Re: [OAUTH-WG] Clarification: authorization server matching of redirect URI

Brian Eaton <beaton@google.com> Mon, 19 April 2010 15:57 UTC

From: Brian Eaton <beaton@google.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: OAuth WG <oauth@ietf.org>

On Sun, Apr 18, 2010 at 10:35 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
> The spec should describe how the redirect URI is verified to what is registered. I can enumerate the options for discussion adding in the state parameter as an option.

Note that there are two spots where the AS does some URI matching.

The first is before redirecting the user to the callback URI.  This
seems doomed to being service provider specific, unfortunately.

The second is when exchanging the verification code for the refresh
token and access token.  This can always be a string equality match.

Cheers,
Brian
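The two matching points described in the message above, sketched as an added example (this is editor-supplied code, not code from the message author, Google, or the OAuth WG). The class and function names (AuthorizationServer, authorize, exchange_code, rejects) and the exact-string-match policy at the authorization endpoint are assumptions of the example; the message only says that first check is provider-specific, while the second check is always plain string equality.

```python
"""
Two places an OAuth authorization server (AS) compares redirect URIs.

Added example, not code from the original message or any real AS.
All names below are hypothetical.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class Client:
    client_id: str
    registered_redirect_uris: tuple  # URIs given at client registration


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str  # the exact value accepted at the authorization endpoint
    used: bool = False


def exact_match(candidate: str, registered: tuple) -> bool:
    """Matching policy for the authorization endpoint (assumption: exact match).

    The message notes this check is provider-specific. Looser policies
    (prefix or host-only matching) widen the set of URIs the AS will send
    the user to, so exact string match is the conservative default here.
    """
    return any(candidate == uri for uri in registered)


class AuthorizationServer:
    def __init__(self, match_policy=exact_match):
        self.clients: dict = {}
        self.codes: dict = {}
        self.match_policy = match_policy

    def register_client(self, client_id: str, redirect_uris: list) -> None:
        self.clients[client_id] = Client(client_id, tuple(redirect_uris))

    # Check 1: before redirecting the user agent to the callback URI.
    def authorize(self, client_id: str, redirect_uri: str) -> str:
        client = self.clients.get(client_id)
        if client is None:
            raise ValueError("unknown client_id")
        if not self.match_policy(redirect_uri, client.registered_redirect_uris):
            # Never redirect to an unverified URI; the AS should render an
            # error page itself rather than bounce the user anywhere.
            raise ValueError("redirect_uri does not match a registered URI")
        code = secrets.token_urlsafe(32)
        # Record the exact redirect_uri the code was issued against.
        self.codes[code] = IssuedCode(client_id, redirect_uri)
        return code

    # Check 2: when exchanging the code for refresh and access tokens.
    # This is always a plain string-equality comparison against the
    # redirect_uri stored with the code; no URI parsing or normalization.
    def exchange_code(self, client_id: str, code: str, redirect_uri: str) -> dict:
        issued = self.codes.get(code)
        if issued is None or issued.used:
            raise ValueError("invalid or already-used code")
        if issued.client_id != client_id:
            raise ValueError("code was not issued to this client")
        if not secrets.compare_digest(
            issued.redirect_uri.encode("utf-8"), redirect_uri.encode("utf-8")
        ):
            raise ValueError("redirect_uri differs from the one used at authorization")
        issued.used = True  # codes are single-use
        return {
            "access_token": secrets.token_urlsafe(32),
            "refresh_token": secrets.token_urlsafe(32),
            "token_type": "bearer",
        }


def rejects(fn, *args) -> bool:
    """True if the call is refused with ValueError (helper for checks below)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    srv = AuthorizationServer()
    srv.register_client("app", ["https://app.example/cb"])
    code = srv.authorize("app", "https://app.example/cb")
    print(srv.exchange_code("app", code, "https://app.example/cb")["token_type"])
```

The token-endpoint comparison uses compare_digest rather than `==` only out of habit for secret-adjacent comparisons; the redirect URI is not itself a secret, and the point the message makes is simply that this second check needs no provider-specific logic at all, because the AS already holds the exact string it accepted at the first check.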