Re: [OAUTH-WG] Issue: state in web server flow

Eran Hammer-Lahav <eran@hueniverse.com> Mon, 19 April 2010 05:29 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Dick Hardt <dick.hardt@gmail.com>, OAuth WG <oauth@ietf.org>
Date: Sun, 18 Apr 2010 22:28:43 -0700
Thread-Topic: [OAUTH-WG] Issue: state in web server flow
Thread-Index: Acrfd6Jilk6p7SELSkaZEaZ0b88l0gACKyYA
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723438E30A379E@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <1E39CE38-763E-4E3D-96D4-DC757BD53B9D@gmail.com>
In-Reply-To: <1E39CE38-763E-4E3D-96D4-DC757BD53B9D@gmail.com>

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Dick Hardt
> Sent: Sunday, April 18, 2010 9:20 PM
> To: OAuth WG
> Subject: [OAUTH-WG] Issue: state in web server flow
> 
> Why was the state parameter removed from the web server flow?

I didn't want to both define a state parameter *and* allow for any other client-specific parameters in redirection URIs. Because people made the point that *any* client-specific parameters are required, I proposed to drop the state parameter. After all, servers MUST send back whatever URI they receive regardless of it being encoded into a state parameter.
 
> Some AS may require the entire redirect URI to be registered, so the state
> parameter allows a client to maintain state across calls.

I agree that this is useful, but it only makes the spec better if we make its use more restrictive. Defining it makes it easier for servers to validate the redirection URI, but only if the client is not allowed to use other client-specific query parameters with it.

If people feel strongly about putting it back, I suggest we only allow it with callbacks without any query component, as that is the only combination in which it adds value.

EHL

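A worked illustration of the position taken in this reply, added here as an example and not code from the thread or from any OAuth implementation: the authorization server matches the presented redirect URI exactly against the registered one, accepts `state` only when the registered callback has no query component, and echoes `state` back unchanged, while the client binds `state` to its session and rejects callbacks that do not carry it. The client identifiers and registered URIs are constructed for the example.

```python
import secrets
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed registration data for hypothetical clients (not real deployments).
REGISTERED = {
    "client-a": "https://app.example/cb",      # no query component
    "client-q": "https://app.example/cb?v=2",  # has a query component
}


def validate_redirect(client_id: str, redirect_uri: str, state: Optional[str]) -> bool:
    """Server side: redirect_uri must equal the registered URI exactly, so no
    extra client-specific query parameters are tolerated. `state` is accepted
    only when the registered callback carries no query component."""
    registered = REGISTERED.get(client_id)
    if registered is None or redirect_uri != registered:
        return False
    if state is not None and urlsplit(registered).query:
        return False
    return True


def build_callback(redirect_uri: str, code: str, state: Optional[str]) -> str:
    """Server side: send back the URI exactly as received, appending the
    authorization code and echoing `state` without interpreting it."""
    parts = urlsplit(redirect_uri)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params.append(("code", code))
    if state is not None:
        params.append(("state", state))
    return urlunsplit(parts._replace(query=urlencode(params)))


class ClientSession:
    """Client side: a fresh random `state` is tied to the user's session before
    redirecting; a callback whose `state` does not match is discarded."""

    def __init__(self) -> None:
        self.expected_state: Optional[str] = None

    def start(self) -> str:
        self.expected_state = secrets.token_urlsafe(16)
        return self.expected_state

    def finish(self, callback_url: str) -> Optional[str]:
        query = dict(parse_qsl(urlsplit(callback_url).query))
        if self.expected_state is None or query.get("state") != self.expected_state:
            return None
        self.expected_state = None  # one-time use
        return query.get("code")
```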