<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
tt
{mso-style-priority:99;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi Tim,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">To be clear, we’re not allowing OpenID Connect clients to leave out the redirect_uri. The specification still always requires that they be present.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">All this does is allow servers to choose not to treat a missing redirect_uri as an error, since some dual-purpose (Connect and other purposes) OAuth endpoints
want to allow this in the non-Connect case and it avoids special-case error handling for those servers.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">But a Connect client will still be required to include the redirect_uri and will likely fail with most servers (including, I assume, Google’s) if they don’t
include it.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Tim Bray [mailto:tbray@textuality.com]
<br>
<b>Sent:</b> Friday, December 07, 2012 7:57 AM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> Brian Campbell; <openid-specs-ab@lists.openid.net>; Naveen Agarwal<br>
<b>Subject:</b> Re: [Openid-specs-ab] Question to Google about redirect_uri parameter in authorization request<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">For the record, I disagree; It is *extremely* bad practice for an RP to leave out the redirect_uri, increasing the likelihood that your setup will suddenly break one morning because of an unrelated server-side
config change. Altering the spec to allow this misbehavior weakens the interoperability of the standard.
<br>
<br>
But I guess I’m in the minority here. -Tim<o:p></o:p></p>
<div>
<p class="MsoNormal">On Thu, Dec 6, 2012 at 9:44 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">OK – for the purposes of the pending update spec release, I’m going to update the specs to be internally
consistent and require clients to send the redirect_uri value. But I’ll also make it clear that servers may choose not to trigger an error when a request is received without a redirect_uri and there is exactly one registered redirect_uri value. (Credit to
John Bradley for this idea.) That way, conforming clients will always send it but servers that are looser with this behavior for other OAuth requests can continue to be loose in that way with OpenID Connect requests as well.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks all for the good discussion.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> -- Mike</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Brian Campbell [mailto:<a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a>]
<br>
<b>Sent:</b> Thursday, December 06, 2012 2:19 PM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> Breno de Medeiros; <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>>; Naveen Agarwal<br>
<b>Subject:</b> Re: [Openid-specs-ab] Question to Google about redirect_uri parameter in authorization request</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Sorry for the slow response. Responses inline.<o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Wed, Dec 5, 2012 at 5:50 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Brian, is the current inconsistency within the Connect specs that you've identified in this sentence in
<a href="http://openid.net/specs/openid-connect-standard-1_0.html#anchor9" target="_blank">
http://openid.net/specs/openid-connect-standard-1_0.html#anchor9</a>: "Ensure that the redirect_uri parameter is present if the redirect_uri parameter was included in the initial Authorization Request and that their values are identical for the Scheme, Host,
Path, and Query Parameter segments"? If the phrase "if the redirect_uri parameter was included in the initial Authorization Request"<span style="color:red"> were deleted</span>, would the Connect specs then be self-consistent, in your view?<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br>
As far as it's requiredness on the authorization and token requests, I think that would do it (with a little wordsmithing on that statement anyway). Looking at all the places I referenced in the ticket, I thought it was a mistake and I guess I was really
expecting it would be changed to optional. *Sigh* <br>
<br>
<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt">Or are you also concerned that this language in
<a href="http://openid.net/specs/openid-connect-registration-1_0.html#anchor3" target="_blank">
http://openid.net/specs/openid-connect-registration-1_0.html#anchor3</a> would be inconsistent: "redirect_uris - RECOMMENDED for Clients using the code flow with a query parameter encoded response. REQUIRED for Clients requesting implicit flow fragment encoded
responses as defined in OAuth 2.0 [OAuth2.0]. A space-delimited list of redirect URIs. One of the URL MUST match the Scheme, Host, and Path segments of the redirect_uri in the authorization request."? Or do people also believe that registering redirect_uris
should always be REQUIRED?<o:p></o:p></p>
</blockquote>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br>
I don't know the reasoning for having it that way so can't really comment on if registering redirect_uris should always be required. It is maybe a little awkward that it's sort of optional there in registration but text like "The Scheme, Host, Path, and Query
Parameter segments of this URI MUST match one of the <tt><span style="font-size:10.0pt">redirect_uris</span></tt> registered for the
<tt><span style="font-size:10.0pt">client_id</span></tt> in the <a href="http://openid.net/specs/openid-connect-standard-1_0.html#OpenID.Registration" target="_blank">
OpenID Connect Dynamic Client Registration 1.0</a> [OpenID.Registration] specification." from
<a href="http://openid.net/specs/openid-connect-standard-1_0.html#rf_prep" target="_blank">
http://openid.net/specs/openid-connect-standard-1_0.html#rf_prep</a> sort of read as though a client will always have uris registered. That text also could potentially be interpreted as a hard dependency of standard on dynamic registration but maybe I'm being
too nit-picky...<br>
<br>
<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> Thanks all,<br>
-- Mike<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>