Re: [OAUTH-WG] Issue: state in web server flow
Marius Scurtescu <mscurtescu@google.com> Mon, 19 April 2010 17:24 UTC
Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9E4883A6A37 for <oauth@core3.amsl.com>; Mon, 19 Apr 2010 10:24:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.721
X-Spam-Level:
X-Spam-Status: No, score=-101.721 tagged_above=-999 required=5 tests=[AWL=0.256, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uAAm3kf4+J1D for <oauth@core3.amsl.com>; Mon, 19 Apr 2010 10:24:55 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 486923A6B28 for <oauth@ietf.org>; Mon, 19 Apr 2010 10:18:13 -0700 (PDT)
Received: from wpaz33.hot.corp.google.com (wpaz33.hot.corp.google.com [172.24.198.97]) by smtp-out.google.com with ESMTP id o3JHI2IF005397 for <oauth@ietf.org>; Mon, 19 Apr 2010 19:18:03 +0200
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1271697483; bh=OqZWwer75Uo4HYY97J5g8Gz4VpI=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type:Content-Transfer-Encoding; b=Pmac8KXHpn2hY0SzK9viUD941bB+sofycqP5yc83V4i0cGWykBbnezDPObbPgK2pB rGObwUcX5YuIiSxdjySnw==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:content-transfer-encoding:x-system-of-record; b=c4rlrzbOJ6hElTJ/9ga5dlqpQt2QEGlpOVT7+WCgmHxBFvufsZ41IWQiWdKb9gHTP 1MFwBIzks6bBT76loylVA==
Received: from pwi2 (pwi2.prod.google.com [10.241.219.2]) by wpaz33.hot.corp.google.com with ESMTP id o3JHI1Ts006075 for <oauth@ietf.org>; Mon, 19 Apr 2010 10:18:01 -0700
Received: by pwi2 with SMTP id 2so3375676pwi.28 for <oauth@ietf.org>; Mon, 19 Apr 2010 10:18:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.141.107.2 with HTTP; Mon, 19 Apr 2010 10:17:38 -0700 (PDT)
In-Reply-To: <4776FFF7-45E6-4945-9548-382A9DB84A95@gmail.com>
References: <1E39CE38-763E-4E3D-96D4-DC757BD53B9D@gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E30A379E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4776FFF7-45E6-4945-9548-382A9DB84A95@gmail.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Mon, 19 Apr 2010 10:17:38 -0700
Received: by 10.141.107.19 with SMTP id j19mr4495054rvm.90.1271697479990; Mon, 19 Apr 2010 10:17:59 -0700 (PDT)
Message-ID: <r2v74caaad21004191017id7c48d54lc5ced6e9e164591e@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Issue: state in web server flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2010 17:24:55 -0000
On Sun, Apr 18, 2010 at 10:36 PM, Dick Hardt <dick.hardt@gmail.com> wrote: > > On 2010-04-18, at 10:28 PM, Eran Hammer-Lahav wrote: > >> >> >>> -----Original Message----- >>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf >>> Of Dick Hardt >>> Sent: Sunday, April 18, 2010 9:20 PM >>> To: OAuth WG >>> Subject: [OAUTH-WG] Issue: state in web server flow >>> >>> Why was the state parameter removed from the web server flow? >> >> I didn't want to both define a state parameter *and* allow for any other client-specific parameters in redirection URIs. Because people made the point that *any* client-specific parameters are required, I proposed to drop the state parameter. After all, servers MUST send back whatever URI they receive regardless of it being encoded into a state parameter. >> >>> Some AS may require the entire redirect URI to be registered, so the state >>> parameter allows a client to maintain state across calls. >> >> I agree that this is useful, but it only makes the spec better if we make its use more restrictive. Defining it makes it easier for servers to validate the redirection URI, but only if the client is not allowed using other client-specific query parameters with it. > > Agreed > >> >> If people feel strongly about putting it back, I suggest we only allow it with callbacks without any query component as that is the only combination it adds value. > > Agreed I don't think it is possible to enforce callbacks without any query parameters. See the Drupal example. What we can enforce is that the registered callback and the actual callback have the exact same query parameters. Marius
- [OAUTH-WG] Issue: state in web server flow Dick Hardt
- Re: [OAUTH-WG] Issue: state in web server flow Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: state in web server flow Dick Hardt
- Re: [OAUTH-WG] Issue: state in web server flow Evan Gilbert
- Re: [OAUTH-WG] Issue: state in web server flow Marius Scurtescu
- Re: [OAUTH-WG] Issue: state in web server flow Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: state in web server flow Marius Scurtescu
- Re: [OAUTH-WG] Issue: state in web server flow Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: state in web server flow Marius Scurtescu