The spec should describe how the redirect URI is verified to what is registered. I can enumerate the options for discussion adding in the state parameter as an option.
On 2010-04-18, at 10:16 PM, Eran Hammer-Lahav wrote: > This is where limiting variations to a client state parameter helps, but > consensus was that we cannot limit clients not to use local query parameters > outside the state. > > The problem with giving specific guidance is that it can open security holes. > For example, not checking the value of a query parameter can turn the > callback into an open redirector. On the other hand, limiting the sub-domain > can make scalability harder. > > Care to propose text? > > EHL > >> -----Original Message----- >> From: [email protected] [mailto:[email protected]] On Behalf >> Of Dick Hardt >> Sent: Sunday, April 18, 2010 9:22 PM >> To: OAuth WG >> Subject: [OAUTH-WG] Clarification: authorization server matching of redirect >> URI >> >> Some AS will match part of the URI to what was registered, some require >> everything up to the start of a query. The spec needs to clarify how much of >> the URI needs to be matched, or state it is AS specified. >> >> -- Dick >> _______________________________________________ >> OAuth mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
