IETF Logo Mail Archive

Re: [OAUTH-WG] redirect uri validation

Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 15 August 2011 20:34 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06EB311E8100 for <oauth@ietfa.amsl.com>; Mon, 15 Aug 2011 13:34:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level:
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_102=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lWWkAGXhq0zO for <oauth@ietfa.amsl.com>; Mon, 15 Aug 2011 13:34:43 -0700 (PDT)
Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de [80.67.31.97]) by ietfa.amsl.com (Postfix) with ESMTP id 361E311E80E5 for <oauth@ietf.org>; Mon, 15 Aug 2011 13:34:43 -0700 (PDT)
Received: from [87.142.249.124] (helo=[192.168.71.35]) by smtprelay05.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1Qt3se-0007LJ-0i; Mon, 15 Aug 2011 22:35:28 +0200
Message-ID: <4E498313.3080009@lodderstedt.net>
Date: Mon, 15 Aug 2011 22:35:31 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <fcffd9492cbaced09c93f4e3c37b569f@lodderstedt-online.de> <90C41DD21FB7C64BB94121FBBC2E72345021F37877@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E2DAAEA.7090304@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E7234502498CDD7@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E7234502498CDDE@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234502498CDDE@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Df-Sender: torsten@lodderstedt-online.de
Cc: "oauth@ietf.org" <oauth@ietf.org>, "eran@sled.com" <eran@sled.com>
Subject: Re: [OAUTH-WG] redirect uri validation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2011 20:34:44 -0000

Hi Eran,

Am 15.08.2011 08:57, schrieb Eran Hammer-Lahav:
> Added to 1.4.2:
>
>              When issuing an implicit grant, the authorization server does not authenticate the
>              client and [[in some cases]], the client identity [[can]] be verified via the redirection URI
>              used to deliver the access token to the client. The access token may be exposed to the
>              resource owner or other applications with access to the resource owner's user-agent.
>
> Hope this is sufficient.

What do you want to express? Clients can sometimes be verified via 
redirection URI?

My intention was to point out that an invalid redirect URI is a 
counter-evidence for a client's identity but a valid redirect URI is 
_not_ an evidence for its identity.

I would suggest to add the text below to section 10.1., last paragraph 
after the sentence

"For
    example, by requiring the registration of the client redirection URI
    or enlisting the resource owner to confirm identity."

proposed text:

Please note: while an invalid redirection URI indicates a counterfeit 
client, a valid redirection URI is not sufficient to confirm a client's 
identity.

regards,
Torsten.


>
> EHL
>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Eran Hammer-Lahav
>> Sent: Sunday, August 14, 2011 11:09 PM
>> To: Torsten Lodderstedt
>> Cc: torsten@lodderstedt-online.de; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] redirect uri validation
>>
>> Where would you suggest I add this?
>>
>> EHL
>>
>>> -----Original Message-----
>>> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
>>> Sent: Monday, July 25, 2011 10:42 AM
>>> To: Eran Hammer-Lahav
>>> Cc: torsten@lodderstedt-online.de; oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] redirect uri validation
>>>
>>> Hi Eran,
>>>
>>>>>> OAuth 1.0 was highly criticized for failing to address client
>>>>>> identity in public clients. I believe OAuth 2.0 offers a much
>>>>>> better story, within the boundaries>of what’s possible today.
>>>>> Agreed. I think we must honestly discuss the value of client
>>>>> authentication/identification itself. I personally think it is
>>>>> over-emphazised right now. The strength of OAuth 2.0 is that it
>>>>> allows solutions where neither client nor resource server have
>>>>> access or
>>> do store end-user credentials.
>>>>> Client authentication is nice but not the main feature.
>>>> Do you have any specific suggestions not already mentioned on the list?
>>> I would suggest to mention that while an invalid redirect_uri
>>> indicates a counterfeit clients a valid redirect does not prove the calling
>> client's identity.
>>> regards,
>>> Torsten.
>>>
>>>
>>>> EHL
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email