Re: [OAUTH-WG] Redirect URIs in draft-ietf-oauth-security-topics

Brian Campbell <bcampbell@pingidentity.com> Mon, 11 May 2020 18:45 UTC

References: <CAGBSGjr7o2av2cCBegT9kZLuszH26NvLHv6WbKL5SDVvQAhu_A@mail.gmail.com>
In-Reply-To: <CAGBSGjr7o2av2cCBegT9kZLuszH26NvLHv6WbKL5SDVvQAhu_A@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 11 May 2020 12:43:44 -0600
Message-ID: <CA+k3eCQuOAGkUCCZ-xjSJe5j4z_q3VAqpw7aPUy+41mvQmzPYQ@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Cc: OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FCyLxmtxRL8K002jNjY1dcovY_o>

I suspect it was an unintentional oversight in the Security BCP and that it
should be updated to allow for it.

On Mon, May 11, 2020 at 10:03 AM Aaron Parecki <aaron@parecki.com> wrote:

> The Security BCP has pretty clear language around requiring exact matching
> of redirect URIs now.
>
>
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1
>
> However the Native Apps BCP has an exception for localhost URIs to allow
> variable ports.
>
> https://tools.ietf.org/html/rfc8252#section-7.3
>
> Is the intention of the Security BCP to also prevent that use case?
>
> If so, it should probably be spelled out explicitly, since there is
> currently no mention of this. If not, then that exception should also be
> repeated in the Security BCP, since it is currently somewhat ambiguous
> whether the exception in the Native Apps BCP is still allowed.
>
> Aaron Parecki

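As an added illustration (not code from this thread, from the Security BCP or from RFC 8252), here is what an authorization server's redirect_uri check looks like when it follows both documents at once: plain string comparison against the registered redirect URIs, with the one exception that RFC 8252 section 7.3 describes, namely that a loopback-interface redirect URI (http to 127.0.0.1 or [::1]) may carry any port, because a native client binds an ephemeral port at request time. The function names, the sample registered URIs and the decision to give the hostname "localhost" no exception (RFC 8252 section 8.3 says its use is NOT RECOMMENDED) are this example's own assumptions.

```python
"""Exact redirect_uri matching with the RFC 8252 section 7.3 loopback exception.

Added example, not code from the OAuth WG thread or from either BCP.
Behaviour implemented:
  1. The requested redirect_uri must equal one of the registered URIs
     character for character (no prefix, wildcard or pattern matching).
  2. Only for http URIs whose host is a loopback IP literal is the port
     ignored; scheme, host, path, query and fragment must still match.
"""
from urllib.parse import urlsplit

# Hosts eligible for the variable-port exception, as RFC 8252 7.3 words it:
# loopback IP literals only. The hostname "localhost" is deliberately not
# listed here (RFC 8252 8.3: NOT RECOMMENDED); that is this example's choice.
LOOPBACK_HOSTS = frozenset({"127.0.0.1", "::1"})


def _is_loopback_http(uri: str) -> bool:
    """True when `uri` is an http URI addressed to a loopback IP literal."""
    parts = urlsplit(uri)  # .hostname is lowercased and has [] stripped
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


def _without_port(uri: str) -> tuple:
    """Every component of `uri` except the port, for loopback comparison."""
    p = urlsplit(uri)
    return (p.scheme, p.username, p.password, p.hostname,
            p.path, p.query, p.fragment)


def redirect_uri_allowed(registered: list[str], requested: str) -> bool:
    """Decide whether `requested` may be used as the redirect_uri.

    `registered` is the client's list of registered redirect URIs as stored
    by the authorization server (constructed sample data in the demo below).
    """
    # Rule 1: exact string match, as the Security BCP requires.
    if requested in registered:
        return True
    # Rule 2: the loopback exception. Malformed URIs (e.g. an unterminated
    # IPv6 literal) make urlsplit raise ValueError; treat those as rejected.
    try:
        if not _is_loopback_http(requested):
            return False
        wanted = _without_port(requested)
        return any(_is_loopback_http(r) and _without_port(r) == wanted
                   for r in registered)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample registration for one native client.
    registered = ["https://app.example/cb",
                  "http://127.0.0.1/cb",
                  "http://[::1]/cb"]
    for candidate in ["https://app.example/cb",
                      "https://app.example/cb/",          # trailing slash: no
                      "http://127.0.0.1:51234/cb",         # ephemeral port: yes
                      "http://[::1]:51234/cb",             # IPv6 loopback: yes
                      "http://127.0.0.1:51234/other",      # path differs: no
                      "http://localhost:51234/cb",         # no exception here
                      "https://127.0.0.1:51234/cb"]:       # scheme differs: no
        print(f"{candidate:40} -> {redirect_uri_allowed(registered, candidate)}")
```

The order of the two rules matters for readability more than for security: an exact match short-circuits, and only a loopback http request ever reaches the port-insensitive comparison, so a registered https URI can never be matched with a different port.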