aaronpk
commented
5 months ago I believe this is the same as https://github.com/oauthstuff/draft-ietf-oauth-security-topics/issues/72, where did we land on language around this @danielfett?
Open SECtim opened 8 months ago
aaronpk
commented
5 months ago I believe this is the same as https://github.com/oauthstuff/draft-ietf-oauth-security-topics/issues/72, where did we land on language around this @danielfett?
The URIs for the redirect and authorization endpoints may contain additional query parameters that must be retained when adding more parameters: https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L860-L865 https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1118-L1121
Furthermore, query parameters must only appear once (this text appears in the description of the authorization and token endpoints, but is not explicitly mentioned for the redirection endpoint - nevertheless, the cited text already applies to all parameters defined by this spec): https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1129-L1130
This becomes a problem in (I admit, somewhat esoteric) cases where the endpoint URIs contain parameters such as
codein a redirect URI, in that example, the AS would not be allowed to add itscodeparameter in the authorization response. But at the same time, the AS is required to do so: https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1657-L1664I guess this is just a case of adding something like "redirect URI MUST NOT contain the parameters...".