[Openid-specs-fapi] [Bitbucket] Pull request #42: Part 2: Require redirect_uri to be inside signed request object (openid/fapi)
pullrequests-reply at bitbucket.org
Sun Jan 21 09:57:00 UTC 2018
Joseph Heenan created pull request #42:
Part 2: Require redirect_uri to be inside signed request object<https://bitbucket.org/openid/fapi/pull-requests/42/part-2-require-redirect_uri-to-be-inside>
fixes #128<https://bitbucket.org/openid/fapi/issues/128/redirect_uri-in-url-query-vs-request> (or at least fixes the only part it seems we can current fix)
This should help mitigate any attacks that require changing the redirect_uri.
The redirect_uri appears to still be required as a parameter outside the request object for compliance with the current underlying OAuth RFC (although my personal opinion is that this is not clearly stated in the specifications).
The OIDC Core spec is already clear on behaviour in the case where redirect_uri is present in both location:
"When the request parameter is used, the OpenID Connect request parameter values contained in the JWT supersede those passed using the OAuth 2.0 request syntax."
Author Commit Message Date
[josephheenan] Joseph Heenan cbb9768<https://bitbucket.org/josephheenan/fapi/commits/cbb97689d05ce7407a800870e4b6d907cdfac016> Part 2: Require redirect_uri to be inside signed request object
21 Jan 2018
View this pull request<https://bitbucket.org/openid/fapi/pull-requests/42/part-2-require-redirect_uri-to-be-inside> or add a comment by replying to this email.
Unsubscribe from pull request emails<https://bitbucket.org/openid/fapi/pull-requests/42/unsubscribe/openid/45f9b421bad3d53a207aedcac31f7c480c8119dd/> for this repository. [Bitbucket] <https://bitbucket.org>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-fapi