[Openid-specs-ab] Additional issues with redirect

Breno de Medeiros breno at google.com
Sat May 19 00:17:20 UTC 2012


On Fri, May 18, 2012 at 5:13 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> The current connect text follows this from the OAuth spec
>
>    If requiring the
>    registration of the complete redirection URI is not possible,

It's our belief that this is possible. So we are not departing from
the spec in this reading. Given the spec text, it is certainly NOT
safe to assume that clients MAY add arbitrary parameters to redirect
URIs and expect interoperability.

> the
>    authorization server SHOULD require the registration of the URI
>    scheme, authority, and path (allowing the client to dynamically vary
>    only the query component of the redirection URI when requesting
>    authorization).
>    The authorization server MAY allow the client to register multiple
>    redirection endpoints.
>
>
> So should the Connect spec take the more strict approach of forcing an exact
> match including any query parameters?
>
> If matching up to the query parameters only works with some IdP then we will
> have no end of interop issues.
>
> If you force exact matching at the authz server why require the
> redirect_uri at the token endpoint?
>
> John B.
>
>
> On 2012-05-18, at 7:43 PM, Breno de Medeiros wrote:
>
>> On Fri, May 18, 2012 at 2:41 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>
>> Justin,
>>
>> What is your interpretation of OAuth where:
>>
>> 1: the client registers multiple redirect_uri.
>>
>> 2: The client sends a redirect_uri in authz request with query parameters.
>>
>> 3: The authz server matches the redirect URI with one of the registered ones
>> up to the query string.
>>
>> 4: The client makes a request to the token endpoint without a redirect_uri
>>
>> Is this fine or an error?
>>
>> My reading of the OAuth Draft implies that this should return an error.
>>
>> Though from a security point of view the authz server matching the first
>> time should be sufficient.
>>
>> Thoughts?
>>
>> This needs to be clear for interop. If a client only registers one
>> redirect_uri and simply sends a redirect_uri in the request to maintain some
>> state in a query parameter, should it be forced to remember that parameter
>> and send it in the request to the token endpoint?
>
> There is no guarantee that adding a query parameter to a registered
> URI will work. The Google authorization server rejects all
> redirect_uris that don't match registered values, and compares them
> exactly. Adding a query parameter to a redirect_uri will cause Google
> to invalidate the request. That's fully compatible with OAuth2. That's
> why OAuth2 defines a state parameter. The state parameter is not part
> of the request to the token endpoint.
>
>> John B.
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
> --
> --Breno



-- 
--Breno
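As an added illustration, not from the thread or from any authorization server it mentions, here is a small Python model of the two redirect_uri matching policies under discussion (exact match versus match up to the query component), the state-parameter approach Breno describes, and the token-endpoint comparison John asks about. The registered URIs, client id and code value are constructed placeholders.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed registration: the client registered two redirect URIs (placeholder values).
REGISTERED = {"https://client.example/cb", "https://client.example/alt-cb"}

def matches_exactly(requested: str) -> bool:
    """Strict policy: the requested value must be byte-identical to a registration."""
    return requested in REGISTERED

def matches_up_to_query(requested: str) -> bool:
    """Lenient policy: scheme, authority and path must match a registration; the
    query component may vary (the RFC 6749 fallback quoted in the thread)."""
    r = urlsplit(requested)
    if r.fragment:  # fragments are never permitted in a redirect URI
        return False
    return any((r.scheme, r.netloc, r.path) == (g.scheme, g.netloc, g.path)
               for g in map(urlsplit, REGISTERED))

def build_authz_params(client_state: str) -> dict:
    """Client side: send redirect_uri exactly as registered and carry per-request
    data in `state`, so even a strict authorization server accepts the request."""
    return {"response_type": "code", "client_id": "example-client",  # constructed id
            "redirect_uri": "https://client.example/cb", "state": client_state}

def authz_endpoint(params: dict, strict: bool) -> Optional[dict]:
    """Server side: validate redirect_uri before issuing a code, and bind the value
    used to the code so the token endpoint can compare it later."""
    uri = params["redirect_uri"]
    accepted = matches_exactly(uri) if strict else matches_up_to_query(uri)
    if not accepted:
        return None  # invalid request: nothing is redirected to an unregistered URI
    return {"code": "c0de-constructed", "redirect_uri": uri, "state": params.get("state")}

def token_endpoint_ok(issued: dict, token_req: dict) -> bool:
    """RFC 6749 section 4.1.3: when redirect_uri was sent in the authorization
    request, the token request must repeat the identical value."""
    return token_req.get("redirect_uri") == issued["redirect_uri"]

if __name__ == "__main__":
    strict_ok = authz_endpoint(build_authz_params("csrf-nonce-1"), strict=True)
    print("strict server, state carried in `state`:", strict_ok is not None)
    print("strict server, state appended to redirect_uri:",
          authz_endpoint({"redirect_uri": "https://client.example/cb?s=1"}, True) is not None)
```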

