[Openid-specs-ab] Question to Google about redirect_uri parameter in authorization request

Breno de Medeiros breno at google.com
Wed Dec 5 16:18:39 UTC 2012


I don't think I have ever written a blog post on the evils of corporate
America. What I said about OAuth2 interoperability is an objective fact
which is not particularly harmful for OAuth2 in general but an issue for
OIDC in particular.

There is enough ambiguity in how OAuth2 deals with the redirect_uri parameter
to be a severe impediment to interoperability and a security risk. If we
wish to have a larger discussion on the issue in general I guess this is a
request that I do so disguised as a personal flame.
On Dec 5, 2012 8:08 AM, "Brian Campbell" <bcampbell at pingidentity.com> wrote:

> On Tue, Dec 4, 2012 at 5:41 PM, Breno de Medeiros <breno at google.com>
> wrote:
> >
> > It's my reading of the OAuth2 spec that servers shouldn't break if
> > passed a redirect_uri on the authorization step.
>
> Sure but that's not at all what I was talking about. It's fine to
> disagree here but please take the time to try to understand what is being
> said before being condescendingly dismissive of it. Justin followed
> the reasoning (thanks BTW Justin) so I don't think it's too much to
> ask or that I've been particularly unclear.
>
> > OTOH OAuth2 is a
> > spec with 'loose' interoperability targets. And that's ultimately the
> > motivation why OIDC often needs to go beyond OAuth2 specifications.
> > You don't have interoperability with OAuth2.
>
> Please spare that hyperbole for personal blog posts attacking the
> evils of big corporate America. It's a crutch argument that's largely
> untrue and any interoperability problems that OAuth 2 might suffer are
> certainly not due to the conditional optionality of one request
> parameter.
>
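For readers following the argument above, here is an added example (not part of the thread or of any participant's code) showing the redirect_uri rules of RFC 6749 section 3.1.2.3 that the conditional optionality hinges on: the parameter may be omitted only by a client that pre-registered exactly one complete redirection URI, a client that registered one URI and sends it anyway must not be rejected, and any value sent must equal a registered one by simple string comparison. The client record type and the error class are assumptions for the example.

```python
"""Resolve the effective redirect_uri for an OAuth 2.0 authorization request.

Rules encoded (RFC 6749 sec. 3.1.2.3):
  * redirect_uri is OPTIONAL only when the client pre-registered exactly
    one complete redirection URI; otherwise it is REQUIRED;
  * when present it MUST match a registered URI by simple string
    comparison (no prefix matching, no normalisation);
  * on a mismatch the server reports the error to the user agent and
    never redirects to the supplied URI.
"""
from dataclasses import dataclass, field
from typing import List, Optional


class RedirectUriError(ValueError):
    """Raised when no safe redirection URI can be determined (assumed name)."""


@dataclass
class RegisteredClient:
    """Minimal client registration record (assumed shape for the example)."""
    client_id: str
    redirect_uris: List[str] = field(default_factory=list)


def resolve_redirect_uri(client: RegisteredClient, requested: Optional[str]) -> str:
    """Return the redirection URI the server may actually redirect to."""
    if requested is None:
        # Omission is only acceptable for a client with exactly one
        # registered full URI; zero or several registered URIs means the
        # client MUST have sent the parameter.
        if len(client.redirect_uris) == 1:
            return client.redirect_uris[0]
        raise RedirectUriError("redirect_uri is required for this client")
    # Parameter present: it must equal a registered value exactly. A
    # single-URI client echoing its registered URI is valid, not an error,
    # which is the point made in the thread about servers not breaking.
    if requested in client.redirect_uris:
        return requested
    # Covers unregistered clients too: with no registered URIs nothing can
    # match, so the request is rejected rather than trusted.
    raise RedirectUriError("redirect_uri does not match a registered value")
```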