Re: [OAUTH-WG] Out-of-band code delivery and alternate redirect_uri schemes
Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 11 October 2012 05:15 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3740F21F86AB for <oauth@ietfa.amsl.com>; Wed, 10 Oct 2012 22:15:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.253
X-Spam-Level:
X-Spam-Status: No, score=-1.253 tagged_above=-999 required=5 tests=[AWL=-0.339, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, HTML_TAG_BALANCE_HEAD=1.334]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HdeyqYkkRyYM for <oauth@ietfa.amsl.com>; Wed, 10 Oct 2012 22:15:44 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.18.14]) by ietfa.amsl.com (Postfix) with ESMTP id 2E1DD21F8559 for <oauth@ietf.org>; Wed, 10 Oct 2012 22:15:43 -0700 (PDT)
Received: from [79.253.45.101] (helo=[192.168.71.108]) by smtprelay02.ispgateway.de with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1TMB7V-0003Ze-Jf; Thu, 11 Oct 2012 07:15:42 +0200
User-Agent: K-9 Mail for Android
In-Reply-To: <106E8A07-FE5C-4BC9-B7C8-9EDAE0F9C53B@gmail.com>
References: <CAD+AFDvoCGkohSZV02tgi0dEVn42XJvcDHY_owvbcZz907WOLg@mail.gmail.com> <5075E379.7000502@lodderstedt.net> <106E8A07-FE5C-4BC9-B7C8-9EDAE0F9C53B@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----JMRP2I57VSA8X8E3SXYJHY4UV0VK4N"
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Thu, 11 Oct 2012 07:15:38 +0200
To: Pedro Felix <pmhsfelix@gmail.com>
Message-ID: <a6091a59-bee3-45da-9697-789688640cdc@email.android.com>
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Out-of-band code delivery and alternate redirect_uri schemes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Oct 2012 05:15:45 -0000
So you assume to use resource owner's address? Regards, Torsten. Pedro Felix <pmhsfelix@gmail.com> schrieb: > > >> Hi Pedro, >> >> Am 10.10.2012 16:25, schrieb Pedro Felix: >>> 1) Out-of-band code transmission >>> >>> Currently Google OAuth2 implementation uses the special >"urn:ietf:wg:oauth:2.0:oob" to signal the Authorization Endpoint to >return an HTML page with the code, instead of a redirect. At first >sight, it seems a good idea, however it isn't in the OAuth 2 RFC. >>> a) What is the reason for the absence in the spec? >>> b) Is there any security problem associated with this usage? >>> >>> 2) Alternative "redirect_uri" schemes >>> >>> I'm also considering the use of alternative schemes on the >"redirect_uri". For instance, a client app could use the "mailto:" >scheme to instruct the Authorization Endpoint to send the code via >email. I know that a naive implementation can be subject to fixation >attacks, however >>> a) Weren't these scenarios considered by the working group? >>> b) Is there a major security flaw on this usage? >> >> What address should the authorization server send an e-mail to and >how would the app acquire this code? >> >> regards, >> Torsten. >The email address would be in the redirect_uri; the code would be >inserted into the client app explicitly by the user, after receiving >it. > >Thanks >Pedro > > >>> >>> Thanks >>> Pedro >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>
- [OAUTH-WG] Out-of-band code delivery and alternat… Pedro Felix
- Re: [OAUTH-WG] Out-of-band code delivery and alte… Torsten Lodderstedt
- Re: [OAUTH-WG] Out-of-band code delivery and alte… Pedro Felix
- Re: [OAUTH-WG] Out-of-band code delivery and alte… Torsten Lodderstedt