Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
 with ESMTP id B1CBC11E80A1 for <oauth@ietfa.amsl.com>;
 Wed,  7 Mar 2012 16:22:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.526
X-Spam-Level: 
X-Spam-Status: No, score=-2.526 tagged_above=-999 required=5 tests=[AWL=0.072,
 BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eVVaqoR0zpYg for
 <oauth@ietfa.amsl.com>; Wed,  7 Mar 2012 16:22:23 -0800 (PST)
Received: from p3plex1out02.prod.phx3.secureserver.net
 (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com
 (Postfix) with SMTP id D565D11E8094 for <oauth@ietf.org>;
 Wed,  7 Mar 2012 16:22:23 -0800 (PST)
Received: (qmail 17659 invoked from network); 8 Mar 2012 00:22:23 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by
 p3plex1out02.prod.phx3.secureserver.net with SMTP; 8 Mar 2012 00:22:23 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by
 P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi;
 Wed, 7 Mar 2012 17:22:07 -0700
From: Eran Hammer <eran@hueniverse.com>
To: Andrew Arnott <andrewarnott@gmail.com>,
 "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Date: Wed, 7 Mar 2012 17:21:58 -0700
Thread-Topic: [OAUTH-WG] How an AS can validate the state parameter?
Thread-Index: AczvHDhFISNzBSQ3RAC7Me1xuWvrhQNpTaxQ
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723453AFCD407E@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <CAE358b4oLN_AFWyt=G_9AE35TH7JEv=p9GorhTNdB3-Vj1NesA@mail.gmail.com>
In-Reply-To: <CAE358b4oLN_AFWyt=G_9AE35TH7JEv=p9GorhTNdB3-Vj1NesA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: multipart/alternative;
 boundary="_000_90C41DD21FB7C64BB94121FBBC2E723453AFCD407EP3PW5EX1MB01E_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] How an AS can validate the state parameter?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>,
 <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>,
 <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2012 00:22:24 -0000

--_000_90C41DD21FB7C64BB94121FBBC2E723453AFCD407EP3PW5EX1MB01E_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Can't validate, but can sanitize.

EH

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Andrew Arnott
Sent: Sunday, February 19, 2012 7:36 AM
To: OAuth WG (oauth@ietf.org)
Subject: [OAUTH-WG] How an AS can validate the state parameter?

From section 10.14: (draft 23)
The Authorization server and client MUST validate and sanitize any value received, and in particular, the value of the state and redirect_uri parameters.

Elsewhere in the spec the AS is instructed to exactly preserve the state and to consider it an opaque value.  How then, can an AS validate and sanitize the state parameter?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

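The distinction the reply draws (the AS cannot validate state, only sanitize it) is easiest to see with both sides of the flow next to each other. The following is an added example, written for this archive page and not code from either author or from any OAuth implementation. The character-set rule it enforces is the one from the final RFC 6749 ABNF (Appendix A.5: state = 1*VSCHAR, VSCHAR = %x20-7E); the draft-23 text quoted above does not itself give that ABNF, so treat its use here as an assumption. All function names, the example redirect URI and the sample values are illustrative.

```python
"""Added example (not part of this thread): what an authorization server (AS)
can and cannot do with the OAuth 2.0 'state' parameter, beside what the
client does with it.

Assumptions, labelled as such:
  * Character-set rule from the final RFC 6749 ABNF (Appendix A.5):
    state = 1*VSCHAR, VSCHAR = %x20-7E. The draft-23 text quoted in the
    thread does not itself contain this ABNF.
  * Function names, the redirect URI and the sample values are made up.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


# --- authorization server side ---------------------------------------------

def is_valid_state(state):
    """True if 'state' is non-empty and every character is in VSCHAR (%x20-7E).

    This is the whole of what the AS can check: it does not know what the
    value means, so it can only refuse values it could not echo back intact
    (non-ASCII, control characters) or that enable header injection (CR/LF).
    """
    if not state:
        return False
    return all(0x20 <= ord(ch) <= 0x7E for ch in state)


def as_sanitize_state(state):
    """Return 'state' unchanged if it passes the character-set check, else raise.

    'Sanitize' here means accept-or-reject, never rewrite: the AS must
    preserve the value byte-for-byte for the client.
    """
    if not is_valid_state(state):
        raise ValueError("state is empty or contains characters outside VSCHAR")
    return state


def as_build_redirect(redirect_uri, code, state):
    """Build the redirect back to the client, echoing state exactly as received.

    The value is percent-encoded for the URL, but decodes to the same string
    the client sent. redirect_uri is assumed to have been validated already.
    """
    params = {"code": code}
    if state is not None:
        params["state"] = as_sanitize_state(state)
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return redirect_uri + sep + urlencode(params)


# --- client side -------------------------------------------------------------

def client_new_state():
    """Fresh unguessable value to bind to the user's session before redirecting.

    Only the client knows what this value is tied to, which is why only the
    client can validate it. token_urlsafe output is ASCII within VSCHAR.
    """
    return secrets.token_urlsafe(32)


def client_validate_callback(callback_url, expected_state):
    """True if the state in the callback matches the session-bound value.

    Missing state, missing expectation, or a mismatch all fail; the compare
    is constant-time so the check leaks nothing about the stored value.
    The client must run this before redeeming the authorization code.
    """
    qs = parse_qs(urlsplit(callback_url).query)
    returned = qs.get("state", [None])[0]
    if returned is None or expected_state is None:
        return False
    return hmac.compare_digest(returned.encode("ascii", "replace"),
                               expected_state.encode("ascii", "replace"))


if __name__ == "__main__":
    # Constructed round trip: client issues state, AS echoes it, client checks.
    state = client_new_state()
    cb = as_build_redirect("https://client.example/cb", "SplxlOBeZQQYbYS6WxSbIA", state)
    print("callback:", cb)
    print("state accepted by client:", client_validate_callback(cb, state))
    print("AS accepts CRLF in state:", is_valid_state("abc\r\nLocation: x"))
```

The split of responsibilities is the point: the AS's "sanitize" step is a character-class gate that protects its own redirect (no CR/LF, nothing it cannot reproduce), while the only real validation, binding the value to the session that started the flow and comparing on return, lives in the client, because the AS has no way to know what a given state value was supposed to be.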
--_000_90C41DD21FB7C64BB94121FBBC2E723453AFCD407EP3PW5EX1MB01E_--
