On Tue, Nov 26, 2019 at 7:20 AM Daniel Fett <f...@danielfett.de> wrote:

> On 26.11.19 at 14:24, Karsten Meyer zu Selhausen wrote:
> > Depending on its implementation the client might simply extract all data
> > contained in the Client Information Response and use it for
> > authorizations with the specific AS.
> > We were able to confirm that one popular open-source library behaves in
> > this exact way. It stores the redirect URI contained in the Client
> > Information Response and uses it for Authorization Requests with the
> > A-AS although it differs from the redirect URI in the Client
> > Registration Request.
>
> The client uses untrusted, unverified data to make its decision on what
> redirect URI to use.
>
> Nonetheless, we should definitely mention this in the BCP!
>


RFC 7591 basically says that the AS can replace/substitute/augment any of
the client registration info and leaves it up to the client as to how to
handle differences from what was requested. There are quite a few things
that just wouldn't make sense for the AS to change and some like redirect
URI that could potentially be dangerous.  Perhaps the BCP should mention
the situation and recommend that a client not proceed if the redirect URIs
(and others?) don't align with what was requested.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
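The check the message above suggests, a client refusing to proceed when the Client Information Response does not match what it registered, as an added example that is not part of the thread or of any library the participants mention. The metadata field names are the ones defined in RFC 7591; the choice of which fields to pin beyond redirect_uris, the list of AS-assigned fields, and all URLs, client ids and secrets are assumptions or constructed sample values.

```python
"""Added example: a client-side consistency check for an RFC 7591
Client Information Response.

RFC 7591 lets the AS substitute or augment registered metadata, so a
client that simply stores whatever comes back will later send the AS's
redirect URI, not its own.  This check compares the security-relevant
fields of the response against the registration request and refuses to
adopt the response on any mismatch.
"""
import json

# Fields where any deviation from the request is treated as fatal.
# redirect_uris is the one the thread calls out; pinning the others is
# an assumption about what a cautious client would also refuse to have
# changed underneath it.
STRICT_FIELDS = ("redirect_uris", "grant_types", "response_types",
                 "token_endpoint_auth_method")

# Fields the AS legitimately assigns (RFC 7591 / 7592 names) and that
# therefore must not be reported as unexpected additions.
AS_ASSIGNED_FIELDS = {"client_id", "client_secret", "client_id_issued_at",
                      "client_secret_expires_at", "registration_access_token",
                      "registration_client_uri"}


def _as_set(value):
    """Normalise a metadata value (list or scalar) to a set for comparison."""
    if value is None:
        return set()
    if isinstance(value, (list, tuple)):
        return set(value)
    return {value}


def compare_registration(request: dict, response: dict) -> list:
    """Return human-readable mismatches between what the client registered
    and what the AS returned.  An empty list means the client may store the
    response and continue."""
    problems = []
    for field in STRICT_FIELDS:
        if field not in request:
            continue
        wanted = _as_set(request[field])
        got = _as_set(response.get(field))
        if wanted != got:
            problems.append(f"{field}: requested {sorted(wanted)}, "
                            f"AS returned {sorted(got)}")
    # Anything the AS returned that the client neither sent nor expects the
    # AS to assign is reported too, so silent augmentation is visible.
    unexpected = set(response) - set(request) - AS_ASSIGNED_FIELDS
    for field in sorted(unexpected):
        problems.append(f"{field}: not requested, AS returned {response[field]!r}")
    return problems


def accept_client_information(request: dict, response_body: str) -> dict:
    """Parse the JSON Client Information Response and return the metadata
    the client may store.  Raises ValueError instead of adopting altered
    values, which is the 'do not proceed' behaviour suggested in the thread."""
    response = json.loads(response_body)
    problems = compare_registration(request, response)
    if problems:
        raise ValueError("client registration altered by AS: " + "; ".join(problems))
    return response


# Constructed sample: what the client asked for ...
REGISTRATION_REQUEST = {
    "client_name": "Example Client",
    "redirect_uris": ["https://client.example.test/cb"],
    "grant_types": ["authorization_code"],
    "response_types": ["code"],
    "token_endpoint_auth_method": "client_secret_basic",
}

# ... a response that only adds the AS-assigned fields (constructed) ...
HONEST_RESPONSE = json.dumps({
    "client_id": "constructed-client-id",
    "client_secret": "constructed-secret",
    "client_secret_expires_at": 0,
    **REGISTRATION_REQUEST,
})

# ... and a response in which the AS returned a different redirect URI,
# the case described in the thread (the replacement URL is constructed).
SUBSTITUTED_RESPONSE = json.dumps({
    "client_id": "constructed-client-id",
    "client_secret": "constructed-secret",
    "client_secret_expires_at": 0,
    **{**REGISTRATION_REQUEST,
       "redirect_uris": ["https://other.example.test/cb"]},
})

if __name__ == "__main__":
    ok = accept_client_information(REGISTRATION_REQUEST, HONEST_RESPONSE)
    print("accepted, redirect_uris =", ok["redirect_uris"])
    try:
        accept_client_information(REGISTRATION_REQUEST, SUBSTITUTED_RESPONSE)
    except ValueError as exc:
        print("rejected:", exc)
```

The comparison is deliberately set-based and exact: a response that drops one of several registered redirect URIs, or adds one, fails just as a wholesale substitution does, and an AS that adds metadata the client never sent shows up in the report rather than being stored silently.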
