IETF Logo Mail Archive

Re: [OAUTH-WG] Comments on draft-ietf-oauth-v2-03.txt

Marius Scurtescu <mscurtescu@google.com> Thu, 13 May 2010 02:06 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A02473A6908 for <oauth@core3.amsl.com>; Wed, 12 May 2010 19:06:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.563
X-Spam-Level:
X-Spam-Status: No, score=-100.563 tagged_above=-999 required=5 tests=[AWL=-0.445, BAYES_20=-0.74, FM_FORGED_GMAIL=0.622, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 70ANed3rgYsY for <oauth@core3.amsl.com>; Wed, 12 May 2010 19:06:42 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 72E2A3A67AF for <oauth@ietf.org>; Wed, 12 May 2010 19:06:42 -0700 (PDT)
Received: from hpaq13.eem.corp.google.com (hpaq13.eem.corp.google.com [172.25.149.13]) by smtp-out.google.com with ESMTP id o4D26Uld025160 for <oauth@ietf.org>; Wed, 12 May 2010 19:06:30 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1273716390; bh=uPHBdfo2KKg1PuQkr4cCuYnu8/A=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type:Content-Transfer-Encoding; b=mTnXw0bB3PV5iOzWk/epE93jOqwAE0gHqKhkJ08z9kE7pkqDviiUVHxcglL7oeEas 5ekWRyDNr0IuBiW+0PVHQ==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:content-transfer-encoding:x-system-of-record; b=B01/wnipYrjMr/7Sk/P+d8BMYNumXK3+1EERVscEG1PwqO43BBF0vQnVmXT6gR1gh f+Kk1gqXhk5x21/ls2kNQ==
Received: from pzk1 (pzk1.prod.google.com [10.243.19.129]) by hpaq13.eem.corp.google.com with ESMTP id o4D25trC020901 for <oauth@ietf.org>; Wed, 12 May 2010 19:06:29 -0700
Received: by pzk1 with SMTP id 1so390661pzk.8 for <oauth@ietf.org>; Wed, 12 May 2010 19:06:27 -0700 (PDT)
Received: by 10.140.248.20 with SMTP id v20mr5572811rvh.235.1273716387151; Wed, 12 May 2010 19:06:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.141.125.21 with HTTP; Wed, 12 May 2010 19:06:07 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343B3AB47130@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <4BE730CC.1090607@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E24@P3PW5EX1MB01.EX1.SECURESERVER.NET> <918F548B-2501-4630-977E-0A7D4484D067@gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E37@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTimfTF05EWxOdyJrUU3K3IN7kJ7RdDk3mBXN2f41@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3AB47130@P3PW5EX1MB01.EX1.SECURESERVER.NET>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Wed, 12 May 2010 19:06:07 -0700
Message-ID: <AANLkTim04vXHSD2fakvXQbLE3p-uCgmAfhaSyKTSBWQF@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Comments on draft-ietf-oauth-v2-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 May 2010 02:06:43 -0000

On Mon, May 10, 2010 at 7:53 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> Propose text.

Tried to write some text, but still not sure what the right solution is.

redirect_uri matching is done in two flows: Web Server and User-Agent.

In Web Server the matching issue can be avoided by always requiring
redirect_uri on the initial request, and require authz servers not to
match against a pre-registered one, and then do strict matching when
the access token is requested.

In User-Agent, matching must be done between pre-registered and the
one sent with the request. Here I would suggest strict matching (which
boils down to no requirement to send redirect_uri if it was
pre-registered). For this flow, does anyone see the need for wild card
domain matching or for path prefix matching?

If we cannot get to an agreement, maybe the spec can at least advise
clients to assume strict matching since this assures the largest
compatibility?

Does it help to propose text if there is no agreement?

Marius

>
> EHL
>
>> -----Original Message-----
>> From: Marius Scurtescu [mailto:mscurtescu@google.com]
>> Sent: Monday, May 10, 2010 1:16 PM
>> To: Eran Hammer-Lahav
>> Cc: Dick Hardt; OAuth WG (oauth@ietf.org)
>> Subject: Re: [OAUTH-WG] Comments on draft-ietf-oauth-v2-03.txt
>>
>> On Sun, May 9, 2010 at 10:09 PM, Eran Hammer-Lahav
>> <eran@hueniverse.com> wrote:
>> >
>> >> -----Original Message-----
>> >> From: Dick Hardt [mailto:dick.hardt@gmail.com]
>> >> Sent: Sunday, May 09, 2010 5:52 PM
>> >
>> >> >> 3.5.1.  Client Requests Authorization
>> >> >>
>> >> >> If the client has previously registered a redirection URI with the
>> >> >>    authorization server, the authorization server MUST verify that
>> >> >> the
>> >> >>    redirection URI received matches the registered URI associated
>> >> >> with
>> >> >>    the client identifier.
>> >> >>
>> >> >> Does this mean equality? Or just the same base string?
>> >> >
>> >> > Right now it depends on the server.
>> >>
>> >> The spec should clarify that. Suggested wording:
>> >>
>> >>
>> >> If the client has previously registered a redirection URI with the
>> >> authorization server, the authorization server MUST verify that the
>> >> redirection URI received matches the registered URI associated with
>> >> the client identifier. The components of the redirection URI that
>> >> must match the registered URI is authorization server dependant.
>> >
>> > I don't see how that helps... I also don't see why we can't just profile this
>> and decide on how the matching should be done. We have the state
>> parameter to help too.
>>
>> I also think the spec should specify how the matching should be done.
>>
>> If left up to the authz server then a client that designs its OAuth 2
>> implementation will have to assume that all authz servers will do strict
>> equality matching, otherwise it may not be able to interact with some
>> servers.
>>
>> For example, if the client assumes that it can use load balancing by varying
>> the first part of the host name, and this may work with the fist authz server it
>> integrate with, later this client will not be able to interact with an authz server
>> which does strict matching on host name. And changing the load balancing
>> architecture once deployed could be very hard.
>>
>> Since there is a state parameter maybe it is enough to allow wild cards only in
>> the domain name of the callback URI.
>>
>> Marius
>

v2.23.0 | Report a Bug | By Email