[OAUTH-WG] Redirect URIs in draft-ietf-oauth-security-topics

Aaron Parecki <aaron@parecki.com> Mon, 11 May 2020 16:03 UTC

From: Aaron Parecki <aaron@parecki.com>
Date: Mon, 11 May 2020 09:02:26 -0700
Message-ID: <CAGBSGjr7o2av2cCBegT9kZLuszH26NvLHv6WbKL5SDVvQAhu_A@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cwJuRoDNf8XIFngoam-7IqwpHHc>
Subject: [OAUTH-WG] Redirect URIs in draft-ietf-oauth-security-topics

The Security BCP has pretty clear language around requiring exact matching
of redirect URIs now.

https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1

However, the Native Apps BCP has an exception for localhost URIs to allow
variable ports.

https://tools.ietf.org/html/rfc8252#section-7.3

Is the intention of the Security BCP to also prevent that use case?

If so, it should probably be spelled out explicitly, since there is
currently no mention of this. If not, then that exception should also be
repeated in the Security BCP, since it is currently somewhat ambiguous
whether the exception in the Native Apps BCP is still allowed.

Aaron Parecki
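The two rules discussed above, written out as an authorization-server check. This is an added example, not code from the thread, from either BCP, or from any implementation: it applies the Security BCP's simple string comparison of the requested redirect URI against the registered ones, and carves out only the RFC 8252 section 7.3 case, where a native client registered with the loopback IP literals 127.0.0.1 or [::1] over http may present a different (ephemeral) port. Everything else, including scheme, host, path and query, must still match exactly; the client registration and the checked URIs are constructed sample values.

```python
"""Redirect URI validation: exact string match, with the RFC 8252 §7.3
loopback-port exception.  Added example; not from the thread or the BCPs."""
import re
from urllib.parse import urlsplit

# Hosts named by RFC 8252 §7.3 for loopback redirects.  Only these may
# differ in port between registration and the authorization request.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}

# Matches a trailing ":port" (or a bare ":") on the authority component.
_PORT_SUFFIX = re.compile(r":\d*$")


def _port_free_parts(uri):
    """Split a URI into its components with only the port removed.

    urlsplit lowercases scheme and host; for the IP literals the exception
    covers that changes nothing, and path, query and fragment are kept
    byte-for-byte, so no other normalization creeps in.
    """
    p = urlsplit(uri)
    return (p.scheme, _PORT_SUFFIX.sub("", p.netloc), p.path, p.query, p.fragment)


def is_loopback_redirect(uri):
    """True for http://127.0.0.1... and http://[::1]... redirect URIs."""
    p = urlsplit(uri)
    return p.scheme == "http" and p.hostname in LOOPBACK_HOSTS


def redirect_uri_matches(registered, requested):
    """Security BCP rule: plain string equality, no pattern or prefix match.

    The single concession is the Native Apps BCP loopback case: if the
    registered URI is a loopback redirect, the port may vary but nothing
    else may.  A non-loopback registration never gets that latitude.
    """
    if registered == requested:
        return True
    if not is_loopback_redirect(registered):
        return False
    return _port_free_parts(registered) == _port_free_parts(requested)


def validate_redirect_uri(registered_uris, requested):
    """True if `requested` matches one of the client's registered URIs."""
    return any(redirect_uri_matches(r, requested) for r in registered_uris)


# Constructed registration for a hypothetical client: a native app with
# both loopback forms, plus an ordinary https redirect for comparison.
REGISTERED = [
    "http://127.0.0.1/callback",
    "http://[::1]/callback",
    "https://app.example/cb",
]

if __name__ == "__main__":
    checks = {
        "http://127.0.0.1:49152/callback": True,        # ephemeral port, allowed
        "http://[::1]:49153/callback": True,            # IPv6 loopback, allowed
        "http://127.0.0.1:49152/callback/": False,      # path differs
        "http://127.0.0.1.example.net:80/callback": False,  # host differs
        "http://localhost:49152/callback": False,       # not registered
        "https://127.0.0.1:49152/callback": False,      # scheme differs
        "https://app.example:443/cb": False,            # no port leeway here
        "https://app.example/cb": True,                 # exact match
    }
    for uri, expected in checks.items():
        assert validate_redirect_uri(REGISTERED, uri) is expected, uri
    print("all redirect URI checks passed")
```

The check deliberately does not resolve names, strip default ports, or collapse `..` segments: the point of the exact-match rule is that the server compares what the client registered with what arrived, and the loopback clause only widens that by the port number.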