<div dir="ltr">I recommend “REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the redirect_uris registered for the client_id, with the matching performed as described in [RFC3986] section 6.2.1”<br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jun 7, 2013 at 11:39 AM, Mike Jones <span dir="ltr"><<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">So you’re advocating copying the definition in Messages to Standard and deleting the words “</span><span style="font-family:"Verdana","sans-serif"" lang="EN">the
Scheme, Host, and Path segments of</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">” from Registration, correct? If not, please supply alternative exact wording.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> -- Mike<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> John Bradley [mailto:<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>]
<br>
<b>Sent:</b> Friday, June 07, 2013 11:33 AM<br>
<b>To:</b> Tim Bray<br>
<b>Cc:</b> Mike Jones; <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a></span></p><div class="im"><br>
<b>Subject:</b> Re: [Openid-specs-ab] Inconsistency in redirect_uri definitions<u></u><u></u></div><p></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Google is comparing them as strings requiring an exact match as I understand it.<u></u><u></u></p><div><div class="h5">
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Anything other than an exact match of the the string of octets is likely to fail with some IdP. It would be nice to do URI to URI comparisons but that tends to have interoperability problems. From a security point of view Standard is
correct and should be copied to the other specs.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">From an interoperability point of view saying it is an exact match of the octets may save a bunch of interoperability issues,.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Pointing to RFC3986 for comparison rules saying we are not doing normalization and will perform a comparison of the UTF8 code-points to be more specific.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">John<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">On 2013-06-07, at 7:45 PM, Tim Bray <<a href="mailto:tbray@textuality.com" target="_blank">tbray@textuality.com</a>> wrote:<u></u><u></u></p>
</div>
<p class="MsoNormal"><br>
<br>
<u></u><u></u></p>
<div>
<p class="MsoNormal">When you say “match Standard” you mean referring to the enumeration of scheme/host/path/query, I assume. As opposed to the reference to dynamic client registration? BTW RFC3986 section 6.2 (<a href="http://tools.ietf.org/html/rfc3986#section-6.2" target="_blank">http://tools.ietf.org/html/rfc3986#section-6.2</a>)
has useful material on URI comparison. You could simply refer to 6.2.1 and omit the enumeration.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Fri, Jun 7, 2013 at 10:33 AM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<u></u><u></u></p>
<div>
<div>
<p class="MsoNormal">While working on the spelling and grammar check, I noticed the following in redirect_uri definitions. While I hate to bring this up while we’re trying to finish the Implementer’s
Drafts, this is potentially a recall-class issue, so I wanted to raise it now, rather than have it come up later.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Messages, Basic, and Implicit say:<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:.5in">
<span style="font-family:"Verdana","sans-serif"" lang="EN">redirect_uri</span><u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1.0in">
<span style="font-family:"Verdana","sans-serif"" lang="EN">REQUIRED. Redirection URI to which the response will be sent. This MUST be pre-registered with the OpenID Provider.
</span><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Standard says:<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:.5in">
<span style="font-family:"Verdana","sans-serif"" lang="EN">redirect_uri</span><u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1.0in">
<span style="font-family:"Verdana","sans-serif"" lang="EN">REQUIRED. Redirection URI to which the response will be sent. The Scheme, Host, Path, and Query Parameter segments of this URI MUST match one of the
</span><tt><span lang="EN">redirect_uris</span></tt><span style="font-family:"Verdana","sans-serif"" lang="EN"> registered for the
</span><tt><span lang="EN">client_id</span></tt><span style="font-family:"Verdana","sans-serif"" lang="EN"> in the OpenID Connect Dynamic Client Registration 1.0 [OpenID.Registration] specification.
</span><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Dynamic Registration says:<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:.5in">
<span style="font-family:"Verdana","sans-serif"" lang="EN">redirect_uris</span><u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1.0in">
<span style="font-family:"Verdana","sans-serif"" lang="EN">REQUIRED. Array of redirection URIs values used in the Authorization Code and Implicit grant types. One of these registered redirection URI values MUST match the Scheme, Host, and Path segments of the
</span><span style="font-family:"Courier New";color:#003366" lang="EN">redirect_uri</span><span style="font-family:"Verdana","sans-serif"" lang="EN"> parameter value used in each Authorization Request.
</span><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Should Messages, Basic, and Implicit be changed to match Standard? That’s my sense of the situation, but wanted to get others’ input before doing so.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> Thanks,<u></u><u></u></p>
<p class="MsoNormal"> -- Mike<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><u></u><u></u></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><u></u><u></u></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div></div></div>
</div>
</blockquote></div><br></div>