Re: [OAUTH-WG] requirement of redirect_uri in access token requests
Brian Eaton <beaton@google.com> Sat, 30 April 2011 21:29 UTC
Return-Path: <beaton@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10B07E06E6 for <oauth@ietfa.amsl.com>; Sat, 30 Apr 2011 14:29:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.976
X-Spam-Level:
X-Spam-Status: No, score=-105.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8vh0lPUfqMWp for <oauth@ietfa.amsl.com>; Sat, 30 Apr 2011 14:29:34 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by ietfa.amsl.com (Postfix) with ESMTP id 508B3E0694 for <oauth@ietf.org>; Sat, 30 Apr 2011 14:29:34 -0700 (PDT)
Received: from kpbe18.cbf.corp.google.com (kpbe18.cbf.corp.google.com [172.25.105.82]) by smtp-out.google.com with ESMTP id p3ULTXsi015428 for <oauth@ietf.org>; Sat, 30 Apr 2011 14:29:33 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1304198973; bh=woFMEnpXf9/s27jsp37AWi1EpdE=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=bgESEvWD1oeuh52zCXW9oDIAQ261kr5iEOuSVO8mY98jO6O6JwQ/s5xdgpXhIutC+ pwDeKYyX0UF7qS0T9s6Ww==
Received: from pvc30 (pvc30.prod.google.com [10.241.209.158]) by kpbe18.cbf.corp.google.com with ESMTP id p3ULTVXc026371 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <oauth@ietf.org>; Sat, 30 Apr 2011 14:29:32 -0700
Received: by pvc30 with SMTP id 30so3137308pvc.20 for <oauth@ietf.org>; Sat, 30 Apr 2011 14:29:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=ZYcumefw/7S/tXP9tNAOuSqPa9mXwjZC8R7p2ttxHKA=; b=kkKksefqnCTXfU3LOTKqR3HpqTg2GFhfA1wBfhbgkS7GCkJCaorcChn1ov8iDfXj7i x3ok4Y3hn14Kg1gWUwUw==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=B7meJWGM8QaCdal/TvtXyJEZ1bgRAXBBxTZyHtP/BOVSMYCBJd/h1rFJy/Sa5cg/pL /50MJOUfuLJEoGV8t6QQ==
MIME-Version: 1.0
Received: by 10.142.128.21 with SMTP id a21mr2549096wfd.38.1304198969644; Sat, 30 Apr 2011 14:29:29 -0700 (PDT)
Received: by 10.142.14.2 with HTTP; Sat, 30 Apr 2011 14:29:29 -0700 (PDT)
In-Reply-To: <BANLkTinLODGc4sK+pwg9iLqMHkakj-vYNg@mail.gmail.com>
References: <BANLkTinLODGc4sK+pwg9iLqMHkakj-vYNg@mail.gmail.com>
Date: Sat, 30 Apr 2011 14:29:29 -0700
Message-ID: <BANLkTi=HKhPnxRpqg6XyqCG0pePg3CVs9A@mail.gmail.com>
From: Brian Eaton <beaton@google.com>
To: Doug Tangren <d.tangren@gmail.com>
Content-Type: multipart/alternative; boundary="000e0cd331d44d589a04a2297c68"
X-System-Of-Record: true
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] requirement of redirect_uri in access token requests
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Apr 2011 21:29:35 -0000
On Fri, Apr 29, 2011 at 11:21 AM, Doug Tangren <d.tangren@gmail.com> wrote: > Is this required or not? In the example > http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-3.1 it's listed > in the example but not itemized as optional or required. It's not in the > example for refreshing tokens > http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-6 though that > section links back to section 3.1 which does use a redirect_uri in the > example. > > Should the redirect_uri be a requirement for client authentication or is it > optional? > It should be required when exchanging an authorization code for a refresh token. This provides a defense against authorization codes which have leaked due to open redirectors. It should not be present under other circumstances.
- [OAUTH-WG] requirement of redirect_uri in access … Doug Tangren
- Re: [OAUTH-WG] requirement of redirect_uri in acc… Brian Eaton
- Re: [OAUTH-WG] requirement of redirect_uri in acc… Freeman, Tim
- Re: [OAUTH-WG] requirement of redirect_uri in acc… Brian Eaton