oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

Handling of colliding URI query parameter names #171

Open SECtim opened 8 months ago

SECtim commented 8 months ago

The URIs for the redirect and authorization endpoints may contain additional query parameters that must be retained when adding more parameters: https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L860-L865 https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1118-L1121

Furthermore, query parameters must only appear once (this text appears in the description of the authorization and token endpoints, but is not explicitly mentioned for the redirection endpoint - nevertheless, the cited text already applies to all parameters defined by this spec): https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1129-L1130

This becomes a problem in (I admit, somewhat esoteric) cases where the endpoint URIs contain parameters such as `code` in a redirect URI; in that example, the AS would not be allowed to add its `code` parameter in the authorization response. But at the same time, the AS is required to do so: https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1657-L1664

I guess this is just a case of adding something like "redirect URI MUST NOT contain the parameters...".

aaronpk commented 6 months ago

I believe this is the same as https://github.com/oauthstuff/draft-ietf-oauth-security-topics/issues/72, where did we land on language around this @danielfett?

aaronpk commented 1 day ago

Something like "You MUST avoid using names in the parameters registry for the endpoint in question https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#parameters"
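As an added example (not code from this issue or from the oauth-v2-1 draft), here is how an AS could enforce both points raised in the thread: rejecting a redirect URI whose query already carries a name reserved for the authorization response, or carries a name twice, and then appending the response parameters while retaining the client's existing query parameters as the draft requires. The reserved-name set is a constructed subset of the IANA OAuth Parameters registry that aaronpk links, not the full list.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed subset of IANA "OAuth Parameters" entries that the AS itself
# places in an authorization response; the real registry is the source of truth.
AUTHZ_RESPONSE_PARAMS = frozenset(
    {"code", "state", "error", "error_description", "error_uri", "iss"}
)


def check_redirect_uri(redirect_uri, reserved=AUTHZ_RESPONSE_PARAMS):
    """Return the query parameter names that make this redirect URI unusable.

    A name is reported if it is reserved for the authorization response (the AS
    could not add it without the parameter appearing twice) or if the client
    already repeats it. An empty list means the URI is acceptable; run this at
    client registration time so the collision never reaches a live response.
    """
    pairs = parse_qsl(urlsplit(redirect_uri).query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    problems = []
    for name in names:
        if name in problems:
            continue
        if name in reserved or names.count(name) > 1:
            problems.append(name)
    return problems


def build_authorization_response(redirect_uri, response_params):
    """Append response parameters to the redirect URI, keeping existing ones.

    Existing query parameters are retained in order, new ones are appended, and
    any name that would appear more than once raises instead of producing a
    response with a duplicated parameter.
    """
    problems = check_redirect_uri(redirect_uri, reserved=response_params.keys())
    if problems:
        raise ValueError(f"redirect URI query collides on {problems}")
    parts = urlsplit(redirect_uri)
    existing = parse_qsl(parts.query, keep_blank_values=True)
    query = urlencode(existing + list(response_params.items()))
    return parts._replace(query=query).geturl()
```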