[Openid-specs-ab] redirect_uri matching clarification

Anganes, Amanda L aanganes at mitre.org
Thu May 17 16:01:06 UTC 2012


A few developers here have asked questions about the connection between sections 2.3.1 and 3.1.1 with regard to redirect_uri matching.

2.3.1, Authorization Request: "Scheme, Host, and Path segments of this URI MUST match one of the redirect_uris registered for the client_id in the OpenID Connect Dynamic Client Registration 1.0 [OpenID.Registration] specification."

3.1.1, Token Request: "The Authorization Server MUST: ... Ensure that the redirect_uri parameter is present if the redirect_uri parameter was included in the initial Authorization Request and that their values are identical."

Pulling out these two sections and placing them side by side, these developers have been confused as to why there are two different requirements. Does "identical" in 3.1.1 mean the two strings must be exactly the same, or does it refer to the scheme, host, and path matching indicated in 2.3.1?

Taking the whole document into consideration, it makes sense why these two requirements are different - query parameters can be passed in the Authorization Request redirect_uri, and that URI should still be able to be matched against the registered URIs. Thus it makes sense to check scheme, host, and path only. The Token Request should use the exact same redirect_uri as used in the Authorization Request, including query parameters, so the two values should be identical strings.

The wording in the spec is correct, but I think it would benefit from some more explanation to call out the difference between the checks done at the two endpoints. I can suggest text if others agree that this is worth clarifying.

Amanda Anganes
Info Sys Engineer, G061
The MITRE Corporation
782-271-3103
aanganes at mitre.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120517/3598ed56/attachment.html>


More information about the Openid-specs-ab mailing list