Open SECtim opened 8 months ago
I believe this is the same as https://github.com/oauthstuff/draft-ietf-oauth-security-topics/issues/72, where did we land on language around this @danielfett?
Something like "You MUST avoid using names in the parameters registry for the endpoint in question https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#parameters"
The URIs for the redirect and authorization endpoints may contain additional query parameters that must be retained when adding more parameters: https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L860-L865 https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1118-L1121
Furthermore, query parameters must only appear once (this text appears in the description of the authorization and token endpoints, but is not explicitly mentioned for the redirection endpoint - nevertheless, the cited text already applies to all parameters defined by this spec): https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1129-L1130
This becomes a problem in (I admit, somewhat esoteric) cases where the endpoint URIs contain parameters such as `code` in a redirect URI; in that example, the AS would not be allowed to add its `code` parameter in the authorization response. But at the same time, the AS is required to do so: https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1657-L1664

I guess this is just a case of adding something like "redirect URI MUST NOT contain the parameters...".
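As an added illustration of the collision the issue describes (example code written for this thread, not part of the draft or any AS implementation): an authorization server that validates a registered redirect URI against the two rules quoted above (existing query parameters are retained, each name appears at most once) and rejects any URI whose query already carries a name the AS must add to the authorization response. The set of reserved names is an assumed subset of the IANA registry linked in the thread, the fragment check comes from RFC 6749 section 3.1.2 rather than from this issue, and the URIs are constructed sample values.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed subset of authorization-response parameter names from the IANA
# OAuth Parameters registry; a real AS would load the full registry.
RESERVED_RESPONSE_PARAMS = {"code", "state", "error", "error_description", "error_uri", "iss"}


def validate_redirect_uri(uri):
    """Return a list of problems with a redirect URI (empty if acceptable).

    Checks: no fragment (RFC 6749 3.1.2), every query parameter appears at
    most once, and no parameter name collides with one the AS will add when
    it builds the authorization response.
    """
    parts = urlsplit(uri)
    problems = []
    if parts.fragment:
        problems.append("fragment component not allowed in a redirect URI")
    seen = set()
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name in seen:
            problems.append(f"duplicate query parameter {name!r}")
        seen.add(name)
    for name in sorted(seen & RESERVED_RESPONSE_PARAMS):
        problems.append(f"query parameter {name!r} collides with an authorization response parameter")
    return problems


def build_authorization_response(redirect_uri, response_params):
    """Append the AS's response parameters to the registered redirect URI.

    The client's own query parameters are kept in place; the response
    parameters are appended after them. Raises ValueError instead of
    producing a URI in which a name would appear twice.
    """
    problems = validate_redirect_uri(redirect_uri)
    if problems:
        raise ValueError("; ".join(problems))
    parts = urlsplit(redirect_uri)
    merged = parse_qsl(parts.query, keep_blank_values=True) + list(response_params.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(merged), ""))


if __name__ == "__main__":
    # Constructed sample: a client-specific parameter that must be retained.
    print(build_authorization_response(
        "https://client.example/cb?tenant=acme", {"code": "abc123", "state": "xyz"}))
    # Constructed sample reproducing the issue: the redirect URI already carries `code`.
    print(validate_redirect_uri("https://client.example/cb?code=preset"))
```

Rejecting the colliding URI at client registration time is the practical mitigation: once such a URI is registered, the AS has no valid way to satisfy both rules at redirect time.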