Re: [OAUTH-WG] redircet_uri matching algorithm
Pedro Igor Silva <psilva@redhat.com> Thu, 21 May 2015 20:25 UTC
Return-Path: <psilva@redhat.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95EE71A8A83 for <oauth@ietfa.amsl.com>; Thu, 21 May 2015 13:25:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.756
X-Spam-Level:
X-Spam-Status: No, score=-1.756 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OH78heOt9xJS for <oauth@ietfa.amsl.com>; Thu, 21 May 2015 13:25:55 -0700 (PDT)
Received: from mx6-phx2.redhat.com (mx6-phx2.redhat.com [209.132.183.39]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4ED781A8992 for <oauth@ietf.org>; Thu, 21 May 2015 13:25:55 -0700 (PDT)
Received: from zmail12.collab.prod.int.phx2.redhat.com (zmail12.collab.prod.int.phx2.redhat.com [10.5.83.14]) by mx6-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t4LKPoYa013725; Thu, 21 May 2015 16:25:50 -0400
Date: Thu, 21 May 2015 16:25:49 -0400
From: Pedro Igor Silva <psilva@redhat.com>
To: Antonio Sanso <asanso@adobe.com>
Message-ID: <879444027.2844650.1432239949648.JavaMail.zimbra@redhat.com>
In-Reply-To: <C92B190E-A25F-4552-8768-DD43C9F0D0C7@adobe.com>
References: <46886BA8-B8E1-494F-9F5D-4DB6AE0BEB99@paroga.com> <12863D78-C7CC-4E71-B4F6-09556B8E4F2B@ve7jtb.com> <C92B190E-A25F-4552-8768-DD43C9F0D0C7@adobe.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: [10.97.5.11]
X-Mailer: Zimbra 8.0.6_GA_5922 (ZimbraWebClient - GC43 (Linux)/8.0.6_GA_5922)
Thread-Topic: [OAUTH-WG] redircet_uri matching algorithm
Thread-Index: AQHQkxZIC64/7LlpzE6fDYtDbYo7452Ft1+AgABZ6YB9lN9i4g==
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/x9bmurOzO9jd45vpC13hugC3Uqg>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] redircet_uri matching algorithm
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 20:25:56 -0000
----- Original Message ----- > From: "Antonio Sanso" <asanso@adobe.com> > To: "John Bradley" <ve7jtb@ve7jtb.com> > Cc: oauth@ietf.org > Sent: Thursday, May 21, 2015 4:41:28 AM > Subject: Re: [OAUTH-WG] redircet_uri matching algorithm > > > On May 21, 2015, at 4:35 AM, John Bradley <ve7jtb@ve7jtb.com> wrote: > > > I think the correct answer is that clients should always assume exact > > redirect_uri matching, and servers should always enforce it. > > > > Anything else is asking for trouble. > > FWIW I completely agree with John here… > > regards > > antonio +1 > > > > > > If clients need to maintain some state the correct thing to do is use the > > state parameter, and not append extra path or query elements to there > > redirect_uri. > > > > A significant number of security problems in the wild come from servers not > > enforcing this. > > > > I may be taking an excessively hard line, but partial matching is not > > something we should be encouraging by making easier. > > > > I did do a draft on a way to safely use state > > https://tools.ietf.org/id/draft-bradley-oauth-jwt-encoded-state-04.txt > > > > John B. > > > > > >> On May 16, 2015, at 4:43 AM, Patrick Gansterer <paroga@paroga.com> wrote: > >> > >> "OAuth 2.0 Dynamic Client Registration Protocol” [1] is nearly finished > >> and provides the possibility to register additional “Client Metadata”. > >> > >> OAuth 2.0 does not define any matching algorithm for the redirect_uris. > >> The latest information on that topic I could find is [1], which is 5 > >> years old. Is there any more recent discussion about it? > >> > >> I’d suggest to add an OPTIONAL “redirect_uris_matching_method” client > >> metadata. Possible valid values could be: > >> * “exact”: The “redirect_uri" provided in a redirect-based flow must match > >> exactly one of of the provided strings in the “redirect_uris” array. > >> * “prefix”: The "redirect_uri" must begin with one of the “redirect_uris”. > >> (e.g. "http://example.com/path/subpath” would be valid with > >> [“http://example.com/path/“, “http://example.com/otherpath/”]) > >> * “regex”: The provided “redirect_uris” are threatened as regular > >> expressions, which the “redirect_uri” will be matched against. (e.g. > >> “http://subdomain.example.com/path5/“ would be valid with > >> [“^http:\\/\\/[a-z]+\\.example\\.com\\/path\\d+\\/“] > >> > >> If not defined the server can choose any supported method, so we do not > >> break existing implementations. On the other side it allows an client to > >> make sure that a server supports a specific matching algorithm required > >> by the client. ATM a client has no possibility to know how a server > >> handles the redirect_uris. > >> > >> [1] http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-29 > >> [2] http://www.ietf.org/mail-archive/web/oauth/current/msg02617.html > >> > >> -- > >> Patrick Gansterer > >> > >> _______________________________________________ > >> OAuth mailing list > >> OAuth@ietf.org > >> https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] redircet_uri matching algorithm Patrick Gansterer
- Re: [OAUTH-WG] redircet_uri matching algorithm David Waite
- Re: [OAUTH-WG] redircet_uri matching algorithm Bill Burke
- Re: [OAUTH-WG] redircet_uri matching algorithm Justin Richer
- Re: [OAUTH-WG] redircet_uri matching algorithm John Bradley
- Re: [OAUTH-WG] redircet_uri matching algorithm Antonio Sanso
- Re: [OAUTH-WG] redircet_uri matching algorithm Mike Jones
- Re: [OAUTH-WG] redircet_uri matching algorithm Bill Mills
- Re: [OAUTH-WG] redircet_uri matching algorithm Pedro Igor Silva
- Re: [OAUTH-WG] redircet_uri matching algorithm Donald F. Coffin
- Re: [OAUTH-WG] redircet_uri matching algorithm Patrick Gansterer