New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Redirect URI is ambiguous in claims gathering flow #144
Comments
As a note, this is not really 1.0 errata as it would require extension of the OAuth client model in a potentially incompatible fashion. |
* issue_144: Suggestion for #144 Conflicts: draft-uma-core-v1_0_1.xml
Proposed, discussed, and reviewed in UMA telecon 2015-08-27 (though the WG definitely needs to review closely over the next week). We can close this, presuming Maciej has already implemented amendments made on the call. |
In §3.6.2.2, the reference to
Also I would say it MUST (not SHOULD) require registration otherwise it's an open redirector. |
Same notes for later text in the section talking about "redirection URI", they should all be "claims redirection URI" to be disambiguated from the normal redirection URI. |
Additional new text needed in §7.1, with particular mention that claims_redirect_uris is distinct from redirect_uris. |
Added @jricher ’s suggested wording to the claims redirect passages, and added “claims” to “redirection URI” everywhere. Didn’t change “SHOULD require all clients to register” into a MUST yet because OAuth has SHOULD; need to discuss.
In UMA ad hoc telecon 2015-09-08 (which had quorum), this was the discussion and conclusion: "The changes would, we feel, convince a quick reader used to OAuth spec reading that this redirection URI is something distinct!" We'll keep the change and close the issue. |
§3.4.1.2.2 details using a user redirection as a means of claims gathering. It uses the
redirect_uri
parameter to direct the user back to the client, and it says that this value "must match" something, but it doesn't define clearly enough what it must match. If this is intended to be theredirect_uri
defined in the OAuth client model, then this conflates processing responses from the authorization endpoint and responses from the remote RQP claims gathering endpoint. This is not likely the desired behavior, and the spec should specify a separate field from the client model. The best way to do this would be to extend the model as defined in the OAuth Dynamic Client Registration document, perhapsclaims_redirect_uri
.The current text:
The text was updated successfully, but these errors were encountered: