, is that
many IdPs do not implement the redirect URI check as
required by RFC 6749 but allow forward matching,
which is a recipe for disaster.
Nat
(2014/06/25 2:28), John Bradley wrote:
> For OAuth where looser redirect matching is permitted POST may be more secure.
--
Nat Sakimura (n-sakimura at nri.co.jp)
Nomura Research Institute, Ltd.
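The three matching rules discussed in this thread side by side, as an added example that is not part of the original post or of any implementation Nat or John mention: exact string comparison (what OpenID Connect Core 3.1.2.1 requires), the RFC 6749 3.1.2.2 fallback in which scheme, authority and path are fixed and only the query may vary, and the "forward" (prefix) matching Nat warns about. The registered URI, the RP host and the attacker-supplied redirect_uri values are constructed for the example.

```python
from urllib.parse import urlsplit

# Hypothetical RP registration, constructed for this example.
REGISTERED_REDIRECT_URI = "https://rp.example/oauth/callback"


def exact_match(registered: str, requested: str) -> bool:
    """OpenID Connect Core 3.1.2.1: the whole URI must match by simple
    string comparison (RFC 3986 section 6.2.1), query included."""
    return registered == requested


def query_variable_match(registered: str, requested: str) -> bool:
    """RFC 6749 3.1.2.2 fallback when the complete URI is not registered:
    scheme, authority and path are fixed, only the query component may
    vary. RFC 6749 3.1.2 also forbids a fragment component."""
    reg, req = urlsplit(registered), urlsplit(requested)
    if req.fragment:
        return False
    return (reg.scheme, reg.netloc, reg.path) == (req.scheme, req.netloc, req.path)


def prefix_match(registered: str, requested: str) -> bool:
    """The "forward matching" many IdPs implement: anything that starts
    with the registered string is accepted. Not sanctioned by RFC 6749."""
    return requested.startswith(registered)


POLICIES = {
    "exact": exact_match,
    "query_variable": query_variable_match,
    "prefix": prefix_match,
}


def evaluate(requested: str, registered: str = REGISTERED_REDIRECT_URI) -> dict:
    """Return, per policy, whether `requested` would be accepted for `registered`."""
    return {name: fn(registered, requested) for name, fn in POLICIES.items()}


# Constructed redirect_uri values: the legitimate one plus the kinds of
# value an attacker might put in an authorization request.
SAMPLES = {
    "legitimate": "https://rp.example/oauth/callback",
    "extra_query": "https://rp.example/oauth/callback?session=42",
    # Passes the query-variable rule; only harmful if the callback handler
    # itself honours `next` (the open-redirector-in-the-query case).
    "open_redirect_in_query": "https://rp.example/oauth/callback?next=https://attacker.example/",
    # The IdP sees a string that starts with the registered prefix; the
    # browser resolves the dot-segments to https://rp.example/redirect?to=...
    "dot_segment_escape": "https://rp.example/oauth/callback/../../redirect?to=https://attacker.example/",
    # Fragments are never allowed in a redirect_uri.
    "fragment": "https://rp.example/oauth/callback#code=stolen",
}

if __name__ == "__main__":
    for label, uri in SAMPLES.items():
        print(f"{label:24s} {evaluate(uri)}")
    # Prefix matching on a bare origin also accepts look-alike hosts.
    print("host_suffix_attack", evaluate("https://rp.example.attacker.test/cb",
                                         registered="https://rp.example"))
```

Under the query-variable rule the only value that gets through besides the legitimate ones is the `next=` variant, which is exactly the "open redirector using the query parameter" case Nat describes as the RP's own mistake; the dot-segment and fragment values are rejected because path and fragment are compared, not just the prefix. Prefix matching accepts every sample, including a redirect to a different host when the registration is a bare origin.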