I'd like to get a standard for redirect URI matching, but think this may not be feasible - we are leaving the callback URI registration mechanism undefined and I've heard a number of different mechanisms that companies want to support.
I think we should leave the matching undefined, possibly with a SHOULD for the most common matching mechanism (URL prefix?) I'm not hugely worried about incompatibilities between different AS on this front: 1. Clients will push us strongly towards compatible implementations. 2. Clients can always set up a redirector if needed for a specific AS (as an aside - we need a document detailing how to build a redirector properly without becoming an open redirector). On Sun, May 16, 2010 at 11:20 AM, Dick Hardt <dick.ha...@gmail.com> wrote: > > > On Tue, May 11, 2010 at 11:31 PM, Luke Shepard <lshep...@facebook.com>wrote: > >> FWIW, Facebook does not do strict equality matching on redirect_uri. We >> accept any redirect_uri that has either: >> >> - its prefix is the registered url >> - or it is a special facebook.com/xd_proxy.php url, with an origin >> parameter that has a prefix on the registered url >> >> I think that the spec should leave the matching up to the server. > > > If the matching is left to an arbitrary, server defined algorithm, we lose > interop since a client implementation may make assumptions on what may be > allowed in the redirect_uri at one AS and then not be able to work with > another AS that is more restrictive. > > As this is a security feature, I'd like to hear the options from the > security oriented participants with experience here. > > Allen / Brian? > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
