This is where limiting variations to a client state parameter helps, but consensus was that we cannot limit clients not to use local query parameters outside the state.
The problem with giving specific guidance is that it can open security holes. For example, not checking the value of a query parameter can turn the callback into an open redirector. On the other hand, limiting the sub-domain can make scalability harder. Care to propose text? EHL > -----Original Message----- > From: [email protected] [mailto:[email protected]] On Behalf > Of Dick Hardt > Sent: Sunday, April 18, 2010 9:22 PM > To: OAuth WG > Subject: [OAUTH-WG] Clarification: authorization server matching of redirect > URI > > Some AS will match part of the URI to what was registered, some require > everything up to the start of a query. The spec needs to clarify how much of > the URI needs to be matched, or state it is AS specified. > > -- Dick > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
