Re: [OAUTH-WG] redircet_uri matching algorithm

David Waite <david@alkaline-solutions.com> Wed, 20 May 2015 17:38 UTC

Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2100\))
From: David Waite <david@alkaline-solutions.com>
In-Reply-To: <46886BA8-B8E1-494F-9F5D-4DB6AE0BEB99@paroga.com>
Date: Wed, 20 May 2015 11:37:33 -0600
Content-Transfer-Encoding: quoted-printable
Message-Id: <4D918E17-C0B6-425F-9A1C-F54DC83F730A@alkaline-solutions.com>
References: <46886BA8-B8E1-494F-9F5D-4DB6AE0BEB99@paroga.com>
To: Patrick Gansterer <paroga@paroga.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/omRg5kT6nY0atjITtf6xUG7ItkI>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] redircet_uri matching algorithm
Precedence: list

> On May 16, 2015, at 1:43 AM, Patrick Gansterer <paroga@paroga.com> wrote:
> 
> "OAuth 2.0 Dynamic Client Registration Protocol” [1] is nearly finished and provides the possibility to register additional “Client Metadata”.
> 
> OAuth 2.0 does not define any matching algorithm for the redirect_uris. The latest information on that topic I could find is [1], which is 5 years old. Is there any more recent discussion about it?
> 
> I’d suggest to add an OPTIONAL “redirect_uris_matching_method” client metadata. Possible valid values could be:
> * “exact”: The “redirect_uri" provided in a redirect-based flow must match exactly one of of the provided strings in the “redirect_uris” array.
> * “prefix”: The "redirect_uri" must begin with one of the “redirect_uris”. (e.g. "http://example.com/path/subpath” would be valid with [“http://example.com/path/“, “http://example.com/otherpath/”])
> * “regex”: The provided “redirect_uris” are threatened as regular expressions, which the “redirect_uri” will be matched against. (e.g. “http://subdomain.example.com/path5/“ would be valid with [“^http:\\/\\/[a-z]+\\.example\\.com\\/path\\d+\\/“]

I don’t know if this is appropriate. For example, If a server is unwilling to support arbitrary regex matching, how would a client which required this be able to register dynamically? Or conversely: if a client did not require regex matching, why would they request this from a server?

If a client requests regex or prefix, it was built to rely on these to work. If some set of servers choose not to support regex or prefix for scope or security reasons, this hurts interoperability from the perspective of dynamic registration. And we already have a workaround - instead make your client rely on the state parameter.

A client doing code or implicit should specify exact return URLs in their registration, and if they need to send the user someplace else after authentication it should be represented to the client by their state param.

> If not defined the server can choose any supported method, so we do not break existing implementations. On the other side it allows an client to make sure that a server supports a specific matching algorithm required by the client. ATM a client has no possibility to know how a server handles the redirect_uris.

The clients should be more than reasonably safe in assuming exact matching works. If the server won’t support exact matching on the redirect_uris supplied it should fail registration.

-DW

[OAUTH-WG] redircet_uri matching algorithm Patrick Gansterer
Re: [OAUTH-WG] redircet_uri matching algorithm David Waite
Re: [OAUTH-WG] redircet_uri matching algorithm Bill Burke
Re: [OAUTH-WG] redircet_uri matching algorithm Justin Richer
Re: [OAUTH-WG] redircet_uri matching algorithm John Bradley
Re: [OAUTH-WG] redircet_uri matching algorithm Antonio Sanso
Re: [OAUTH-WG] redircet_uri matching algorithm Mike Jones
Re: [OAUTH-WG] redircet_uri matching algorithm Bill Mills
Re: [OAUTH-WG] redircet_uri matching algorithm Pedro Igor Silva
Re: [OAUTH-WG] redircet_uri matching algorithm Donald F. Coffin
Re: [OAUTH-WG] redircet_uri matching algorithm Patrick Gansterer