We knew that was a bad practice and causes woes, so OIDC mandated exact match before the completion of OAuth. I wish we had insisted more on it. Oh, well.

On Tue, May 17, 2016 at 15:34 Antonio Sanso <[email protected]> wrote:
> hi,
>
> FWIW Facebook is not the only one here.
> Many OAuth providers do not do exact matching redirect uri validation.
> Github for example is another....
>
> regards
>
> antonio
>
> On May 10, 2016, at 10:23 AM, Daniel Fett <[email protected]> wrote:
>
> > It does not work if the AS does not check the redirect URI completely.
> > Facebook being the main example here, and I guess they won't change this
> > soon (for backwards compatibility). Adding the iss parameter won't break
> > things.
> >
> > -Daniel
> >
> > On 09.05.2016 at 05:45, Nat Sakimura wrote:
> >
> > > Hi Daniel,
> > >
> > > May I ask again why separate redirect uri would not work for mix-up?
> > > (I know, it does not work for cut-n-paste.)
> > >
> > > Thanks,
> > >
> > > Nat
> > >
> > > On Thu, 5 May 2016 at 23:28, Daniel Fett <[email protected]> wrote:
> > >
> > > > On 23.04.2016 at 13:47, Torsten Lodderstedt wrote:
> > > >
> > > > > I'm very much interested to find a solution within the OAuth realm as
> > > > > I'm not interested to either implement two solutions (for OpenId
> > > > > Connect and OAuth) or adopt an OpenId-specific solution to OAuth (use
> > > > > id tokens in the front channel). I therefore would like to see
> > > > > progress and propose to continue the discussion regarding mitigations
> > > > > for both threats.
> > > > >
> > > > > https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-00
> > > > > proposes reasonable mitigations for both attacks. There are
> > > > > alternatives as well:
> > > > > - mix up:
> > > > > -- AS specific redirect uris
> > > > > -- Meta data/turi
> > > > > (https://tools.ietf.org/html/draft-sakimura-oauth-meta-07#section-5)
> > > > > - CnP:
> > > > > -- use of the nonce parameter (as a distinct mitigation beside state
> > > > > for counter XSRF)
> > > >
> > > > From our formal analysis of OAuth we are pretty confident that the
> > > > mitigation proposed in draft-ietf-oauth-mix-up-mitigation-00 should be
> > > > sufficient against the Mix-Up attack.
> > > >
> > > > Cheers,
> > > > Daniel
> > > >
> > > > --
> > > > Information Security and Cryptography
> > > > Universität Trier - Tel. 0651 201 2847 - H436
> > >
> > > --
> > > Nat Sakimura
> > > Chairman of the Board, OpenID Foundation
> > > Trustee, Kantara Initiative
> >
> > --
> > Information Security and Cryptography
> > Universität Trier - Tel. 0651 201 2847 - H436

--
Nat Sakimura
Chairman of the Board, OpenID Foundation
Trustee, Kantara Initiative
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
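The two points argued in the thread, as an added example that is not part of the mailing list exchange: an AS-side redirect_uri check done with exact matching and with the looser prefix matching some providers use, and a client whose callback handler combines AS-specific redirect URIs with the iss parameter from draft-ietf-oauth-mix-up-mitigation-00. All hosts, paths, issuer strings and the `Client` class are constructed for illustration.

```python
# Constructed sample registration: what the client registered at AS A.
REGISTERED_EXACT = {"https://client.example/cb/as-a"}
REGISTERED_PREFIX = "https://client.example/cb/"   # looser rule some providers apply


def as_allows_exact(redirect_uri: str) -> bool:
    """Exact string comparison, as OpenID Connect requires of the AS."""
    return redirect_uri in REGISTERED_EXACT


def as_allows_prefix(redirect_uri: str) -> bool:
    """Prefix matching: accepts any URI under the registered prefix, including one
    the client dedicated to a different AS. That is why AS-specific redirect URIs
    on their own do not help when the AS does not check the URI completely."""
    return redirect_uri.startswith(REGISTERED_PREFIX)


class Client:
    """Relying party that talks to two ASes and keys each pending flow by its state."""

    REDIRECT_FOR = {  # issuer -> the redirect URI dedicated to that AS
        "https://as-a.example": "https://client.example/cb/as-a",
        "https://as-b.example": "https://client.example/cb/as-b",
    }

    def __init__(self):
        self.pending = {}  # state -> issuer the flow was started with

    def start(self, issuer: str, state: str) -> str:
        """Record which AS the flow was started with; return the redirect_uri to use."""
        self.pending[state] = issuer
        return self.REDIRECT_FOR[issuer]

    def callback(self, uri_hit: str, params: dict):
        """Return the issuer whose token endpoint may receive the code, or None to drop it."""
        issuer = self.pending.pop(params.get("state", ""), None)
        if issuer is None:
            return None                        # unknown or replayed state (XSRF check)
        if uri_hit != self.REDIRECT_FOR[issuer]:
            return None                        # response arrived at another AS's URI
        if params.get("iss") != issuer:
            return None                        # iss check from the mix-up mitigation draft
        return issuer
```

A flow started with one AS whose code arrives carrying a different iss is dropped by the last check even when the redirect URI check passes, which is the case the iss parameter covers and AS-specific redirect URIs alone do not.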
