Re: [OAUTH-WG] User-agent flow and pre-registered redirect_uri

Andrew Arnott <andrewarnott@gmail.com> Mon, 07 June 2010 17:19 UTC

In-Reply-To: <AANLkTiltbpzsz82062o6z4xE-c7s8iopO6NADvziiAV0@mail.gmail.com>
References: <AANLkTikF2JB2wgCgsKEnUA4Jxz9Dj-lFd6dbnBLlWI_5@mail.gmail.com> <AANLkTinscdndCmYK-18ze8P2ClafH7OS_-djX21h3AXW@mail.gmail.com> <AANLkTiltbpzsz82062o6z4xE-c7s8iopO6NADvziiAV0@mail.gmail.com>
From: Andrew Arnott <andrewarnott@gmail.com>
Date: Mon, 07 Jun 2010 08:43:23 -0700
Message-ID: <AANLkTimLfR2v3Pi06rWA401_kpDFaurwmBxoV1viukUy@mail.gmail.com>
To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] User-agent flow and pre-registered redirect_uri

Rick, ...

On Sat, Jun 5, 2010 at 12:45 PM, Rick Olson <technoweenie@gmail.com> wrote:

> How else are you preregistered with the auth server?

I don't understand the question, sorry.

> Why can't you just return the temporary code and rely on the JS or Desktop
> app to make another call to get the access token?  JSONP would work well for
> the response to JS apps.
>
Besides being less convenient for the clients, what would that accomplish?
I don't think it would improve security, if that's the objective, since the
clients still can't keep their own secrets, and it's the secret that
accompanies the follow-up request for an access token that prevents the
security problem in the other flows.

>
> On Sat, Jun 5, 2010 at 12:49 AM, Andrew Arnott <andrewarnott@gmail.com> wrote:
> > The user agent flow indicates that the redirect_uri SHOULD be preregistered
> > with the auth server for a given client.  I would like to suggest that the
> > SHOULD here be changed to MUST.  Unless I'm missing something, without a
> > preregistered redirect_uri any arbitrary client can obtain an access token
> > under the pretense of being another client, and thereby perhaps altogether
> > skip a user authorization prompt.
> >
> > As there will likely be a few popular client_id's in use, it will actually
> > make it trivially easy to obtain elevated access to private user data as a
> > rogue application.  This danger is unique to the user-agent flow because in
> > this flow the client_secret is not required to obtain the access token,
> > whereas it is for other flows.
> >
> > Thoughts?
> > --
> > Andrew Arnott
> > "I [may] not agree with what you have to say, but I'll defend to the death
> > your right to say it." - S. G. Tallentyre
> --
> Rick Olson
>
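The following is an added illustration, not code from this thread or from any OAuth implementation, of the difference Andrew is pointing at: an authorization server that treats redirect_uri pre-registration as SHOULD honours whatever redirect_uri arrives with a known client_id, while one that treats it as MUST only ever sends the user-agent-flow token fragment to a URI the client registered, compared by exact string match. The client registry, client_ids and URIs are constructed for the example; the two `authorize_*` function names and the `Decision` type are the example's own.

```python
"""Authorization-endpoint redirect_uri handling under the two readings
of the draft's pre-registration requirement (SHOULD vs MUST)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed registry (not from the thread): client_id -> the exact
# redirect URIs that client pre-registered with the authorization server.
REGISTERED_CLIENTS: Dict[str, Set[str]] = {
    "popular-photo-app": {"https://photos.example/oauth/callback"},
    "desktop-notes": {"https://notes.example/cb"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    deliver_to: Optional[str] = None  # where the token fragment would be sent


def well_formed_redirect(uri: str) -> bool:
    """Structural checks that do not depend on registration: absolute https
    URI with a host and no fragment (the access token itself is returned in
    the fragment, so the redirect_uri must not carry one)."""
    parts = urlsplit(uri)
    return parts.scheme == "https" and bool(parts.netloc) and parts.fragment == ""


def authorize_should(client_id: str, redirect_uri: str,
                     registry: Dict[str, Set[str]] = REGISTERED_CLIENTS) -> Decision:
    """Pre-registration as SHOULD: the server recognises the client_id but
    takes the redirect_uri from the request. Anyone who knows a popular
    client_id can therefore have the token delivered to a URI of their choice."""
    if client_id not in registry:
        return Decision(False, "unknown client_id")
    if not well_formed_redirect(redirect_uri):
        return Decision(False, "malformed redirect_uri")
    return Decision(True, "client_id known; redirect_uri taken from request",
                    redirect_uri)


def authorize_must(client_id: str, redirect_uri: str,
                   registry: Dict[str, Set[str]] = REGISTERED_CLIENTS) -> Decision:
    """Pre-registration as MUST: the redirect_uri must exactly equal one the
    client registered. Exact string comparison (not prefix or host matching)
    means a URI under the same host with a different path is still refused."""
    if client_id not in registry:
        return Decision(False, "unknown client_id")
    if not well_formed_redirect(redirect_uri):
        return Decision(False, "malformed redirect_uri")
    if redirect_uri not in registry[client_id]:
        return Decision(False, "redirect_uri not registered for client_id")
    return Decision(True, "exact match with registered redirect_uri", redirect_uri)


# Constructed requests: one presents a popular client_id together with a
# URI that client never registered; the other is the genuine client.
ROGUE_REQUEST = ("popular-photo-app", "https://rogue.example/collect")
GENUINE_REQUEST = ("popular-photo-app", "https://photos.example/oauth/callback")

if __name__ == "__main__":
    for label, req in (("rogue", ROGUE_REQUEST), ("genuine", GENUINE_REQUEST)):
        print(f"{label:8} SHOULD: {authorize_should(*req)}")
        print(f"{label:8} MUST:   {authorize_must(*req)}")
```

Run as a script, the SHOULD variant allows both requests and would deliver the token to `https://rogue.example/collect`, while the MUST variant allows only the genuine request. The exact-match comparison is deliberate: a server that checks only the host, or a path prefix, reopens part of the same problem.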