Re: [OAUTH-WG] Strict equality matching of redirect_uri

Brian Eaton <> Mon, 17 May 2010 17:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A4B5A3A69D8 for <>; Mon, 17 May 2010 10:49:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -104.468
X-Spam-Status: No, score=-104.468 tagged_above=-999 required=5 tests=[AWL=-1.091, BAYES_50=0.001, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MOQ3sOzQV+ra for <>; Mon, 17 May 2010 10:49:43 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 88D9B3A68DC for <>; Mon, 17 May 2010 10:49:43 -0700 (PDT)
Received: from ( []) by with ESMTP id o4HHnYvf009258 for <>; Mon, 17 May 2010 10:49:34 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;; s=beta; t=1274118575; bh=uUaqrYdteQPYqK3+wbQMyv/CHvw=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type:Content-Transfer-Encoding; b=Q+/YXXnErd+IREYTV0yY728uaJQrJAaT0lF0E4oPsVFMObDAI4K+Ac7dLsGdvSbPx 9tD+2mSjnjMKy40FBhNUw==
DomainKey-Signature: a=rsa-sha1; s=beta;; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:content-transfer-encoding:x-system-of-record; b=ZsihNcXbUVG9lW+oTH9C0K+b6qu8LociRxiGx7u8TYWnfkjf9A/RhoXclR84dfJ26 1iBI3XRQjAuS92YSLcKAA==
Received: from pxi8 ( []) by with ESMTP id o4HHnA5G005885 for <>; Mon, 17 May 2010 10:49:33 -0700
Received: by pxi8 with SMTP id 8so2375260pxi.16 for <>; Mon, 17 May 2010 10:49:33 -0700 (PDT)
MIME-Version: 1.0
Received: by with SMTP id y19mr3656951wfi.259.1274118573314; Mon, 17 May 2010 10:49:33 -0700 (PDT)
Received: by with HTTP; Mon, 17 May 2010 10:49:33 -0700 (PDT)
In-Reply-To: <>
References: <> <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E24@P3PW5EX1MB01.EX1.SECURESERVER.NET> <> <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E37@P3PW5EX1MB01.EX1.SECURESERVER.NET> <> <> <> <> <>
Date: Mon, 17 May 2010 10:49:33 -0700
Message-ID: <>
From: Brian Eaton <>
To: Dick Hardt <>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: "OAuth WG \(\)" <>
Subject: Re: [OAUTH-WG] Strict equality matching of redirect_uri
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 17 May 2010 17:49:44 -0000

On Sun, May 16, 2010 at 11:20 AM, Dick Hardt <> wrote:
> If the matching is left to an arbitrary, server defined algorithm, we lose
> interop since a client implementation may make assumptions on what may be
> allowed in the redirect_uri at one AS and then not be able to work with
> another AS that is more restrictive.
> As this is a security feature, I'd like to hear the options from the
> security oriented participants with experience here.
> Allen / Brian?

We can do a session at IIW on this if people want.  There are a few
different use-cases to consider:

- installed applications using the js profile or the web app profile
   It doesn't matter what you do, you can't authenticate the installed
application.  My recommendation here is to do something like what
we've done with OAuth for installed apps [1].

- registered web apps with a secure client-secret
  You can allow *any* callback URL on the redirect.
  The callback URL is authenticated using the client-secret.
  We should all do strict equality matching when exchanging the
verification code for refresh token and access token.

- js profile, or web app profile where you don't completely trust the
registration or the security of the client-secret
  We've got lots of service-provider specific behavior here.
Unfortunately most service providers don't seem to be willing to
change (or in some cases even document) what they are doing.  So we're
doomed unless we can get consensus from service providers that there
needs to be consensus. =)

Logic I've seen includes:
- regular expressions
- any callback URL on the fully-qualified hostname
- any callback URL on a domain name.
- fixed callback URL path, arbitrary callback URL query
- fixed callback URL path, fixed callback URL query, one query
parameter (wrap_state, or whatever we called it =) allowed to vary
- any callback URL path under a particular directory

I tried to summarize the risks in the security considerations I wrote
up a few weeks ago.  Check out the section on "Authentication
Techniques" and "Web App Delegation Profile - Security