[Openid-specs-ab] Question to Google about redirect_uri parameter in authorization request

Tim Bray tbray at textuality.com
Wed Dec 5 17:05:41 UTC 2012


On Wed, Dec 5, 2012 at 8:07 AM, Brian Campbell
<bcampbell at pingidentity.com>wrote:

> > You don't have interoperability with OAuth2.
>
> Please spare that hyperbole for personal blog posts attacking the
> evils of big corporate America. It's a crutch argument that's largely
> untrue and any interoperability problems that OAuth 2 might suffer are
> certainly not due to the conditional optionality of one request
> parameter.
>

Calm down.  It is absolutely the case that OAuth2, for all its virtues,
does not give you interoperability in the sense that “If I protect my
resources in an OAuth2 comformant way and you protect yours in an OAuth2
conformant way, then conformant client software will automatically work
with both.”  That kind of thing is true with HTTP, and with SMTP, and with
lots of other ****P’s, but not remotely OAuth 2.0.  I’m not even sure this
is a problem, OAuth2 gives you a framework that you can build real
interoperable protocols on, which I think OIDC is trying to be.

So, for OIDC, it is very valuable to remove as many as possible variations
and at-the-discretion-of-the-server clauses, if there is to be a reasonable
hope of good interoperability.  Every “if” statement you force on
implementers is a barrier to that.

For example: Send a redirect_uri with your auth request, then you don’t
have to worry about breaking things when someone puts another redirect in
the app registration to do some testing on their laptop. Seems like a
no-brainer to me.

-T



> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20121205/d35d0a37/attachment-0001.html>


More information about the Openid-specs-ab mailing list