The spec should describe how the redirect URI is verified to what is 
registered. I can enumerate the options for discussion adding in the state 
parameter as an option.

On 2010-04-18, at 10:16 PM, Eran Hammer-Lahav wrote:

> This is where limiting variations to a client state parameter helps, but 
> consensus was that we cannot limit clients not to use local query parameters 
> outside the state.
> 
> The problem with giving specific guidance is that it can open security holes. 
> For example, not checking the value of a query parameter can turn the 
> callback into an open redirector. On the other hand, limiting the sub-domain 
> can make scalability harder.
> 
> Care to propose text?
> 
> EHL
> 
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf
>> Of Dick Hardt
>> Sent: Sunday, April 18, 2010 9:22 PM
>> To: OAuth WG
>> Subject: [OAUTH-WG] Clarification: authorization server matching of redirect
>> URI
>> 
>> Some AS will match part of the URI to what was registered, some require
>> everything up to the start of a query. The spec needs to clarify how much of
>> the URI needs to be matched, or state it is AS specified.
>> 
>> -- Dick
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to