Re: [OAUTH-WG] Implicit flow, scopes, and url length limit

Sergey Beryozkin <sberyozkin@gmail.com> Mon, 29 April 2013 11:36 UTC

Message-ID: <517E5B15.1010106@gmail.com>
Date: Mon, 29 Apr 2013 12:35:49 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: oauth@ietf.org
References: <CA+iS77CZ-A9ZDed_UAWH00X+QjY2DxfxSb6g+BeAWSL6iF++BA@mail.gmail.com> <CABzCy2DG5LAMmT3N4eSCd0Px0nHXBVFVt5ievyX-Jhiok+PTzw@mail.gmail.com>
In-Reply-To: <CABzCy2DG5LAMmT3N4eSCd0Px0nHXBVFVt5ievyX-Jhiok+PTzw@mail.gmail.com>

On 29/04/13 10:19, Nat Sakimura wrote:
> Essentially, that is what OpenID Connect does with request_uri or
> request object.
>
> In OpenID Connect, a client can register the request parameters to the
> server beforehand and get the reference to it called request_uri. Then,
> it can be passed to the authorization server by an extension parameter
> called request_uri. In this case, scope includes only "openid"
> effectively saying "look at the registered request file for the details".
>
Should it be done in the next OAuth2 revision spec? Seems like it's an 
OAuth2-level feature, except that a scope name would be more neutral, 
"client_registration" or similar...

Cheers, Sergey

> Best,
>
> Nat
>
>
> 2013/4/28 Bojan Živanović <bojanz@gmail.com <mailto:bojanz@gmail.com>>
>
>     Hi everyone,
>     I've written an oauth2 server for Drupal
>     (http://drupal.org/project/oauth2_server) based on the
>     https://github.com/bshaffer/oauth2-server-php PHP library.
>     My company is preparing a fairly large OAuth 2.0 deployment based on
>     that code.
>
>     On the library level we recently discussed the problem of scopes in
>     the redirect urls during implicit flow.
>
>     The URL limit is 2083 characters (imposed by Internet Explorer).
>     During the implicit flow, scope is passed in the URL.
>     If the server uses long scope names, and the client gets granted
>     several of those, it is possible to breach that limit (especially
>     since the domain name and the rest of the redirect url path is also
>     a part of that 2083 limit).
>     Has this problem been discussed previously, and what were the
>     conclusions?
>
>     My idea was to introduce a setting that would cause scope to not be
>     passed through the redirect_url in this case, so that it is later
>     fetched through a separate resource (we have a "tokens" resource
>     just like GitHub, Facebook and Google do, for getting all
>     information about the passed token. Calling this resource from the
>     server side after an implicit flow allows us to avoid the
>     http://homakov.blogspot.com/2012/08/oauth2-one-accesstoken-to-rule-them-all.html
>     attack).
>
>     Thoughts?
>
>     Thanks,
>     Bojan
>
>
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
>
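One way to implement Bojan's proposal, as an added example that is not part of this thread or of the oauth2-server-php library: the server omits scope from the implicit-flow redirect, and the client learns the scope by asking a server-side token-info resource that also checks the token was issued to that client. The token-info data, client ids and scope names are constructed for the example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

IE_URL_LIMIT = 2083  # the Internet Explorer URL limit cited in the thread

# Constructed sample of what a "tokens" (token-info) resource knows per token.
TOKEN_INFO = {
    "tok-alice-for-drupal-app": {"client_id": "drupal-app", "active": True,
                                 "scope": ["node:read", "node:write"]},
    "tok-alice-for-other-app": {"client_id": "other-app", "active": True,
                                "scope": ["node:read"]},
}


def build_implicit_redirect(redirect_uri, token, state, scopes, include_scope=True):
    """Server side: implicit-grant redirect with the token in the fragment.
    With include_scope=False the scope list never enters the URL."""
    params = {"access_token": token, "token_type": "bearer",
              "expires_in": 3600, "state": state}
    if include_scope:
        params["scope"] = " ".join(scopes)
    parts = urlsplit(redirect_uri)
    return urlunsplit(parts._replace(fragment=urlencode(params)))


def exceeds_ie_limit(url):
    """True when the full redirect URL would be truncated by IE."""
    return len(url) > IE_URL_LIMIT


def introspect(token, expected_client_id):
    """Server-side token-info lookup. Returns the granted scope, or None if the
    token is unknown, inactive, or was issued to a different client (the
    token-substitution case the thread refers to)."""
    info = TOKEN_INFO.get(token)
    if info is None or not info["active"]:
        return None
    if info["client_id"] != expected_client_id:
        return None
    return info["scope"]


def scopes_after_implicit(redirect_url, client_id):
    """Client side: take only the token from the fragment and obtain scope from
    the server, never trusting a scope value carried in the URL."""
    frag = parse_qs(urlsplit(redirect_url).fragment)
    token = frag.get("access_token", [None])[0]
    return introspect(token, client_id) if token else None
```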