Open SECtim opened 8 months ago
The URIs for the redirect and authorization endpoints may contain additional query parameters that must be retained when adding more parameters: https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L860-L865 https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1118-L1121
Furthermore, query parameters must only appear once (this text appears in the description of the authorization and token endpoints, but is not explicitly mentioned for the redirection endpoint - nevertheless, the cited text already applies to all parameters defined by this spec): https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1129-L1130
This becomes a problem in (I admit, somewhat esoteric) cases where the endpoint URIs contain parameters such as `code` in a redirect URI; in that example, the AS would not be allowed to add its `code` parameter in the authorization response. But at the same time, the AS is required to do so: https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1657-L1664
I guess this is just a case of adding something like "redirect URI MUST NOT contain the parameters...".
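The conflict described in this issue, as an added example that is not part of the issue or the draft's own text: an AS-side helper that appends authorization-response parameters to a registered redirect URI while retaining the client's existing query parameters, and a registration-time check that rejects redirect URIs already carrying a parameter the AS would have to add. The set of reserved response-parameter names is an assumption for the example (`code`/`state`/`error*` from the core draft, `iss` from RFC 9207); the hostnames are constructed.

```python
"""Appending authorization-response parameters to a redirect URI.

Added example, not code from the oauth-v2-1 draft. It shows the two
requirements quoted in the issue side by side: existing query parameters in
the registered redirect URI must be retained, and no parameter may appear
more than once. A redirect URI that already carries e.g. ``code`` cannot
satisfy both, so the only clean place to reject it is at registration.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters the AS itself adds to an authorization response. Assumed list
# for this example: code/state/error* from the core draft, iss from RFC 9207.
RESPONSE_PARAMS = frozenset(
    {"code", "state", "error", "error_description", "error_uri", "iss"}
)


class RedirectUriConflict(ValueError):
    """Registered redirect URI already carries a parameter the AS must add."""


def check_registered_redirect_uri(redirect_uri: str) -> list[str]:
    """Return the reserved parameter names present in the redirect URI query.

    A non-empty result means the registration should be refused: the AS could
    later add that parameter only by dropping the client's value (violating
    "must be retained") or by sending it twice (violating "must not be
    included more than once").
    """
    query = parse_qsl(urlsplit(redirect_uri).query, keep_blank_values=True)
    return sorted({name for name, _ in query if name in RESPONSE_PARAMS})


def build_authorization_response(redirect_uri: str, params: dict[str, str]) -> str:
    """Append ``params`` to ``redirect_uri``, keeping its existing query string.

    Raises RedirectUriConflict if any name in ``params`` is already present in
    the redirect URI, and ValueError if the redirect URI has a fragment.
    """
    parts = urlsplit(redirect_uri)
    if parts.fragment:
        raise ValueError("redirect URI must not contain a fragment component")
    existing = parse_qsl(parts.query, keep_blank_values=True)
    clash = {name for name, _ in existing} & set(params)
    if clash:
        raise RedirectUriConflict(f"redirect URI already contains: {sorted(clash)}")
    # Existing client parameters first, then the AS's response parameters.
    merged = existing + list(params.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(merged), ""))


if __name__ == "__main__":
    # Constructed sample: a client that keeps a tenant marker in its redirect URI.
    ok_uri = "https://client.example/cb?tenant=acme"
    print(check_registered_redirect_uri(ok_uri))  # []
    print(build_authorization_response(ok_uri, {"code": "abc", "state": "xyz"}))

    # Constructed sample of the esoteric case from the issue.
    bad_uri = "https://client.example/cb?code=foo"
    print(check_registered_redirect_uri(bad_uri))  # ['code']
    try:
        build_authorization_response(bad_uri, {"code": "abc"})
    except RedirectUriConflict as exc:
        print("refused:", exc)
```

The registration-time check is the part that matters operationally: once such a URI is registered, every later authorization response for that client is either non-compliant or ambiguous to the client parsing it, so the cheapest defence is to never accept the URI.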
I believe this is the same as https://github.com/oauthstuff/draft-ietf-oauth-security-topics/issues/72, where did we land on language around this @danielfett?