remotestorage / spec

remoteStorage Protocol Specification
https://tools.ietf.org/html/draft-dejong-remotestorage

Value of client_id MUST be equal to origin of the redirect_uri? #143

Closed michielbdejong closed 8 years ago

michielbdejong commented 8 years ago

Continuation of 'PS:' remark from https://github.com/remotestorage/spec/pull/141#issuecomment-165902749

I would say 'SHOULD' not 'MUST', since you might want to ignore the rule if you implement a server for your own localhost use without this restriction.

Also, I would rephrase it from the server's perspective, so 'the server SHOULD reject OAuth requests where the client_id is not equal to the origin of the redirect_uri'.
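The check as phrased above from the server's side, as an added example (not code from the spec or from any remoteStorage server): the origin normalisation rules (lower-cased scheme and host, default port dropped), the function names and the sample URLs are my assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> Optional[str]:
    """Return the origin (scheme://host[:port]) of an absolute http(s) URL.

    Scheme and host are lower-cased and a default port is dropped, so the
    same origin always yields the same string. Returns None when the URL has
    no http(s) scheme, no host, or a non-numeric port.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    host = parts.hostname  # already lower-cased; userinfo is NOT part of it
    if ":" in host:  # IPv6 literal: put the brackets back
        host = f"[{host}]"
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def client_id_matches_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Server-side rule from the thread: accept the OAuth request only when
    client_id is exactly the origin of redirect_uri.

    client_id must be a bare origin (no path, query or fragment), so
    'https://app.example/' is rejected while 'HTTPS://App.Example:443' and
    'https://app.example' both match a redirect_uri under that origin.
    A redirect_uri such as 'https://app.example@evil.test/cb' resolves to
    the origin of evil.test and is therefore rejected as well.
    """
    parts = urlsplit(client_id)
    if parts.path or parts.query or parts.fragment:
        return False
    client_origin = origin_of(client_id)
    redirect_origin = origin_of(redirect_uri)
    if client_origin is None or redirect_origin is None:
        return False
    return client_origin == redirect_origin
```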

untitaker commented 8 years ago

I'd opt for MUST, since it is a security-related matter.

The OAuth RFC also uses MUST for those kinds of things, which are conveniently ignored in dev:

The authorization server MUST require the use of TLS as described in Section 1.6 when sending requests using password authentication.

But I don't see how ignoring the relation between client_id and redirect_uri would be useful in any way in development?

Also, I would rephrase it from the server's perspective

:+1:

untitaker commented 8 years ago

Bump, I think this is eligible for 07