IETF Logo Mail Archive

Re: [OAUTH-WG] Strict equality matching of redirect_uri

Luke Shepard <lshepard@facebook.com> Wed, 12 May 2010 06:33 UTC

Return-Path: <lshepard@facebook.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2940F28C17C for <oauth@core3.amsl.com>; Tue, 11 May 2010 23:33:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.692
X-Spam-Level:
X-Spam-Status: No, score=-1.692 tagged_above=-999 required=5 tests=[AWL=-1.027, BAYES_50=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T+a4Gbkg8eSS for <oauth@core3.amsl.com>; Tue, 11 May 2010 23:33:42 -0700 (PDT)
Received: from mailout-snc1.facebook.com (mailout-snc1.facebook.com [69.63.179.25]) by core3.amsl.com (Postfix) with ESMTP id 349A628C103 for <oauth@ietf.org>; Tue, 11 May 2010 23:33:42 -0700 (PDT)
Received: from mail.thefacebook.com ([192.168.18.105]) by pp01.snc1.tfbnw.net (8.14.3/8.14.3) with ESMTP id o4C6X5SQ004299 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Tue, 11 May 2010 23:33:06 -0700
Received: from sc-hub06.TheFacebook.com (192.168.18.83) by sc-hub02.TheFacebook.com (192.168.18.105) with Microsoft SMTP Server (TLS) id 8.2.213.0; Tue, 11 May 2010 23:32:00 -0700
Received: from SC-MBXC1.TheFacebook.com ([192.168.18.102]) by sc-hub06.TheFacebook.com ([192.168.18.83]) with mapi; Tue, 11 May 2010 23:32:00 -0700
From: Luke Shepard <lshepard@facebook.com>
To: Marius Scurtescu <mscurtescu@google.com>
Date: Tue, 11 May 2010 23:31:58 -0700
Thread-Topic: [OAUTH-WG] Strict equality matching of redirect_uri
Thread-Index: AcrxnNNJ75xjd+NWSXSaNhzf5qjFDg==
Message-ID: <DEBACE14-0DC8-44F9-92EF-AA3F8F522041@facebook.com>
References: <4BE730CC.1090607@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E24@P3PW5EX1MB01.EX1.SECURESERVER.NET> <918F548B-2501-4630-977E-0A7D4484D067@gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E37@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTimfTF05EWxOdyJrUU3K3IN7kJ7RdDk3mBXN2f41@mail.gmail.com> <AANLkTilCID4z-NjAJLMQ2GHcWHm-21fWKPzXs-6y4tyZ@mail.gmail.com> <AANLkTil8-AEe0Jjid2aKuI4IADCZ_vamNng5USnMKz8E@mail.gmail.com>
In-Reply-To: <AANLkTil8-AEe0Jjid2aKuI4IADCZ_vamNng5USnMKz8E@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.8161:2.4.5, 1.2.40, 4.0.166 definitions=2010-05-12_01:2010-02-06, 2010-05-12, 2010-05-11 signatures=0
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Strict equality matching of redirect_uri
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 May 2010 06:33:43 -0000

FWIW, Facebook does not do strict equality matching on redirect_uri. We accept any redirect_uri that has either:

- its prefix is the registered url
- or it is a special facebook.com/xd_proxy.php url, with an origin parameter that has a prefix on the registered url

I think that the spec should leave the matching up to the server.

On May 11, 2010, at 3:13 PM, Marius Scurtescu wrote:

> On Tue, May 11, 2010 at 3:04 PM, Evan Gilbert <uidude@google.com> wrote:
>> 
>> On Mon, May 10, 2010 at 1:16 PM, Marius Scurtescu <mscurtescu@google.com>
>> wrote:
>>> 
>>> On Sun, May 9, 2010 at 10:09 PM, Eran Hammer-Lahav <eran@hueniverse.com>
>>> wrote:
>>>> 
>>>>> -----Original Message-----
>>>>> From: Dick Hardt [mailto:dick.hardt@gmail.com]
>>>>> Sent: Sunday, May 09, 2010 5:52 PM
>>>> 
>>>>>>> 3.5.1.  Client Requests Authorization
>>>>>>> 
>>>>>>> If the client has previously registered a redirection URI with the
>>>>>>>    authorization server, the authorization server MUST verify that
>>>>>>> the
>>>>>>>    redirection URI received matches the registered URI associated
>>>>>>> with
>>>>>>>    the client identifier.
>>>>>>> 
>>>>>>> Does this mean equality? Or just the same base string?
>>>>>> 
>>>>>> Right now it depends on the server.
>>>>> 
>>>>> The spec should clarify that. Suggested wording:
>>>>> 
>>>>> 
>>>>> If the client has previously registered a redirection URI with the
>>>>> authorization
>>>>> server, the authorization server MUST verify that the redirection URI
>>>>> received matches the registered URI associated with the client
>>>>> identifier. The
>>>>> components of the redirection URI that must match the registered URI is
>>>>> authorization server dependant.
>>>> 
>>>> I don't see how that helps... I also don't see why we can't just profile
>>>> this and decide on how the matching should be done. We have the state
>>>> parameter to help too.
>>> 
>>> I also think the spec should specify how the matching should be done.
>>> 
>>> If left up to the authz server then a client that designs its OAuth 2
>>> implementation will have to assume that all authz servers will do
>>> strict equality matching, otherwise it may not be able to interact
>>> with some servers.
>>> 
>>> For example, if the client assumes that it can use load balancing by
>>> varying the first part of the host name, and this may work with the
>>> fist authz server it integrate with, later this client will not be
>>> able to interact with an authz server which does strict matching on
>>> host name. And changing the load balancing architecture once deployed
>>> could be very hard.
>>> 
>>> Since there is a state parameter maybe it is enough to allow wild
>>> cards only in the domain name of the callback URI.
>> 
>> I think this we should leave this matching undefined for now - since you
>> have to preregister with every site, you will have provider-specific logic
>> anyway. This will be much more important when we have a discovery mechanism
>> for callback URLs.
> 
> If we leave undefined then that is the same as enforcing strict
> equality matching. Then let's make that explicit. Are we OK with that?
> 
> A client that eventually wants to interact with several authz servers
> will have to assume the "greatest common divisor", which is strict
> matching.
> 
> Marius
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email