Re: [OAUTH-WG] redircet_uri matching algorithm

John Bradley <> Thu, 21 May 2015 02:35 UTC

I think the correct answer is that clients should always assume exact redirect_uri matching, and servers should always enforce it.  

Anything else is asking for trouble.

If clients need to maintain some state, the correct thing to do is use the state parameter, and not append extra path or query elements to their redirect_uri.

A significant number of security problems in the wild come from servers not enforcing this.

I may be taking an excessively hard line, but partial matching is not something we should be encouraging by making easier.

I did do a draft on a way to safely use state

John B.

> On May 16, 2015, at 4:43 AM, Patrick Gansterer <> wrote:
> “OAuth 2.0 Dynamic Client Registration Protocol” [1] is nearly finished and provides the possibility to register additional “Client Metadata”.
> OAuth 2.0 does not define any matching algorithm for the redirect_uris. The latest information on that topic I could find is [1], which is 5 years old. Is there any more recent discussion about it?
> I’d suggest to add an OPTIONAL “redirect_uris_matching_method” client metadata. Possible valid values could be:
> * “exact”: The “redirect_uri” provided in a redirect-based flow must match exactly one of the provided strings in the “redirect_uris” array.
> * “prefix”: The “redirect_uri” must begin with one of the “redirect_uris”. (e.g. "” would be valid with [““, “”])
> * “regex”: The provided “redirect_uris” are treated as regular expressions, which the “redirect_uri” will be matched against. (e.g. ““ would be valid with [“^http:\\/\\/[a-z]+\\.example\\.com\\/path\\d+\\/“])
> If not defined, the server can choose any supported method, so we do not break existing implementations. On the other side it allows a client to make sure that a server supports a specific matching algorithm required by the client. ATM a client has no possibility to know how a server handles the redirect_uris.
> [1]
> [2]
> --
> Patrick Gansterer
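Added example, not part of the original message and not the draft it mentions: a server-side exact redirect_uri check beside the "prefix" method from the quoted proposal, and a client that carries its per-request data in an HMAC-protected `state` value instead of extending the redirect_uri. The host `client.example`, the function names and the state encoding are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

# Constructed sample registration; client.example is a placeholder host.
REGISTERED = ["https://client.example/cb"]

def exact_match(redirect_uri, registered=REGISTERED):
    """Server side: accept only a value identical to a registered string."""
    return redirect_uri in registered

def prefix_match(redirect_uri, registered=REGISTERED):
    """The 'prefix' method from the quoted proposal, shown for comparison only."""
    return any(redirect_uri.startswith(r) for r in registered)

def make_state(key, data):
    """Client side: put per-request data in `state`, protected by an HMAC tag."""
    payload = dict(data, nonce=secrets.token_urlsafe(16))
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def read_state(key, state):
    """Return the payload, or None if the value is malformed or was altered."""
    body, sep, tag = state.partition(".")
    good = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(tag.encode(), good.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

if __name__ == "__main__":
    # Constructed inputs: the registered value, and two values that merely
    # start with it. Only the first should ever be redirected to.
    for uri in ("https://client.example/cb",
                "https://client.example/cb?next=/inbox",
                "https://client.example/cb/../elsewhere"):
        print(f"{uri!r:45} exact={exact_match(uri)} prefix={prefix_match(uri)}")
    key = secrets.token_bytes(32)
    state = make_state(key, {"next": "/inbox"})
    print(read_state(key, state))        # payload with 'next' and a nonce
    print(read_state(key, "x" + state))  # None: tag no longer verifies
```

A production client would also tie the `state` value to the user's session so a value issued to one browser is not accepted from another.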