Re: [OAUTH-WG] PAR error for redirect URI?

Torsten Lodderstedt <> Thu, 03 December 2020 10:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DE1443A0E13 for <>; Thu, 3 Dec 2020 02:06:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VFcm5KvjE5gl for <>; Thu, 3 Dec 2020 02:06:41 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::631]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D158B3A011B for <>; Thu, 3 Dec 2020 02:06:40 -0800 (PST)
Received: by with SMTP id n26so2582648eju.6 for <>; Thu, 03 Dec 2020 02:06:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=kLO8+46tAWVR5pH910Eaoso8EHxFm6uYSSorb57ZBdc=; b=vMCsrWOgeSsXwV3/akljUVvrMdOgOcqboy+4CXkwCRuABA8G7j5PgtmPRsM324D155 ZL2CROChrZwDxQJyvyDLF5cxtr7mpo2xhs70b9J2nw3yU47h5eK80V68P32DdCnV4LYB jH3TnhT4FZ4wjKf1Y5jZnmEUPDmTlqy6Lwtqumsnzu9eITLo7SQaN17KTkespDAuvYkH Zvo0y9r8XE2QNkLOq5lPuiV/P59noIRaWouJq6/nJGto7srf3C5J9yYgbAE9vsr+A9H/ EaA3MBMOMPiXMD/7PomXepjYrtXKGVUh1Pbd+I0FNwJymFzHvgW+Jz0ZM0A/u2dByXBQ Bp+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=kLO8+46tAWVR5pH910Eaoso8EHxFm6uYSSorb57ZBdc=; b=Nat0ckglyJzGFVX+Udsc68Fptyz3zfZwTsb53ddqSwNQI63zfl1XLln29kbC9ImbMA tE8WwDSaNeLrhE0pbwIOTbT4e3nJcNJvVB3tbLiLs601dWPhya0cU03fWr5XltbRbaLa 3E5FBu+A6hzgdIy3y0sS5Viw9qmSf/zxfgky036nXXdhUVlA3ztrrFPuto8vdepzOD27 BMhqB6VjuRaoZ0nEo2hLtuUPIRjNZZKIeueb/96LNzTK9el1foO0llLbeXawuCe91pud AVuRrfZxHAghJ7cjC0Iwc3hB/ysFeWcnBKCwOsddAMs0oLX0j4Ayegr9kq1upybv+H15 Ufag==
X-Gm-Message-State: AOAM531VGtgAOn3cmyizFzVLh5E9dGxSKi38nvyb5gG7Fzzj/deefLi0 RCedshG6Leq1eyeqrS2BQTVZk2WuiMrdYQ==
X-Google-Smtp-Source: ABdhPJzM/Cz7+9PH25Y5xsofECHoRSFocpir6l5XeEXZn1AIJq5yzycPQZwvlN2RBR3dtRSiHgBPcw==
X-Received: by 2002:a17:906:16da:: with SMTP id t26mr1767634ejd.478.1606989999027; Thu, 03 Dec 2020 02:06:39 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id u3sm471358eje.33.2020. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 03 Dec 2020 02:06:38 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
From: Torsten Lodderstedt <>
In-Reply-To: <>
Date: Thu, 03 Dec 2020 11:06:36 +0100
Cc: Brian Campbell <>, oauth <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <>
To: Filip Skokan <>
X-Mailer: Apple Mail (2.3654.
Archived-At: <>
Subject: Re: [OAUTH-WG] PAR error for redirect URI?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 03 Dec 2020 10:06:43 -0000

> Am 03.12.2020 um 09:56 schrieb Filip Skokan <>:
> There are several documents already mentioning "invalid_redirect_uri" as an error code, specifically RFC7519 and OpenID Connect Dynamic Client Registration 1.0. But these don't register it in the IANA OAuth Extensions Error Registry, presumably because they're neither for the authorization or token endpoints.
> While I think it'd be great if we had this error code registered, I also worry that its registration could confuse implementers to think it's okay to return it from the authorization endpoint.

I understand your concern. On the other hand, registering the error code is in my opinion the proper way forward. The registration is scoped to a usage location, should be pushed authorization endpoint then, and RFC6749 gives clear guidance on how to treat errors related to the redirect URI at the authorization endpoint. 

"If the request fails due to a missing, invalid, or mismatching
   redirection URI, … authorization server ... MUST NOT automatically redirect the user-agent to the
   invalid redirection URI."

I think if an implementor ignores this, it will ignore any advise.

best regards,

> Best,
> Filip
> On Thu, 3 Dec 2020 at 00:29, Brian Campbell <> wrote:
> During the course of a recent OIDF FAPI WG discussion (the FAPI profiles use PAR for authz requests) on this issue it was noted that there's no specific error code for problems with the redirect_uri (the example in even shows a general error code with mention of the redirect_uri not being valid in the error description). Some folks on that call thought it would be worthwhile to have a more specific error code for an invalid redirect_uri and I reluctantly took an action item to raise the issue here. At the time I'd forgotten that PAR had already passed WGLC. But it's been sitting idle while awaiting the shepherd writeup since mid September so it's maybe realistic to think the window for a small change is still open.
> Presumably nothing like an "invalid_redirect_uri" error code was defined in RFC 6749 because that class of errors could not be returned to the client via redirection. But the data flow in PAR would allow for a "invalid_redirect_uri" so it's not an unreasonable thing to do. 
> As I write this message, however, I'm not personally convinced that it's worth making a change to PAR at this point. But I did say I'd bring the question up in the WG list and I'm just trying to be true to my word. So here it is. Please weigh in, if you have opinions on the matter. 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
> OAuth mailing list
> _______________________________________________
> OAuth mailing list