Re: [OAUTH-WG] Dealing with oAuth redirect_uri in draft-parecki-oauth-v2-1 and need for AS back channel initiation endpoint

Aaron Parecki <aaron@parecki.com> Wed, 08 April 2020 22:05 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dTXtqoKuxwCHMyT3ttqSP5tyAZo>

Hi Francis,

As much as I would love to require that all authorization requests are
initiated via a back channel, that is unfortunately not something that is
in scope of the current OAuth 2.1 document.

The OAuth 2.0 Security BCP and this document require strict redirect URI
matching, which should help simplify the AS, since simple string matching
is sufficient now.

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>



On Wed, Apr 8, 2020 at 3:01 PM Francis Pouatcha <fpo@adorsys.de> wrote:

> There is a lot of effort associated with the handling and correct
> validation of a redirect_uri sent to the AS as part of the front channel
> authorization request, as this gets transported by user agents.
>
> The draft-parecki-oauth-v2-1 as a replacement of RFC 6749 must make sure
> redirect_uri is only sent to the AS through the back channel. This of
> course requires the implementation of a new "authorization request
> initiation endpoint". The draft-ietf-oauth-par-01 provides guidance on
> how to design this initiation endpoint.
>
> --
> Francis Pouatcha
> Co-Founder and Technical Lead at adorsys
> https://adorsys-platform.de/solutions/
>
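The strict redirect URI matching Aaron refers to, written out as an added example that is not part of either message: the authorization server compares the requested redirect_uri byte-for-byte against the client's registered URIs, rejects the request (without redirecting) when nothing matches, and applies only the loopback-port relaxation for native apps that RFC 8252 defines and OAuth 2.1 retains. The client ids and URIs are constructed; the prefix matcher is included only to show what strict matching rejects.

```python
"""Strict redirect_uri validation at the authorization server (OAuth 2.0 Security BCP / OAuth 2.1 rule)."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed client registrations: the AS stores complete redirect URIs, not patterns.
REGISTERED_REDIRECT_URIS = {
    "client-123": ["https://app.example/callback", "https://app.example/callback2"],
    "native-456": ["http://127.0.0.1/cb"],  # loopback redirect for a native app
}

# RFC 8252 section 7.3 / OAuth 2.1: the port of a loopback redirect URI may vary per request.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def loopback_port_match(requested: str, registered_uri: str) -> bool:
    """Exact match on everything except the port, and only for http loopback URIs."""
    r, g = urlsplit(requested), urlsplit(registered_uri)
    if r.scheme != "http" or g.scheme != "http" or g.hostname not in LOOPBACK_HOSTS:
        return False
    return (r.hostname == g.hostname and r.path == g.path
            and r.query == g.query and r.fragment == g.fragment)


def validate_redirect_uri(client_id: str, requested: str) -> Optional[str]:
    """Return the registered URI the request matches, or None.

    No normalization is applied: a trailing slash, a different case in the host,
    or an extra query parameter is a different string and is rejected. On None the
    AS must show an error page itself rather than redirect anywhere.
    """
    for uri in REGISTERED_REDIRECT_URIS.get(client_id, []):
        if requested == uri or loopback_port_match(requested, uri):
            return uri
    return None


def prefix_match(requested: str, registered: list) -> bool:
    """The kind of partial matching the BCP moves away from; shown only for contrast."""
    return any(requested.startswith(uri) for uri in registered)


if __name__ == "__main__":
    for cid, uri in [("client-123", "https://app.example/callback"),
                     ("client-123", "https://app.example/callback/extra"),
                     ("native-456", "http://127.0.0.1:49152/cb")]:
        print(cid, uri, "->", validate_redirect_uri(cid, uri))
```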