[OAUTH-WG] PAR error for redirect URI?

Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> Thu, 03 December 2020 11:49 UTC

Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 7B0573A07B3 for <oauth@ietfa.amsl.com>; Thu, 3 Dec 2020 03:49:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id A4HiOBFCU6Zj for <oauth@ietfa.amsl.com>; Thu, 3 Dec 2020 03:49:27 -0800 (PST)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C2873A0769 for <oauth@ietf.org>; Thu, 3 Dec 2020 03:49:27 -0800 (PST)
Received: by mail-lf1-x135.google.com with SMTP id u18so2260469lfd.9 for <oauth@ietf.org>; Thu, 03 Dec 2020 03:49:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=aEmswWxW8lZW9BgkupyraOZtjFRYupq1YMH/JQgEghQ=; b=aHzmP47CJpCbRHfXrqZpwP2TL/Tss3yBVliV9zV0bgggGp2GIXdeQDQyMn8ds/lf30 lhIAlJdWfH+YoOQxGuMxHoy47lJ0HITQp0gdcWhZiZyG5pPPamKpMhhRKJ2NnnStbjSL WZkwKu51Lg+HJSkwKnRpopUfRQXWCLiwg7DmzAja0m3N2tSqmeMtCrmWzMbAMB4hg/Rb UPHrxp2C3gwO5Kbu+O1/qT8FZBq2zX5/NJNODHruc36KzVXPI8hdZ0bmLNM+6ptdfBrx NCS7awGP/XqCa/B/N/rmUnpqkgDnXFrAoEPe4AIl0dVIqiYdNXh2PCbSBty45AQxPvIb aD7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=aEmswWxW8lZW9BgkupyraOZtjFRYupq1YMH/JQgEghQ=; b=WAhtccv4cpHSrYQxvtW1QDoOvdGNQ353K6YS76tpD/oCm+1i/lscoIa7N9GvnvufKM 63W8MkCFVH7QOODAPPcJTkjqPY8pAPHA/Cq9Nux9UyD4+7KJsXQbZ5b7OTc3mOF5LIx6 HsW6l8Rc7jxyF47D2Ek3znHZbiMsk3bcmB850IJErITBUE+xSBbM9ypBv3BObfaxziGZ qdeIQTmNcZttFFzYTMTR0YMWJrMkFXv8quxby2Fa2b8Cy0EfcUxYM6yjNxm1Y8PRgoBW Oy4PprYszQr7kCZfx5OBFFvvB8vwYwVyHuiFlfNhjQ0ELRHWZCy2vphqIanjJNSuvJB0 CZLQ==
X-Gm-Message-State: AOAM531yvcEHK2Q2hF8WeRdOs1hNKouLoJkdG4O8bBBNaHtZa7EoXs6h s38hikC9r6gce8IVKOQVUGwHLBsYZUnTf4cdL7M=
X-Google-Smtp-Source: ABdhPJy0nxgNEMA3qX8g18kEXTW+lHwoTmkDX4pdCwsitNXJF6YIG6/zdpky/6ASCgphJIZ6X9HkkZq90U0fuf0ObYI=
X-Received: by 2002:a19:8405:: with SMTP id g5mr1193434lfd.360.1606996165193; Thu, 03 Dec 2020 03:49:25 -0800 (PST)
MIME-Version: 1.0
Received: by 2002:a19:4c5:0:0:0:0:0 with HTTP; Thu, 3 Dec 2020 03:49:24 -0800 (PST)
In-Reply-To: <CALAqi_9ewvmUUJNzXMU2JUU9eSVwwjGQMe7mCva=WFrA1JME9g@mail.gmail.com>
References: <CA+k3eCQitAWnHaw2zz0jwyjHxWPYe0VPct1Op1T13BVhydkXDQ@mail.gmail.com> <CALAqi__ncGQgbunhunmaCrtUsAe-v+HnLWZM2Ca5VWarUr2Y=w@mail.gmail.com> <CDA006E7-8D4F-49AF-9C68-3BCEEFCFA687@lodderstedt.net> <CALAqi_9ewvmUUJNzXMU2JUU9eSVwwjGQMe7mCva=WFrA1JME9g@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Thu, 03 Dec 2020 06:49:24 -0500
Message-ID: <CADNypP9VniF0SBDSo+ZvwX7kYcmn_H6Vv2LvRZiwZwADG1Foxw@mail.gmail.com>
To: Filip Skokan <panva.ip@gmail.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000094f3d105b58df3b7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8AVR6cx0N-_tgrpxtfy2Wrmtsu8>
Subject: [OAUTH-WG] PAR error for redirect URI?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 11:49:30 -0000

Torsten, Filip,

You can absolutely make this change, as we are still very early in the
So feel free to continue this effort and try to get WG agreement on this,
and update the document as needed.


On Thursday, December 3, 2020, Filip Skokan <panva.ip@gmail.com> wrote:

> To be clear, I'm not advocating to skip the registration, just wanted to
> mention a potential concern. If the process allows it and it will not
> introduce more delay to publication, I think we should go ahead and
> register the error code.
> Best,
> *Filip*
> On Thu, 3 Dec 2020 at 11:06, Torsten Lodderstedt <torsten@lodderstedt.net>
> wrote:
>> > Am 03.12.2020 um 09:56 schrieb Filip Skokan <panva.ip@gmail.com>:
>> >
>> > There are several documents already mentioning "invalid_redirect_uri"
>> as an error code, specifically RFC7519 and OpenID Connect Dynamic Client
>> Registration 1.0. But these don't register it in the IANA OAuth Extensions
>> Error Registry, presumably because they're neither for the authorization or
>> token endpoints.
>> >
>> > While I think it'd be great if we had this error code registered, I
>> also worry that its registration could confuse implementers to think it's
>> okay to return it from the authorization endpoint.
>> I understand your concern. On the other hand, registering the error code
>> is in my opinion the proper way forward. The registration is scoped to a
>> usage location, should be pushed authorization endpoint then, and RFC6749
>> gives clear guidance on how to treat errors related to the redirect URI at
>> the authorization endpoint.
>> "If the request fails due to a missing, invalid, or mismatching
>>    redirection URI, … authorization server ... MUST NOT automatically
>> redirect the user-agent to the
>>    invalid redirection URI."
>> I think if an implementor ignores this, it will ignore any advise.
>> best regards,
>> Torsten.
>> >
>> > Best,
>> > Filip
>> >
>> >
>> > On Thu, 3 Dec 2020 at 00:29, Brian Campbell <bcampbell=
>> 40pingidentity.com@dmarc.ietf.org> wrote:
>> > During the course of a recent OIDF FAPI WG discussion (the FAPI
>> profiles use PAR for authz requests) on this issue it was noted that
>> there's no specific error code for problems with the redirect_uri (the
>> example in https://www.ietf.org/archive/id/draft-ietf-oauth-par-04.html
>> #section-2.3 even shows a general error code with mention of the
>> redirect_uri not being valid in the error description). Some folks on that
>> call thought it would be worthwhile to have a more specific error code for
>> an invalid redirect_uri and I reluctantly took an action item to raise the
>> issue here. At the time I'd forgotten that PAR had already passed WGLC. But
>> it's been sitting idle while awaiting the shepherd writeup since mid
>> September so it's maybe realistic to think the window for a small change is
>> still open.
>> >
>> > Presumably nothing like an "invalid_redirect_uri" error code was
>> defined in RFC 6749 because that class of errors could not be returned to
>> the client via redirection. But the data flow in PAR would allow for a
>> "invalid_redirect_uri" so it's not an unreasonable thing to do.
>> >
>> > As I write this message, however, I'm not personally convinced that
>> it's worth making a change to PAR at this point. But I did say I'd bring
>> the question up in the WG list and I'm just trying to be true to my word.
>> So here it is. Please weigh in, if you have opinions on the matter.
>> >
>> >
>> >
>> > CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you._______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.google.com/url?q=https://www.ietf.org/mailman/li
>> stinfo/oauth&source=gmail-imap&ust=1607590629000000&usg=AOvV
>> aw3aW1gdv4EEiLmNYzlsJj-A