To add to that, should it include the words "case sensitive" (if that is
what is meant by exact)? URLs are not case sensitive in all cases, though
(IIS vs. Tomcat), which makes me think that specifying the case
sensitivity is wise.
On 5/13/20 00:50, Janak Amarasena wrote:
Hi All,
In section *4.1.3. Countermeasures
<https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-4.1.3>*
related to *4.1. Insufficient Redirect URI Validation* it states
The complexity of implementing and managing pattern matching
correctly obviously causes security issues. This document therefore
advises to simplify the required logic and configuration by using
exact redirect URI matching only. This means the authorization
server MUST compare the two URIs using simple string comparison as
defined in [RFC3986], Section 6.2.1
<https://tools.ietf.org/html/rfc3986#section-6.2.1>.
Does this mean that the authorisation server MUST NOT use pattern
matching at all and MUST do simple string comparison for the redirect URI?
If that is the case, can we change the wording a bit in this section, as
having "...therefore *advises* to simplify the required logic..."
gives the impression that the AS has the choice to decide whether or
not to use pattern matching, and then "...authorization
server *MUST* compare the two URIs using simple string..." gives the
impression that the AS should absolutely not (MUST NOT) use pattern
matching.
--
-----
Jared L Jennings
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
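Added example, not code from the draft or from anyone in this thread: an authorization-server-side redirect_uri check that does only the "simple string comparison" of RFC 3986 Section 6.2.1 (character by character, case sensitive, no normalization, no wildcards), shown beside a prefix-matching check of the kind Section 4.1.3 advises against. The client registry, client id and URIs are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Client:
    client_id: str
    redirect_uris: frozenset[str]  # stored exactly as the client registered them

# Constructed registry for the example.
REGISTRY: dict[str, Client] = {
    "app1": Client("app1", frozenset({"https://client.example/cb",
                                      "https://client.example/cb2"})),
}

def redirect_uri_allowed_exact(client: Client, presented: str) -> bool:
    """RFC 3986 6.2.1 simple string comparison: the presented value must be
    identical to a registered one. Different case, a trailing slash, an added
    query or fragment, or an extra path segment all count as a mismatch."""
    return presented in client.redirect_uris  # set membership is exact str equality

def redirect_uri_allowed_prefix(client: Client, presented: str) -> bool:
    """The pattern-matching style the draft warns about: anything that merely
    starts with a registered URI is accepted. Kept only for contrast."""
    return any(presented.startswith(r) for r in client.redirect_uris)

def validate_redirect_param(client_id: str, presented: str) -> tuple[bool, str]:
    """Authorization endpoint decision. On a mismatch the AS must not redirect
    anywhere; it should show the error to the resource owner instead."""
    client = REGISTRY.get(client_id)
    if client is None:
        return False, "unknown client_id; show error, do not redirect"
    if not redirect_uri_allowed_exact(client, presented):
        return False, "redirect_uri does not exactly match a registered value"
    return True, presented
```

Because the comparison is case sensitive, the registered string must be exactly what the client will send, which is the point Jared raises about stating case sensitivity explicitly.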