Re: [OAUTH-WG] Strict equality matching of redirect_uri

Evan Gilbert <uidude@google.com> Tue, 18 May 2010 16:26 UTC

In-Reply-To: <AANLkTikZGYRUe84a5fb-QoXSdJL-hmCzFO3vUP_6Zc7r@mail.gmail.com>
References: <4BE730CC.1090607@lodderstedt.net> <918F548B-2501-4630-977E-0A7D4484D067@gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E37@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTimfTF05EWxOdyJrUU3K3IN7kJ7RdDk3mBXN2f41@mail.gmail.com> <AANLkTilCID4z-NjAJLMQ2GHcWHm-21fWKPzXs-6y4tyZ@mail.gmail.com> <AANLkTil8-AEe0Jjid2aKuI4IADCZ_vamNng5USnMKz8E@mail.gmail.com> <DEBACE14-0DC8-44F9-92EF-AA3F8F522041@facebook.com> <AANLkTinYP_Ee9-Znge9G5lgCnq-dmVG_8y0MZvOJDJcf@mail.gmail.com> <AANLkTikdi_ajhCxdJ5DGHtarnUm4icNTODKEQgcP3rqN@mail.gmail.com> <AANLkTikZGYRUe84a5fb-QoXSdJL-hmCzFO3vUP_6Zc7r@mail.gmail.com>
From: Evan Gilbert <uidude@google.com>
Date: Tue, 18 May 2010 09:11:19 -0700
Message-ID: <AANLkTimSYSoeWKAgN-YJjf-E7s26uoTmGsX2QVPcm4q8@mail.gmail.com>
To: Marius Scurtescu <mscurtescu@google.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Strict equality matching of redirect_uri

On Mon, May 17, 2010 at 8:53 AM, Marius Scurtescu <mscurtescu@google.com> wrote:

> On Mon, May 17, 2010 at 8:29 AM, Evan Gilbert <uidude@google.com> wrote:
> > I'd like to get a standard for redirect URI matching, but think this may not
> > be feasible - we are leaving the callback URI registration mechanism
> > undefined and I've heard a number of different mechanisms that companies
> > want to support.
> > I think we should leave the matching undefined, possibly with a SHOULD for
> > the most common matching mechanism (URL prefix?)
> >
> > I'm not hugely worried about incompatibilities between different AS on this
> > front:
> > 1. Clients will push us strongly towards compatible implementations.
> > 2. Clients can always set up a redirector if needed for a specific AS (as an
> > aside - we need a document detailing how to build a redirector properly
> > without becoming an open redirector).
>
> Isn't this saying that clients can always implement strict matching
> and live with that? Why not require it then?
>

No, don't think so.

Clients will use redirect behavior that works with their current provider,
and deal with strict matching when/if it comes up.

I'm pretty sure that norms will evolve, but also pretty sure that we won't
agree right now.


>
> Marius
>
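The two mechanisms being argued over above, strict equality versus URL-prefix matching of redirect_uri at the authorization server, together with the "redirector that is not an open redirector" the thread says still needs documenting, as an added illustration that is not code from this thread or from any of the providers mentioned. The hostnames client.example and attacker.example, the registered callback path, the `next` parameter and all function names are assumptions made for the example; the candidate URIs are constructed inputs.

```python
"""
Added illustration, not code from the OAuth WG thread.

Part 1: how an authorization server (AS) would compare a requested
redirect_uri against the registered one under strict equality and under
prefix matching, and what the browser actually lands on in the prefix case.

Part 2: the allowlist check a client-side redirector (e.g. a `next`
parameter handled after the OAuth callback) needs so that it does not
become an open redirector.

client.example, attacker.example, the callback path and parameter names
are assumed values.
"""
import posixpath
from urllib.parse import urlsplit

# Assumed value registered at the AS for this client_id.
REGISTERED_REDIRECT_URI = "https://client.example/oauth/callback"


def strict_match(registered: str, requested: str) -> bool:
    """Strict equality: byte-for-byte identical, no normalization,
    no extra query string, no fragment."""
    return registered == requested


def prefix_match(registered: str, requested: str) -> bool:
    """Prefix matching (the "URL prefix?" mechanism from the thread):
    anything that begins with the registered string is accepted."""
    return requested.startswith(registered)


def effective_path(requested: str) -> str:
    """The path the browser will actually request on the client after
    dot-segment resolution. A prefix check on the raw string is not a
    check on this destination."""
    return posixpath.normpath(urlsplit(requested).path)


def compare(registered: str, candidates: list) -> dict:
    """Evaluate each constructed candidate under both policies.
    Returns {candidate: (strict_ok, prefix_ok, effective_path)}."""
    return {
        c: (strict_match(registered, c), prefix_match(registered, c), effective_path(c))
        for c in candidates
    }


def is_safe_redirect_target(url: str, allowed_hosts: frozenset) -> bool:
    """Client-side redirector check: follow only absolute https URLs whose
    host is exactly in the allowlist. Everything else is refused, so the
    redirector cannot be chained into an open redirect."""
    if "\\" in url:
        # Browsers treat '\' like '/' in the authority; urlsplit does not.
        # Refuse rather than guess which parser the attacker is targeting.
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        # Rejects scheme-relative "//attacker.example/", "javascript:", "http:".
        return False
    if parts.username is not None or parts.password is not None:
        # Rejects "https://client.example@attacker.example/".
        return False
    host = parts.hostname  # already lower-cased by urlsplit
    if host is None:
        return False
    # Exact membership, never endswith(): "client.example.attacker.example"
    # must fail.
    return host in allowed_hosts


if __name__ == "__main__":
    # Constructed candidates an AS might receive for the registered URI.
    candidates = [
        REGISTERED_REDIRECT_URI,
        REGISTERED_REDIRECT_URI + "?next=https://attacker.example/",
        REGISTERED_REDIRECT_URI + "/../../redirect?to=https://attacker.example/",
    ]
    for uri, (strict_ok, prefix_ok, path) in compare(REGISTERED_REDIRECT_URI, candidates).items():
        print(f"{uri}\n  strict={strict_ok} prefix={prefix_ok} lands_on={path}")

    allowed = frozenset({"client.example"})
    for target in ["https://client.example/app/home", "//attacker.example/",
                   "https://client.example@attacker.example/"]:
        print(f"redirect to {target!r}: {is_safe_redirect_target(target, allowed)}")
```

The prefix policy accepts the second and third candidates even though the third resolves to /redirect on the client, a path the client never registered; strict equality rejects both. The redirector check is what makes a client-operated "redirector for a specific AS" safe: it never forwards to a host that is not explicitly listed, whatever the URL looks like.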