[OAUTH-WG] Issue 16, revised Redirection URI section (3.1.2)
"The authorization server redirects the user-agent to the client's redirection URI previously established with the authorization server during the client registration process."

Conflicts with section 3.1.2.3, which allows passing a redirect_uri via URI query parameter.

3.1.2.1 Endpoint Confidentiality

What does "endpoint" confidentiality mean? Which endpoint does this text refer to? The client's redirect_uri endpoint?

The text, in my opinion, covers two different scenarios:
- first paragraph: confidentiality of access tokens and authz codes in transit.
- second paragraph/last sentence: man-in-the-middle attacks

Those attacks are also covered in sections 10.5 and 10.8.

3.1.2.5. Endpoint Content

As this section discusses security aspects of the client's implementation of the redirect_uri page, shouldn't this go to the security considerations section?

regards,
Torsten.

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
Re: [OAUTH-WG] Issue 16, revised Redirection URI section (3.1.2)
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Torsten Lodderstedt
> Sent: Wednesday, July 20, 2011 2:15 PM
>
> "The authorization server redirects the user-agent to the
> client's redirection URI previously established with the
> authorization server during the client registration process."
>
> Conflicts with section 3.1.2.3, which allows passing a redirect_uri via URI
> query parameter.

Added 'or when initiating the authorization request'

> 3.1.2.1 Endpoint Confidentiality
>
> What does "endpoint" confidentiality mean? Which endpoint does this text
> refer to? The client's redirect_uri endpoint?

This is a sub-section of the Redirection URI endpoint.

> 3.1.2.5. Endpoint Content
>
> As this section discusses security aspects of the client's implementation of
> the redirect_uri page, shouldn't this go to the security considerations
> section?

I think it is important enough to appear earlier. It is part of my effort to integrate concrete normative language from the security sections up to the protocol sections.

EHL
Re: [OAUTH-WG] Issue 16, revised Redirection URI section (3.1.2)
Hi Eran,

On 25.07.2011 03:28, Eran Hammer-Lahav wrote:
>> -Original Message-
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>> Of Torsten Lodderstedt
>> Sent: Wednesday, July 20, 2011 2:15 PM
>>
>> "The authorization server redirects the user-agent to the
>> client's redirection URI previously established with the
>> authorization server during the client registration process."
>>
>> Conflicts with section 3.1.2.3, which allows passing a redirect_uri via URI
>> query parameter.
>
> Added 'or when initiating the authorization request'
>
>> 3.1.2.1 Endpoint Confidentiality
>>
>> What does "endpoint" confidentiality mean? Which endpoint does this text
>> refer to? The client's redirect_uri endpoint?
>
> This is a sub-section of the Redirection URI endpoint.

ok, but how can an endpoint be confidential?

>> 3.1.2.5. Endpoint Content
>>
>> As this section discusses security aspects of the client's implementation of
>> the redirect_uri page, shouldn't this go to the security considerations
>> section?
>
> I think it is important enough to appear earlier. It is part of my effort to
> integrate concrete normative language from the security sections up to the
> protocol sections.

Understood and in support of this approach. Wouldn't this mean removing some text from section 10 in order to prevent redundancies?

Regarding this particular section: I think the two different issues (transport security and endpoint authenticity) should be presented separately.

regards,
Torsten.

> EHL
Re: [OAUTH-WG] Issue 16, revised Redirection URI section (3.1.2)
> -Original Message-
> From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
> Sent: Monday, July 25, 2011 7:19 AM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Issue 16, revised Redirection URI section (3.1.2)
>
> Hi Eran,
>
> Am 25.07.2011 03:28, schrieb Eran Hammer-Lahav:
> >
> >> -Original Message-
> >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On
> >> Behalf Of Torsten Lodderstedt
> >> Sent: Wednesday, July 20, 2011 2:15 PM
> >>
> >> "The authorization server redirects the user-agent to the
> >> client's redirection URI previously established with the
> >> authorization server during the client registration process."
> >>
> >> Conflicts with section 3.1.2.3, which allows passing a redirect_uri
> >> via URI query parameter.
> > Added 'or when initiating the authorization request'
> >
> >> 3.1.2.1 Endpoint Confidentiality
> >>
> >> What does "endpoint" confidentiality mean? Which endpoint does this
> >> text refer to? The client's redirect_uri endpoint?
> > This is a sub-section of the Redirection URI endpoint.
>
> ok, but how can an endpoint be confidential?

Good point. I'll change it to 'Endpoint Request Confidentiality'.

> >> 3.1.2.5. Endpoint Content
> >>
> >> As this section discusses security aspects of the client's
> >> implementation of the redirect_uri page, shouldn't this go to the
> >> security considerations section?
> > I think it is important enough to appear earlier. It is part of my effort to
> > integrate concrete normative language from the security sections up to the
> > protocol sections.
>
> Understood and in support of this approach. Wouldn't this mean removing
> some text from section 10 in order to prevent redundancies?

Which text? Duplication of security text is fine as long as it is consistent.

> Regarding this particular section: I think the two different issues (transport
> security and endpoint authenticity) should be presented separately.

Which section?

EHL
Re: [OAUTH-WG] Issue 16, revised Redirection URI section (3.1.2)
Hi Eran,

>> Regarding this particular section: I think the two different issues
>> (transport security and endpoint authenticity) should be presented
>> separately.
>
> Which section?

3.1.2.1.

regards,
Torsten.

> EHL
Re: [OAUTH-WG] Issue 16, revised Redirection URI section (3.1.2)
Since these issues are covered in the security section, I think it is enough to simply stress the importance of using TLS for the redirection endpoint and leave the more detailed analysis for later in the document. But if you want to propose new text, I'm open to it.

EHL

> -Original Message-
> From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
> Sent: Monday, July 25, 2011 10:27 AM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Issue 16, revised Redirection URI section (3.1.2)
>
> Hi Eran,
>
> >> Regarding this particular section: I think the two different issues
> >> (transport security and endpoint authenticity) should be presented
> >> separately.
> > Which section?
>
> 3.1.2.1.
>
> regards,
> Torsten.
>
> > EHL
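The two points the thread keeps returning to, a redirect URI "previously established ... during the client registration process or when initiating the authorization request" (the wording added in reply to the first message), and the reminder that the redirection endpoint should use TLS, are what an authorization server actually has to enforce when it decides where to send the user-agent. The following is an added example written for this page, not code from the thread, the working group or any draft. It assumes an authorization server that stores a list of redirect URIs per client_id from registration, that the client may also send redirect_uri on the authorization request, and that the registered URIs are stored in the same decoded form `parse_qs` produces. Two policy choices are this example's own rather than the draft's normative text: the request-time redirect_uri must match a registered URI exactly (no prefix or substring matching), and registration rejects any non-https URI outright.

```python
"""Redirection URI validation at an OAuth 2.0 authorization server.

Added example for this page; not code from the OAuth WG thread or any draft.
Assumptions: the AS keeps per-client lists of registered redirect URIs,
stored in the same percent-decoded form that parse_qs yields for the request.
Policy choices that are this example's own: exact string matching against
the registered set, and registration refuses anything that is not https.
"""
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


class RedirectUriError(ValueError):
    """The request must be rejected without redirecting the user-agent.

    Redirecting to an unvalidated URI would hand the authorization code or
    access token to whoever controls that URI, so the AS shows an error to
    the resource owner instead of issuing a redirect.
    """


def validate_registered_uri(uri: str) -> str:
    """Check one redirect URI at client registration time and return it."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        # The thread's point: the redirection endpoint must be reachable
        # over TLS, or the code/token leaks in transit to a network attacker.
        raise RedirectUriError(f"redirect URI must use https: {uri}")
    if not parts.netloc:
        raise RedirectUriError(f"redirect URI must be absolute: {uri}")
    if parts.fragment or uri.endswith("#"):
        # Fragments are never sent to the server and would corrupt the
        # fragment the AS itself appends for the implicit flow.
        raise RedirectUriError(f"redirect URI must not carry a fragment: {uri}")
    return uri


def resolve_redirect_uri(registered: List[str], requested: Optional[str]) -> str:
    """Decide which redirect URI the AS will send the user-agent to.

    registered: URIs established at client registration.
    requested:  the redirect_uri parameter of the authorization request, if any.
    """
    if requested is None:
        # Only safe to fall back on the registered value when it is unambiguous.
        if len(registered) == 1:
            return registered[0]
        raise RedirectUriError(
            f"redirect_uri is required: client has {len(registered)} registered URIs"
        )
    # Exact comparison. Prefix matching would accept values such as
    # https://client.example/cb/../attacker or an open-redirect query
    # parameter appended to the registered path.
    if requested not in registered:
        raise RedirectUriError(f"redirect_uri not registered for client: {requested}")
    return requested


def resolve_from_query(query: str, clients: Dict[str, List[str]]) -> str:
    """Apply the checks to the raw query string of an authorization request."""
    params = parse_qs(query, keep_blank_values=True)
    client_id = params.get("client_id", [""])[0]
    if client_id not in clients:
        raise RedirectUriError("unknown client_id")
    redirect = params.get("redirect_uri")
    if redirect is not None and len(redirect) != 1:
        # A repeated parameter is ambiguous; different parsers pick different copies.
        raise RedirectUriError("redirect_uri must appear at most once")
    return resolve_redirect_uri(clients[client_id], redirect[0] if redirect else None)


def rejects(func, *args) -> bool:
    """True if func(*args) raises RedirectUriError; used by the demo below."""
    try:
        func(*args)
    except RedirectUriError:
        return True
    return False


if __name__ == "__main__":
    # Constructed client registry for the demo; the identifiers are made up.
    clients = {"client-a": [validate_registered_uri("https://client.example/cb")]}
    good = "response_type=code&client_id=client-a&redirect_uri=https%3A%2F%2Fclient.example%2Fcb"
    print("resolved:", resolve_from_query(good, clients))
    for bad in (
        "response_type=code&client_id=client-a&redirect_uri=https%3A%2F%2Fclient.example%2Fcb%2F..%2Fevil",
        "response_type=code&client_id=client-a&redirect_uri=https%3A%2F%2Fclient.example.evil%2Fcb",
    ):
        print("rejected:", rejects(resolve_from_query, bad, clients))
```

Note that `resolve_from_query` compares the percent-decoded value, so the registry must hold URIs in decoded form too; storing them raw would make `https://client.example/cb` and `https%3A%2F%2Fclient.example%2Fcb` compare unequal and break legitimate clients while not buying any extra safety.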