Re: [OAUTH-WG] Clarification: authorization server matching of redirect URI
Dick Hardt <dick.hardt@gmail.com> Mon, 19 April 2010 05:36 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7B1543A6AA8 for <oauth@core3.amsl.com>; Sun, 18 Apr 2010 22:36:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.396
X-Spam-Level:
X-Spam-Status: No, score=-2.396 tagged_above=-999 required=5 tests=[AWL=0.203, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YuF5gN483w0u for <oauth@core3.amsl.com>; Sun, 18 Apr 2010 22:36:06 -0700 (PDT)
Received: from mail-yx0-f182.google.com (mail-yx0-f182.google.com [209.85.210.182]) by core3.amsl.com (Postfix) with ESMTP id 78E633A6ABC for <oauth@ietf.org>; Sun, 18 Apr 2010 22:36:04 -0700 (PDT)
Received: by yxe12 with SMTP id 12so2592034yxe.32 for <oauth@ietf.org>; Sun, 18 Apr 2010 22:35:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:mime-version :content-type:from:in-reply-to:date:cc:content-transfer-encoding :message-id:references:to:x-mailer; bh=TmnMB+VxO1uY8I5QQWRwfvFVd3xXeCIerKK+oyUgG1w=; b=cZi8J9WS+L2t7v3s5oi1jXZ+C9KmYD2P8hVmC9rFapnMSAu0af596ZxFgih2dyGC+X mDpAEUuD8uKV+DcoPLfDVYOLNUIBFeJJl3DRwGWJen3hAWC20Pe/pRNnXMEFMhW4tVmk chVdL+WiYxaGcIcwIoz9txFElunHCqZofqiOg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; b=avV2pexmLMon7Ww7GRoD9DDhjMdsYT8XH8zft3WyN8dXfwENPg4ciNcoIxUz0Hj4WD yYY304FZjLqWbIH8wf08S4jiDKAB35IcVDRnSzNwY3W9sYI6zFBl45rA4KUn+CmweVLT uZh9eNKuZSeGbeMibXLm4sRiySyqrs6953uYk=
Received: by 10.100.97.15 with SMTP id u15mr3943030anb.6.1271655351738; Sun, 18 Apr 2010 22:35:51 -0700 (PDT)
Received: from [10.0.1.4] (c-67-180-195-167.hsd1.ca.comcast.net [67.180.195.167]) by mx.google.com with ESMTPS id y2sm42115592ani.14.2010.04.18.22.35.49 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sun, 18 Apr 2010 22:35:50 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset="us-ascii"
From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723438E30A379C@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Sun, 18 Apr 2010 22:35:47 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <65D588CD-A374-4F6B-8749-199C5DF83300@gmail.com>
References: <2997F829-4755-44A8-ADD5-643BCE25AA61@gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E30A379C@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1078)
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Clarification: authorization server matching of redirect URI
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2010 05:36:07 -0000
The spec should describe how the redirect URI is verified to what is registered. I can enumerate the options for discussion adding in the state parameter as an option. On 2010-04-18, at 10:16 PM, Eran Hammer-Lahav wrote: > This is where limiting variations to a client state parameter helps, but consensus was that we cannot limit clients not to use local query parameters outside the state. > > The problem with giving specific guidance is that it can open security holes. For example, not checking the value of a query parameter can turn the callback into an open redirector. On the other hand, limiting the sub-domain can make scalability harder. > > Care to propose text? > > EHL > >> -----Original Message----- >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf >> Of Dick Hardt >> Sent: Sunday, April 18, 2010 9:22 PM >> To: OAuth WG >> Subject: [OAUTH-WG] Clarification: authorization server matching of redirect >> URI >> >> Some AS will match part of the URI to what was registered, some require >> everything up to the start of a query. The spec needs to clarify how much of >> the URI needs to be matched, or state it is AS specified. >> >> -- Dick >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Clarification: authorization server ma… Dick Hardt
- Re: [OAUTH-WG] Clarification: authorization serve… Eran Hammer-Lahav
- Re: [OAUTH-WG] Clarification: authorization serve… Dick Hardt
- Re: [OAUTH-WG] Clarification: authorization serve… Brian Eaton
- Re: [OAUTH-WG] Clarification: authorization serve… Eran Hammer-Lahav
- Re: [OAUTH-WG] Clarification: authorization serve… Brian Eaton
- Re: [OAUTH-WG] Clarification: authorization serve… Marius Scurtescu
- Re: [OAUTH-WG] Clarification: authorization serve… Eran Hammer-Lahav