IETF Logo Mail Archive

Re: [OAUTH-WG] Strict equality matching of redirect_uri

Marius Scurtescu <mscurtescu@google.com> Wed, 12 May 2010 16:53 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AC82528C35C for <oauth@core3.amsl.com>; Wed, 12 May 2010 09:53:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.209
X-Spam-Level:
X-Spam-Status: No, score=-100.209 tagged_above=-999 required=5 tests=[AWL=-0.832, BAYES_50=0.001, FM_FORGED_GMAIL=0.622, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PWwGlKrm7JlM for <oauth@core3.amsl.com>; Wed, 12 May 2010 09:53:48 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 6DA6E28C3FB for <oauth@ietf.org>; Wed, 12 May 2010 09:35:28 -0700 (PDT)
Received: from wpaz5.hot.corp.google.com (wpaz5.hot.corp.google.com [172.24.198.69]) by smtp-out.google.com with ESMTP id o4CGZGT1022290 for <oauth@ietf.org>; Wed, 12 May 2010 09:35:16 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1273682116; bh=R3zski78LrhCKkOoDz4Pznc/wI0=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type:Content-Transfer-Encoding; b=dH2lacEjSa6sDqyhd56jd5MDO3AvJOlxL+swgaqNfbXfglop1gkKBBFAxzA7gJ4mJ J7zfGGpY7+Q030BBRhVIA==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:content-transfer-encoding:x-system-of-record; b=ZdG2WhdsKJk94cGNc4/R5axdBXkj1PtHDuy9Q7Kmamgjzqu10b8DiXY7Iv/wRWLtG 9tleLEiUBunUtAC1kcS1Q==
Received: from pvc30 (pvc30.prod.google.com [10.241.209.158]) by wpaz5.hot.corp.google.com with ESMTP id o4CGZEtD030897 for <oauth@ietf.org>; Wed, 12 May 2010 09:35:14 -0700
Received: by pvc30 with SMTP id 30so159657pvc.8 for <oauth@ietf.org>; Wed, 12 May 2010 09:35:14 -0700 (PDT)
Received: by 10.141.188.26 with SMTP id q26mr5209758rvp.150.1273682114137; Wed, 12 May 2010 09:35:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.141.125.21 with HTTP; Wed, 12 May 2010 09:34:54 -0700 (PDT)
In-Reply-To: <AANLkTilX2YV5NS4jWJSxQJJqAknPzF9vccJt7qCvEQTt@mail.gmail.com>
References: <4BE730CC.1090607@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E24@P3PW5EX1MB01.EX1.SECURESERVER.NET> <918F548B-2501-4630-977E-0A7D4484D067@gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E37@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTimfTF05EWxOdyJrUU3K3IN7kJ7RdDk3mBXN2f41@mail.gmail.com> <AANLkTilCID4z-NjAJLMQ2GHcWHm-21fWKPzXs-6y4tyZ@mail.gmail.com> <AANLkTil8-AEe0Jjid2aKuI4IADCZ_vamNng5USnMKz8E@mail.gmail.com> <DEBACE14-0DC8-44F9-92EF-AA3F8F522041@facebook.com> <AANLkTilX2YV5NS4jWJSxQJJqAknPzF9vccJt7qCvEQTt@mail.gmail.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Wed, 12 May 2010 09:34:54 -0700
Message-ID: <AANLkTilhUgA0Dsc4gHqy1KAxjAe1qVze0hHoiw3Zlyxw@mail.gmail.com>
To: Raffi Krikorian <raffi@twitter.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Strict equality matching of redirect_uri
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 May 2010 16:53:49 -0000

If I understand correctly, Twitter does strict matching (against a
list) and Facebook does prefix matching.

If I am a client and want to integrate with Facebook only, I may take
advantage of the prefix matching and rely on that.

What if at some point in the future I now want to integrate with
Twitter as well? I can't. At least not without rewriting my whole
OAuth 2 infrastructure.

Because of that, if I really want to be able to work with any OAuth 2
authz sever I can only assume strict matching. Do we want to tackle
this problem or let clients figure it out (some of them the hard way)?

Marius


On Tue, May 11, 2010 at 11:39 PM, Raffi Krikorian <raffi@twitter.com> wrote:
> twitter is working on a version where we will actually allow the
> specification of an explicit array of registered URIs, and we do strict
> matching against the elements of that array to see if any match.  we thought
> of allowing just subdomain globbing and wildcards, but that seemed
> problematic for GAE like situations....
>
> On Wed, May 12, 2010 at 7:31 AM, Luke Shepard <lshepard@facebook.com> wrote:
>>
>> FWIW, Facebook does not do strict equality matching on redirect_uri. We
>> accept any redirect_uri that has either:
>>
>> - its prefix is the registered url
>> - or it is a special facebook.com/xd_proxy.php url, with an origin
>> parameter that has a prefix on the registered url
>>
>> I think that the spec should leave the matching up to the server.
>>
>> On May 11, 2010, at 3:13 PM, Marius Scurtescu wrote:
>>
>> > On Tue, May 11, 2010 at 3:04 PM, Evan Gilbert <uidude@google.com> wrote:
>> >>
>> >> On Mon, May 10, 2010 at 1:16 PM, Marius Scurtescu
>> >> <mscurtescu@google.com>
>> >> wrote:
>> >>>
>> >>> On Sun, May 9, 2010 at 10:09 PM, Eran Hammer-Lahav
>> >>> <eran@hueniverse.com>
>> >>> wrote:
>> >>>>
>> >>>>> -----Original Message-----
>> >>>>> From: Dick Hardt [mailto:dick.hardt@gmail.com]
>> >>>>> Sent: Sunday, May 09, 2010 5:52 PM
>> >>>>
>> >>>>>>> 3.5.1.  Client Requests Authorization
>> >>>>>>>
>> >>>>>>> If the client has previously registered a redirection URI with the
>> >>>>>>>    authorization server, the authorization server MUST verify that
>> >>>>>>> the
>> >>>>>>>    redirection URI received matches the registered URI associated
>> >>>>>>> with
>> >>>>>>>    the client identifier.
>> >>>>>>>
>> >>>>>>> Does this mean equality? Or just the same base string?
>> >>>>>>
>> >>>>>> Right now it depends on the server.
>> >>>>>
>> >>>>> The spec should clarify that. Suggested wording:
>> >>>>>
>> >>>>>
>> >>>>> If the client has previously registered a redirection URI with the
>> >>>>> authorization
>> >>>>> server, the authorization server MUST verify that the redirection
>> >>>>> URI
>> >>>>> received matches the registered URI associated with the client
>> >>>>> identifier. The
>> >>>>> components of the redirection URI that must match the registered URI
>> >>>>> is
>> >>>>> authorization server dependant.
>> >>>>
>> >>>> I don't see how that helps... I also don't see why we can't just
>> >>>> profile
>> >>>> this and decide on how the matching should be done. We have the state
>> >>>> parameter to help too.
>> >>>
>> >>> I also think the spec should specify how the matching should be done.
>> >>>
>> >>> If left up to the authz server then a client that designs its OAuth 2
>> >>> implementation will have to assume that all authz servers will do
>> >>> strict equality matching, otherwise it may not be able to interact
>> >>> with some servers.
>> >>>
>> >>> For example, if the client assumes that it can use load balancing by
>> >>> varying the first part of the host name, and this may work with the
>> >>> fist authz server it integrate with, later this client will not be
>> >>> able to interact with an authz server which does strict matching on
>> >>> host name. And changing the load balancing architecture once deployed
>> >>> could be very hard.
>> >>>
>> >>> Since there is a state parameter maybe it is enough to allow wild
>> >>> cards only in the domain name of the callback URI.
>> >>
>> >> I think this we should leave this matching undefined for now - since
>> >> you
>> >> have to preregister with every site, you will have provider-specific
>> >> logic
>> >> anyway. This will be much more important when we have a discovery
>> >> mechanism
>> >> for callback URLs.
>> >
>> > If we leave undefined then that is the same as enforcing strict
>> > equality matching. Then let's make that explicit. Are we OK with that?
>> >
>> > A client that eventually wants to interact with several authz servers
>> > will have to assume the "greatest common divisor", which is strict
>> > matching.
>> >
>> > Marius
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> --
> Raffi Krikorian
> Twitter Platform Team
> http://twitter.com/raffi
>

v2.23.0 | Report a Bug | By Email