Re: [OAUTH-WG] OAuth v2-18 comment on "state" parameter

Eliot Lear <lear@cisco.com> Sun, 17 July 2011 09:49 UTC

Message-ID: <4E22B021.7080009@cisco.com>
Date: Sun, 17 Jul 2011 11:49:21 +0200
From: Eliot Lear <lear@cisco.com>
To: Bob Van Zant <bob@veznat.com>
References: <CADrOfLJSd8Z=QfCcGUdFBU314rmjv9-u25Vta+ObXfNAwoA06w@mail.gmail.com>
In-Reply-To: <CADrOfLJSd8Z=QfCcGUdFBU314rmjv9-u25Vta+ObXfNAwoA06w@mail.gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth v2-18 comment on "state" parameter

Bob,

Just on this one point:

On 7/15/11 5:35 PM, Bob Van Zant wrote:
> The spec says that the value is opaque and that
> I need to accept, store, and reply with exactly what the client sent
> me.

Where does it actually require you to "store" the "state" contents
beyond the point where you issue your reply?

One other point: if the redirection_uri can have fragments and can be
provided, why is state necessary?

Eliot
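The mechanics behind the two questions above, as an added example that is not part of this thread or of any OAuth implementation: the client mints "state", binds it to the user's session and checks it on the callback, while the authorization server only copies the opaque value verbatim into the redirect and keeps nothing afterwards. Endpoint URLs, client_id and the session dict are assumed.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# --- Client side: generate state, bind it to the session, verify on return ---

def client_begin(session: dict, authorize_endpoint: str,
                 client_id: str, redirect_uri: str) -> str:
    """Mint an unguessable state, remember it in the session, and build
    the authorization request URL that sends it to the server."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return f"{authorize_endpoint}?{urlencode(params)}"

def extract_state(url: str) -> Optional[str]:
    """Return the decoded 'state' query value of a URL, or None if absent."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]

def client_callback(session: dict, callback_url: str) -> Optional[str]:
    """Accept the redirect only if the echoed state matches the one bound
    to this session (one-time use); return the code, or None on mismatch."""
    expected = session.pop("oauth_state", None)   # consumed on first use
    received = extract_state(callback_url)
    if expected is None or received is None:
        return None
    if not hmac.compare_digest(expected, received):
        return None
    return parse_qs(urlparse(callback_url).query).get("code", [None])[0]

# --- Authorization server side: state is opaque and merely echoed back ---

def server_redirect(redirect_uri: str, code: str,
                    state: Optional[str]) -> str:
    """Build the redirect back to the client. The state value is copied
    exactly as received and nothing about it is retained after this."""
    params = {"code": code}
    if state is not None:
        params["state"] = state   # no interpretation, no server-side storage
    return f"{redirect_uri}?{urlencode(params)}"
```

The session-bound check is what lets the client reject a redirect whose state was not issued for this user, which is the point the opaque round-trip serves.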