Re: [OAUTH-WG] Implicit flow, scopes, and url length limit
Sergey Beryozkin <sberyozkin@gmail.com> Mon, 29 April 2013 11:36 UTC
Message-ID: <517E5B15.1010106@gmail.com>
Date: Mon, 29 Apr 2013 12:35:49 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
To: oauth@ietf.org
References: <CA+iS77CZ-A9ZDed_UAWH00X+QjY2DxfxSb6g+BeAWSL6iF++BA@mail.gmail.com> <CABzCy2DG5LAMmT3N4eSCd0Px0nHXBVFVt5ievyX-Jhiok+PTzw@mail.gmail.com>
In-Reply-To: <CABzCy2DG5LAMmT3N4eSCd0Px0nHXBVFVt5ievyX-Jhiok+PTzw@mail.gmail.com>
Subject: Re: [OAUTH-WG] Implicit flow, scopes, and url length limit
On 29/04/13 10:19, Nat Sakimura wrote:
> Essentially, that is what OpenID Connect does with request_uri or
> request object.
>
> In OpenID Connect, a client can register the request parameters to the
> server beforehand and get the reference to it called request_uri. Then,
> it can be passed to the authorization server by an extension parameter
> called request_uri. In this case, scope includes only "openid"
> effectively saying "look at the registered request file for the details".
>

Should it be done in the next OAuth2 revision spec? Seems like it's an OAuth2-level feature, except that a scope name would be more neutral, "client_registration" or similar...

Cheers, Sergey

> Best,
>
> Nat
>
>
> 2013/4/28 Bojan Živanović <bojanz@gmail.com <mailto:bojanz@gmail.com>>
>
> Hi everyone,
> I've written an oauth2 server for Drupal
> (http://drupal.org/project/oauth2_server) based on the
> https://github.com/bshaffer/oauth2-server-php PHP library.
> My company is preparing a fairly large OAuth 2.0 deployment based on
> that code.
>
> On the library level we recently discussed the problem of scopes in
> the redirect urls during implicit flow.
>
> The URL limit is 2083 characters (imposed by Internet Explorer).
> During the implicit flow, scope is passed in the URL.
> If the server uses long scope names, and the client gets granted
> several of those, it is possible to breach that limit (especially
> since the domain name and the rest of the redirect url path is also
> a part of that 2083 limit).
> Has this problem been discussed previously, and what were the
> conclusions?
>
> My idea was to introduce a setting that would cause scope to not be
> passed through the redirect_url in this case, so that it is later
> fetched through a separate resource (we have a "tokens" resource
> just like GitHub, Facebook and Google do, for getting all
> information about the passed token. Calling this resource from the
> server side after an implicit flow allows us to avoid the
> http://homakov.blogspot.com/2012/08/oauth2-one-accesstoken-to-rule-them-all.html
> attack).
>
> Thoughts?
>
> Thanks,
> Bojan
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
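The two mechanisms Bojan describes, as an added illustration that is not code from the thread or from either server project: building the implicit-grant redirect, checking it against the 2083-character limit, dropping `scope` from the fragment when it would not fit, and the client-side check on a token-info response (its field names `client_id` and `scope` are assumed here) that rejects a token issued to a different client.

```python
# Added example (not from the thread or the oauth2_server / oauth2-server-php
# projects). Shows the implicit-flow redirect length problem, the "leave scope
# out of the fragment and fetch it from a token-info resource" fallback, and
# the audience check that defeats reuse of a token issued to another client.
from urllib.parse import urlencode, urlsplit, parse_qs

URL_LIMIT = 2083  # Internet Explorer limit quoted in the thread


def build_implicit_redirect(redirect_uri, token, scopes, state, limit=URL_LIMIT):
    """Return (url, scope_inlined) for an RFC 6749 section 4.2.2 redirect.

    If the full URL would exceed `limit`, scope is omitted from the fragment
    and the client is expected to learn it from the token-info resource.
    """
    params = {"access_token": token, "token_type": "bearer",
              "expires_in": "3600", "state": state, "scope": " ".join(scopes)}
    url = redirect_uri + "#" + urlencode(params)
    if len(url) <= limit:
        return url, True
    del params["scope"]  # fallback: scope is fetched out of band
    url = redirect_uri + "#" + urlencode(params)
    if len(url) > limit:
        raise ValueError("redirect URL exceeds limit even without scope")
    return url, False


def parse_fragment(url):
    """Client side: recover the parameters from the redirect fragment."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).fragment).items()}


def verify_token_info(info, expected_client_id, expected_scopes):
    """Client-side check on a token-info response (assumed field names:
    client_id, scope). A token not issued to *this* client is rejected,
    which is the mitigation for the 'one access token' attack linked above;
    the granted scopes are also checked against what the client required."""
    if info.get("client_id") != expected_client_id:
        return False
    return set(expected_scopes) <= set(info.get("scope", "").split())
```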