> -----Original Message-----
> From: Brian Eaton [mailto:[email protected]]
> Sent: Monday, April 19, 2010 8:37 AM
> To: Dick Hardt
> Cc: Eran Hammer-Lahav; OAuth WG
> Subject: Re: [OAUTH-WG] Clarification: authorization server matching of
> redirect URI
> 
> On Sun, Apr 18, 2010 at 10:35 PM, Dick Hardt <[email protected]> wrote:
> > The spec should describe how the redirect URI is verified to what is
> registered. I can enumerate the options for discussion adding in the state
> parameter as an option.
> 
> Note that there are two spots where the AS does some URI matching.
> 
> The first is before redirecting the user to the callback URI.  This seems
> doomed to being service provider specific, unfortunately.

I agree. If someone wants to suggest some security consideration text that 
would be good.

> The second is when exchanging the verification code for the refresh token
> and access token.  This can always be a string equality match.

It should be a case-sensitive string comparison with the value provided by the 
client in the first step.

EHL
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to