[Openid-specs-ab] Question to Google about redirect_uri parameter in authorization request
Breno de Medeiros
breno at google.com
Wed Dec 5 17:22:40 UTC 2012
On Wed, Dec 5, 2012 at 9:13 AM, Brian Campbell
<bcampbell at pingidentity.com> wrote:
> It was not intended as a personal flame and I apologize if it was
> interpreted that way. I was trying to request that you show others
> (myself in particular) the baseline level of respect of taking the
> time to understand a point of view before dismissing it in a terse and
> condescending way. Perhaps some of my frustration with the direction
> of this thread came though in the last message and I'm sorry for that.
Didn't mean to sound condescending but I knew this was an important
issue which I didn't want to get closed with the wrong outcome in my
view, and I couldn't find my notes to argue.
> The thread was originally intended to invoke a larger discussion on
> the security and interoperability considerations of treatment of the
> redirect_uri parameter. Actually, to be honest, I didn't think that
> any discussion was necessary but clearly I was wrong there.
> Clearly we see things differently here. I don't think the way OAuth2
> deals with redirect_uri parameter is so bad and I favor consistency
> between the two very closely related specification suites. If I
> understand correctly, you think it is bad enough to warrant different
> treatment of the same condition at the Connect layer. We disagree and
> I don't believe either view is demonstratively correct so I defer to
> the WG and editors to decide.
So one rationale for making it required is that you can't safely
support registration of multiple redirect_uri values otherwise. I hope
Tim's example was clear, but it works like this.
1. In step #1, developer registers a redirect_uri and launches a
service where the login is optional.
2. In step #2, developer decides to launch service on another uri
(maybe it's an experimental endpoint where they are trying new
3. In step #3, developer registers a second redirect_uri and causes a
global login service outage.
4. In step #4, developer has to go and plumb the redirect_uri
everywhere where they coded a request w/o it.
I don't think we can support multiple redirect_uri registration _and_
simultaneously make redirect_uri parameter optional while making the
spec hostile to implementors.
More information about the Openid-specs-ab