Re: [OAUTH-WG] OAuth v2-18 comment on "state" parameter

Bob Van Zant <bob@veznat.com> Sun, 17 July 2011 19:07 UTC

In-Reply-To: <4E22B021.7080009@cisco.com>
References: <CADrOfLJSd8Z=QfCcGUdFBU314rmjv9-u25Vta+ObXfNAwoA06w@mail.gmail.com> <4E22B021.7080009@cisco.com>
Date: Sun, 17 Jul 2011 12:07:19 -0700
Message-ID: <CADrOfLLO6e9f-8EvdNjZZ5LAzrSfORtpiYhR3-KJQe=Rr4Lpzg@mail.gmail.com>
From: Bob Van Zant <bob@veznat.com>
To: Eliot Lear <lear@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth v2-18 comment on "state" parameter

On Sun, Jul 17, 2011 at 2:49 AM, Eliot Lear <lear@cisco.com> wrote:
> Bob,
>
> Just on this one point:
>
> On 7/15/11 5:35 PM, Bob Van Zant wrote:
>> The spec says that the value is opaque and that
>> I need to accept, store, and reply with exactly what the client sent
>> me.
>
> Where does it actually require you to "store" the "state" contents
> beyond the point where you issue your reply?

Beyond the reply, you're right. I exaggerate a little. I sort of wish
application developers would figure out their own way to manage state.
Or, like I've asked for here, at least give me something in the spec
that allows me to impose limits.

>
> One other point: if the redirection_uri can have fragments and can be
> provided, why is state necessary?

Just to be clear, section 3.1.2 says that the redirect URI:

   MAY include a query component which MUST be retained by
   the authorization server when adding additional query parameters, and
   MUST NOT include a fragment component.

So the app developer could stick anything they want in the querystring
and as the authorization server we have to hang on to that in addition
to the state variable.

-Bob
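An added example, not part of Bob's message or of any project: the authorization-server side of the two rules Bob quotes from section 3.1.2 (retain the client's query component, refuse a fragment) together with the client side that shows why the state value has to come back untouched. The MAX_STATE_LEN limit is an assumption standing in for the kind of server-imposed limit Bob asks for; the draft itself defines none.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical server-imposed cap on the opaque "state" value. The draft does not
# define one; this is the sort of limit the message above asks the spec to allow.
MAX_STATE_LEN = 512


def is_valid_redirect_uri(redirect_uri: str) -> bool:
    """Section 3.1.2 checks an authorization server can apply at registration:
    absolute URI, and no fragment component (a bare trailing '#' counts)."""
    parts = urlsplit(redirect_uri)
    if not parts.scheme or not parts.netloc:
        return False
    if parts.fragment or redirect_uri.endswith("#"):
        return False
    return True


def build_redirect(redirect_uri: str, code: str, state: Optional[str] = None) -> str:
    """Authorization server: build the redirect back to the client.

    The client's own query parameters are retained exactly as registered and the
    code (plus state, if the client sent one) is appended; the state value is
    echoed byte-for-byte, never parsed or rewritten.
    """
    if not is_valid_redirect_uri(redirect_uri):
        raise ValueError("redirect URI must be absolute and MUST NOT include a fragment")
    if state is not None and len(state) > MAX_STATE_LEN:
        raise ValueError("state exceeds the server-imposed limit")
    parts = urlsplit(redirect_uri)
    # keep_blank_values keeps entries like "debug=" that the client may rely on.
    params = parse_qsl(parts.query, keep_blank_values=True)
    params.append(("code", code))
    if state is not None:
        params.append(("state", state))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), ""))


def new_state() -> str:
    """Client: generate an unguessable state value and keep it in the user's session."""
    return secrets.token_urlsafe(32)


def client_callback(callback_url: str, expected_state: str) -> str:
    """Client: on return, compare the echoed state with the session copy in constant
    time before trusting the code. This is what the opaque round-trip buys the client."""
    query = dict(parse_qsl(urlsplit(callback_url).query, keep_blank_values=True))
    if not hmac.compare_digest(query.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback not tied to a request this session made")
    return query["code"]


if __name__ == "__main__":
    # Constructed sample: a registered redirect URI that already carries a query component.
    registered = "https://client.example/cb?app=42&debug="
    st = new_state()
    location = build_redirect(registered, "SplxlOBeZQQYbYS6WxSbIA", st)
    print(location)
    print("code:", client_callback(location, st))
```

The server never inspects the state value beyond the length check, which is the point of calling it opaque: the client is the only party that can interpret it.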