proposal/discussion: OAuth - separate requirement for redirect_uri string-match registration and handling #1965
Comments
Probably I was the first one to say that redirect_uri validation is a duplicate of general open-redirect but now I think it's important to have them as a separate requirement:
I agree here, Elar. FYI: Redirect flows (login, etc) are often less likely to be amendable to allow-list validation than OAuth flows.
Hi @csfreak92 , let's find the agreement first in the issue and do PR. Discussion over PR's its complicated to follow. We also need to think, should we have one common requirement for OAuth and OIDC or not. I prefer requirement text with the idea like:
Understood, but I just pushed my PR since it has been sitting in my local for a while and I thought better to have it out there than get lost somewhere as I have worked on it the past few months. :) Can we agree over discussion and if they are already covered in the PR then that's good and then if not or needs some modifications, then I would modify them as needed?
@elarlang, I like this text though, sorry missed it. How would a pre-registered list of allowed values be handled? Should we add a text in the chapter/section how this should be done? Also, string-match method seems like regex, right?
I don't think we need to provide guidance for OAuth Client configuration.
No, it's the opposite. string-match against pre-registered list of full values says that you should not use any regex, substring, wildcard, etc. Provided redirect_uri value must exist in the pre-registered addresses list as it is.
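As an added illustration of the string-match rule described in this comment (example code, not from the ASVS project or this thread), a check that compares the presented redirect_uri with the client's registered values exactly, shown beside the prefix and wildcard matching the rule excludes; the client id, URIs and pattern are constructed placeholders:

```python
from fnmatch import fnmatch

# Constructed registration for a hypothetical client; not taken from the thread.
REGISTERED_REDIRECT_URIS = {
    "client-123": ["https://app.example/callback"],
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """String-match validation: the presented redirect_uri must be byte-for-byte
    equal to one of the values registered for this client. No normalisation,
    no prefix, substring, regex or wildcard logic."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, [])


# The looser schemes the comment argues against, kept only to show what they accept.
def prefix_allowed(client_id: str, redirect_uri: str) -> bool:
    registered = REGISTERED_REDIRECT_URIS.get(client_id, [])
    return any(redirect_uri.startswith(r) for r in registered)


def wildcard_allowed(redirect_uri: str, pattern: str = "https://*.example/callback") -> bool:
    # A wildcard pattern an operator might register instead of full values (constructed).
    return fnmatch(redirect_uri, pattern)


def compare(client_id: str, redirect_uri: str) -> dict:
    """Verdict of each method for the same input, so the differences are visible."""
    return {
        "exact": redirect_uri_allowed(client_id, redirect_uri),
        "prefix": prefix_allowed(client_id, redirect_uri),
        "wildcard": wildcard_allowed(redirect_uri),
    }


if __name__ == "__main__":
    for uri in [
        "https://app.example/callback",           # the registered value itself
        "https://app.example/callback/../other",  # extra path appended
        "https://app.example/callback?x=1",       # extra query appended
        "https://other.example/callback",         # different host, same shape
        "https://APP.example/callback",           # case differs: not "as it is"
    ]:
        print(f"{uri:42} {compare('client-123', uri)}")
```

Only the first URI passes the exact check; the prefix and wildcard methods each accept values that were never registered.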
spin-off from #1916 "Discussion/Proposal 3"
Probably I was the first one to say that redirect_uri validation is a duplicate of general open-redirect but now I think it's important to have them as a separate requirement: redirect_uri must be validated with the string-match method, which means no "wildcard" validations. There are 2 parts:
Feedback from @tghosth in #1916 (comment)