On Sun, May 16, 2010 at 11:20 AM, Dick Hardt <dick.ha...@gmail.com> wrote: > If the matching is left to an arbitrary, server defined algorithm, we lose > interop since a client implementation may make assumptions on what may be > allowed in the redirect_uri at one AS and then not be able to work with > another AS that is more restrictive. > As this is a security feature, I'd like to hear the options from the > security oriented participants with experience here. > Allen / Brian?
We can do a session at IIW on this if people want. There are a few different use-cases to consider: - installed applications using the js profile or the web app profile It doesn't matter what you do, you can't authenticate the installed application. My recommendation here is to do something like what we've done with OAuth for installed apps [1]. - registered web apps with a secure client-secret You can allow *any* callback URL on the redirect. The callback URL is authenticated using the client-secret. We should all do strict equality matching when exchanging the verification code for refresh token and access token. - js profile, or web app profile where you don't completely trust the registration or the security of the client-secret We've got lots of service-provider specific behavior here. Unfortunately most service providers don't seem to be willing to change (or in some cases even document) what they are doing. So we're doomed unless we can get consensus from service providers that there needs to be consensus. =) Logic I've seen includes: - regular expressions - any callback URL on the fully-qualified hostname - any callback URL on a domain name. - fixed callback URL path, arbitrary callback URL query - fixed callback URL path, fixed callback URL query, one query parameter (wrap_state, or whatever we called it =) allowed to vary - any callback URL path under a particular directory I tried to summarize the risks in the security considerations I wrote up a few weeks ago. Check out the section on "Authentication Techniques" and "Web App Delegation Profile - Security Considerations". Cheers, Brian [1] http://code.google.com/apis/accounts/docs/OAuthForInstalledApps.html [2] http://trac.tools.ietf.org/wg/oauth/trac/wiki/SecurityConsiderations _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
