[Openid-specs-ab] WGLC for candidate OpenID Connect errata correction drafts

Nat Sakimura nat at nat.consulting
Fri Oct 27 05:10:40 UTC 2023 

Thanks. You can still file these comments during the public review period.

On Fri, 27 Oct 2023 at 02:41, Tom Jones via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

>  In general I like this wording.
>
> Sorry I don't have the time to check, but it needs to be clear that url
> matching includes the port number.
>
> ..tom
>
>
> On Thu, Oct 26, 2023 at 10:32 AM Michael Jones via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> Looking at this again, I now believe that the right addition is:
>>
>>
>>
>> redirect_uri
>>
>> REQUIRED. Redirection URI to which the response will be sent. This URI
>> MUST exactly match one of the Redirection URI values for the Client
>> pre-registered at the OpenID Provider, with the matching performed as
>> described in Section 6.2.1 of [RFC3986]
>> <https://openid.net/specs/openid-connect-core-1_0-33.html#RFC3986>
>> (Simple String Comparison). When using this flow, the Redirection URI
>> SHOULD use the https scheme; however, it MAY use the http scheme,
>> provided that the Client Type is confidential, as defined in Section 2.1
>> of OAuth 2.0, and provided the OP allows the use of http Redirection
>> URIs in this case. Also, if the Client is a native application, it MAY
>> use the http scheme with localhost or the IP loopback literals 127.0.0.1
>> or [::1] as the hostname. The Redirection URI MAY use an alternate
>> scheme, such as one that is intended to identify a callback into a native
>> application.
>>
>>
>>
>> Please confirm.
>>
>>
>>
>>                                                        -- Mike
>>
>>
>>
>> *From:* Vladimir Dzhuvinov <vladimir at connect2id.com>
>> *Sent:* Thursday, October 26, 2023 8:00 AM
>> *To:* Michael Jones <michael_b_jones at hotmail.com>; Artifact
>> Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
>> *Subject:* Re: [Openid-specs-ab] WGLC for candidate OpenID Connect
>> errata correction drafts
>>
>>
>>
>> Thanks Mike. This change should do it to align the OIDC code flow
>> redirect_uri with the rest of the updated specs.
>>
>> Vladimir Dzhuvinov
>>
>>
>>
>> On 26/10/2023 17:38, Michael Jones wrote:
>>
>> Thanks for catching this, Vladimir.
>>
>>
>>
>> Is this the kind of wording you were looking for at
>> https://openid.net/specs/openid-connect-core-1_0-33.html#AuthRequest ?
>>
>>
>>
>> redirect_uri
>>
>> REQUIRED. Redirection URI to which the response will be sent. This URI
>> MUST exactly match one of the Redirection URI values for the Client
>> pre-registered at the OpenID Provider, with the matching performed as
>> described in Section 6.2.1 of [RFC3986]
>> <https://openid.net/specs/openid-connect-core-1_0-33.html#RFC3986>
>> (Simple String Comparison). When using this flow, the Redirection URI
>> SHOULD use the https scheme; however, it MAY use the http scheme,
>> provided that the Client Type is confidential, as defined in Section 2.1
>> of OAuth 2.0, and provided the OP allows the use of http Redirection
>> URIs in this case. It MAY also use the http scheme with localhost or the
>> IP loopback literals 127.0.0.1 or [::1] as the hostname. The Redirection
>> URI MAY use an alternate scheme, such as one that is intended to identify a
>> callback into a native application.
>>
>>
>>
>>                                                        -- Mike
>>
>>
>>
>> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net>
>> <openid-specs-ab-bounces at lists.openid.net> *On Behalf Of *Vladimir
>> Dzhuvinov via Openid-specs-ab
>> *Sent:* Thursday, October 26, 2023 4:10 AM
>> *To:* openid-specs-ab at lists.openid.net
>> *Cc:* Vladimir Dzhuvinov <vladimir at connect2id.com>
>> <vladimir at connect2id.com>
>> *Subject:* Re: [Openid-specs-ab] WGLC for candidate OpenID Connect
>> errata correction drafts
>>
>>
>>
>> Regarding
>>
>> Fixed #2026: Clarified description of loopback hostnames for native
>> applications.
>>
>> I noticed that in OIDC Core the change was applied to the implicit flow
>> and the code flow section not changed.
>>
>> https://bitbucket.org/openid/connect/pull-requests/620
>>
>>
>> https://openid.net/specs/openid-connect-core-1_0-33.html#ImplicitAuthRequest
>>
>> redirect_uri
>>
>> REQUIRED. Redirection URI to which the response will be sent. This URI
>> MUST exactly match one of the Redirection URI values for the Client
>> pre-registered at the OpenID Provider, with the matching performed as
>> described in Section 6.2.1 of [RFC3986]
>> <https://openid.net/specs/openid-connect-core-1_0-33.html#RFC3986>
>> (Simple String Comparison). When using this flow, the Redirection URI MUST
>> NOT use the http scheme unless the Client is a native application, in
>> which case it MAY use the http scheme with localhost or the IP loopback
>> literals 127.0.0.1 or [::1] as the hostname.
>>
>>
>>
>> I was expecting that this errata would apply to the code flow as well,
>> and that the redirect_uri spec here will be aligned with the updated
>> application_type spec in OIDC Dynamic Client Registration. I think this is
>> crucial, developers today are typically concerned with the code flow.
>>
>>
>>
>> https://openid.net/specs/openid-connect-core-1_0-33.html#AuthRequest
>>
>> redirect_uri
>>
>> REQUIRED. Redirection URI to which the response will be sent. This URI
>> MUST exactly match one of the Redirection URI values for the Client
>> pre-registered at the OpenID Provider, with the matching performed as
>> described in Section 6.2.1 of [RFC3986]
>> <https://openid.net/specs/openid-connect-core-1_0-33.html#RFC3986>
>> (Simple String Comparison). When using this flow, the Redirection URI
>> SHOULD use the https scheme; however, it MAY use the http scheme,
>> provided that the Client Type is confidential, as defined in Section 2.1
>> of OAuth 2.0, and provided the OP allows the use of http Redirection
>> URIs in this case. The Redirection URI MAY use an alternate scheme, such as
>> one that is intended to identify a callback into a native application.
>>
>>
>>
>> Vladimir Dzhuvinov
>>
>>
>>
>> On 22/10/2023 02:26, Michael Jones via Openid-specs-ab wrote:
>>
>> The 45-day foundation-wide review is now under way, as announced at
>> https://openid.net/review-second-proposed-errata-openid-connect-specifications/
>> and https://twitter.com/openid/status/1715869175376396543.
>>
>>
>>
>> Thanks to Mike Leszcz for making the blog post.
>>
>>
>>
>>                                                        -- Mike
>>
>>
>>
>> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net>
>> <openid-specs-ab-bounces at lists.openid.net> *On Behalf Of *Michael Jones
>> via Openid-specs-ab
>> *Sent:* Monday, October 2, 2023 6:19 PM
>> *To:* openid-specs-ab at lists.openid.net
>> *Cc:* Michael Jones <michael_b_jones at hotmail.com>
>> <michael_b_jones at hotmail.com>
>> *Subject:* [Openid-specs-ab] WGLC for candidate OpenID Connect errata
>> correction drafts
>>
>>
>>
>> This note begins a two-week Working Group Last Call (WGLC) for the
>> candidate errata correction drafts below.  The WGLC concludes as of the
>> working group call on Monday, October 16.
>>
>>
>>
>> Please let us know if you believe that any changes need to be made to
>> these drafts before the Foundation-wide 45-day review for them.  Please
>> identify any proposed changes by filing issues at
>> https://bitbucket.org/openid/connect/issues?status=new&status=open
>> marked with the Errata milestone.
>>
>>
>>
>> This should put us on track to have approved errata drafts published by
>> the second week of December.
>>
>>
>>
>>                                          -- Mike (writing as co-chair)
>>
>>
>>
>> *From:* Michael Jones
>> *Sent:* Sunday, October 1, 2023 12:26 AM
>> *To:* openid-specs-ab at lists.openid.net
>> *Cc:* Gail Hodges <gail at oidf.org>; Mike Leszcz <mike.leszcz at oidf.org>
>> *Subject:* Second candidate OpenID Connect errata correction drafts
>> published
>>
>>
>>
>> I’ve published drafts incorporating all the additional errata corrections
>> that have been approved for the OpenID Connect family of specifications
>> since the first set of candidate drafts were published on August 13th.
>> This puts us on the doorstep of publishing our second errata set for OpenID
>> Connect and for submission to ISO as Publicly Available Specification (PAS)
>> standards.
>>
>>
>>
>> The drafts incorporating the errata corrections are:
>>
>>    1. https://openid.net/specs/openid-connect-core-1_0-33.html
>>    2. https://openid.net/specs/openid-connect-discovery-1_0-36.html
>>    3. https://openid.net/specs/openid-connect-registration-1_0-38.html
>>    4. https://openid.net/specs/openid-connect-backchannel-1_0-12.html
>>
>>
>>
>> The History sections of the specs describe each of the changes made.  If
>> you want to see the precise changes incorporated, I suggest using your
>> favorite HTML-capable diff tool (such as Microsoft Word) and comparing the
>> baseline docs below to the ones above:
>>
>>
>>
>>    1. https://openid.net/specs/openid-connect-core-1_0-errata1.html
>>    2. https://openid.net/specs/openid-connect-discovery-1_0-errata1.html
>>    3.
>>    https://openid.net/specs/openid-connect-registration-1_0-errata1.html
>>    4. https://openid.net/specs/openid-connect-backchannel-1_0-final.html
>>
>>
>>
>> Diffs are also possible for the .txt and .xml versions of the specs; just
>> substitute “html” in the URLs above for “txt” or “xml” and use your
>> favorite diff tool.
>>
>>
>>
>> I plan to ask for working group review of these changes during Monday’s
>> working group call.  Following the working group review, we’ll hold the
>> foundation-wide 45-day proposed errata review and then the approval vote.
>>
>>
>>
>>                                                        -- Mike
>>
>>
>>
>> P.S.  Our two Implementer’s Guides were also updated in parallel to keep
>> them current with the versions incorporating errata corrections.  The
>> corresponding versions are:
>>
>>    1. https://openid.net/specs/openid-connect-basic-1_0-45.html
>>    2. https://openid.net/specs/openid-connect-implicit-1_0-28.html
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>>
>> Openid-specs-ab mailing list
>>
>> Openid-specs-ab at lists.openid.net
>>
>> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20231027/f96fb215/attachment-0001.html>

More information about the Openid-specs-ab mailing list