Re: [OAUTH-WG] Strict equality matching of redirect_uri

Evan Gilbert <uidude@google.com> Mon, 17 May 2010 15:33 UTC

From: Evan Gilbert <uidude@google.com>
Date: Mon, 17 May 2010 08:29:20 -0700
Message-ID: <AANLkTikdi_ajhCxdJ5DGHtarnUm4icNTODKEQgcP3rqN@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Strict equality matching of redirect_uri

I'd like to get a standard for redirect URI matching, but think this may not
be feasible - we are leaving the callback URI registration mechanism
undefined and I've heard a number of different mechanisms that companies
want to support.

I think we should leave the matching undefined, possibly with a SHOULD for
the most common matching mechanism (URL prefix?)

I'm not hugely worried about incompatibilities between different AS on this
front:
1. Clients will push us strongly towards compatible implementations.
2. Clients can always set up a redirector if needed for a specific AS (as an
aside - we need a document detailing how to build a redirector properly
without becoming an open redirector).


On Sun, May 16, 2010 at 11:20 AM, Dick Hardt <dick.hardt@gmail.com> wrote:

>
>
> On Tue, May 11, 2010 at 11:31 PM, Luke Shepard <lshepard@facebook.com> wrote:
>
>> FWIW, Facebook does not do strict equality matching on redirect_uri. We
>> accept any redirect_uri that has either:
>>
>> - its prefix is the registered url
>> - or it is a special facebook.com/xd_proxy.php url, with an origin
>> parameter that has a prefix on the registered url
>>
>> I think that the spec should leave the matching up to the server.
>
>
> If the matching is left to an arbitrary, server defined algorithm, we lose
> interop since a client implementation may make assumptions on what may be
> allowed in the redirect_uri at one AS and then not be able to work with
> another AS that is more restrictive.
>
> As this is a security feature, I'd like to hear the options from the
> security oriented participants with experience here.
>
> Allen / Brian?
>
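
Added example, not part of the original message and not any participant's or vendor's implementation: a sketch comparing the matching rules discussed in this thread (strict equality, raw string prefix, and a prefix rule applied per URI component) so an authorization server can see where they disagree. The function names and the `client.example` / `other.test` URIs are constructed for illustration, and the component-wise rule is one possible reading of "URL prefix", not a rule from the spec.

```python
from urllib.parse import urlsplit, unquote

def strict_match(registered, presented):
    # Exact string equality, the "strict" option in the thread subject.
    return presented == registered

def naive_prefix_match(registered, presented):
    # Raw string prefix: ignores where the host and path segments end.
    return presented.startswith(registered)

def _origin(u):
    default = {"https": 443, "http": 80}.get(u.scheme)
    return (u.scheme, u.hostname, u.port or default)  # .port may raise ValueError

def component_prefix_match(registered, presented):
    # Same scheme/host/port, no userinfo or fragment, no dot segments,
    # and the registered path must match on a whole-segment boundary.
    try:
        reg, got = urlsplit(registered), urlsplit(presented)
        if _origin(reg) != _origin(got):
            return False
    except ValueError:
        return False
    if got.username is not None or got.fragment:
        return False
    decoded = unquote(got.path)
    if "\\" in decoded or any(s in (".", "..") for s in decoded.split("/")):
        return False
    base = reg.path.rstrip("/")
    return got.path == reg.path or got.path.startswith(base + "/")

def evaluate(registered, presented):
    # Returns (strict, naive_prefix, component_prefix) for one pair.
    return (strict_match(registered, presented),
            naive_prefix_match(registered, presented),
            component_prefix_match(registered, presented))

# Constructed (registered, presented) pairs; none come from the thread.
SAMPLES = [
    ("https://client.example/cb", "https://client.example/cb"),
    ("https://client.example/cb", "https://client.example/cb/step2?state=abc"),
    ("https://client.example/cb", "https://client.example/cb-other"),
    ("https://client.example/cb", "https://client.example/cb/%2e%2e/other"),
    ("https://client.example", "https://client.example.other.test/cb"),
    ("https://client.example/cb", "HTTPS://Client.Example/cb"),
]

if __name__ == "__main__":
    for reg, got in SAMPLES:
        print(evaluate(reg, got), reg, "->", got)
```

The query string is deliberately left unchecked here; a server that registers query parameters as part of the redirect URI would need an additional rule for them.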