IETF Logo Mail Archive

[OAUTH-WG] Redirection URI and Implicit grant

Eran Hammer-Lahav <eran@hueniverse.com> Wed, 15 June 2011 19:38 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F89421F8673 for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 12:38:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.519
X-Spam-Level:
X-Spam-Status: No, score=-2.519 tagged_above=-999 required=5 tests=[AWL=0.079, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5o8Ske9e2j4w for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 12:38:21 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id 30AA721F866B for <oauth@ietf.org>; Wed, 15 Jun 2011 12:38:21 -0700 (PDT)
Received: (qmail 7635 invoked from network); 15 Jun 2011 19:38:16 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 15 Jun 2011 19:38:16 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Wed, 15 Jun 2011 12:38:15 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Date: Wed, 15 Jun 2011 12:37:54 -0700
Thread-Topic: Redirection URI and Implicit grant
Thread-Index: AcwrkXd5SBig2F1wTQuL6ojuGIKt8w==
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234475E986B71@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E7234475E986B71P3PW5EX1MB01E_"
MIME-Version: 1.0
Subject: [OAUTH-WG] Redirection URI and Implicit grant
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2011 19:38:23 -0000

This is coming from recent experience building a full web service and multiple clients using OAuth 2.0. I am going to make these changes to my own implementation and would like to raise the questions here and discuss possible changes.

A few questions:

1. Why not require the registration of a redirection URI for implicit grant requests, removing the redirect_uri parameter completely from the request (the client can still use the state parameter)?

2. What is the value of the client_id when a redirection URI is not pre-registered? The client identity cannot be verified without other means for the purpose of informing the user who is asking for access, no refresh token is issued, and the redirect_uri parameter contains the only useful information for both the flow and identifying the client (to the extent it can be trusted not to be an open redirector).

3. Are there real use cases for performing redirection URI matching against a pre-registered value, where partial (i.e. not string) comparison is needed? Why can't this be solved by simply using any URI variations into the state parameter?

Changes I would like to see:

The implicit grant should be split into 2 flavors (can be given different grant type name or just using normative language to define the restrictions), one with client_id and state, and one with redirect_uri only.

Registered client: the client request token response type by including its client identifier and optional state parameter. No redirect_uri is allowed. The authorization server will be able to inform the user about the client identity, where the token will be sent (the domain of the registered URI, if the server can verify if the endpoint is not an open redirector), and prevent others from hijacking the client identifier for their own application. The exception is when using custom URI schemes which other applications can hijack on the local operating system (but that's the least of our concern if a native application is doing bad things).

Unregistered client: the client request token response type by including a redirection URI (no client_id or state). The authorization server may require registration of the redirection URI for the purpose of accepting terms of service, but not issue an client identifier which is useless without a registered redirection URI. This way, the operator of example.com can go to the authorization server and ask to enable issuing tokens to requests with callbacks at example.com, in case the authorization server requires some legal contracts before sharing data.

EHL

v2.23.0 | Report a Bug | By Email