Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Handling of colliding URI query parameter names #171

Open
SECtim opened this issue Feb 28, 2024 · 2 comments
Open

Handling of colliding URI query parameter names #171

SECtim opened this issue Feb 28, 2024 · 2 comments
Milestone

Comments

@SECtim
Copy link

SECtim commented Feb 28, 2024

The URIs for the redirect and authorization endpoints may contain additional query parameters that must be retained when adding more parameters:

The redirect URI MUST be an absolute URI as defined by
{{RFC3986}} Section 4.3. The redirect URI MAY include an
"application/x-www-form-urlencoded" formatted query
component ({{WHATWG.URL}}), which MUST be retained when adding
additional query parameters. The redirect URI MUST NOT include a
fragment component.

The authorization endpoint URL MUST NOT include a fragment component,
and MAY include an "application/x-www-form-urlencoded" formatted
query component {{WHATWG.URL}}, which MUST be retained when adding
additional query parameters.

Furthermore, query parameters must only appear once (this text appears in the description of the authorization and token endpoints, but is not explicitly mentioned for the redirection endpoint - nevertheless, the cited text already applies to all parameters defined by this spec):

Request and response parameters
defined by this specification MUST NOT be included more than once.

This becomes a problem in (I admit, somewhat esoteric) cases where the endpoint URIs contain parameters such as code in a redirect URI, in that example, the AS would not be allowed to add its code parameter in the authorization response. But at the same time, the AS is required to do so:

If the resource owner grants the access request, the authorization
server issues an authorization code and delivers it to the client by
adding the following parameters to the query component of the
redirect URI using the `application/x-www-form-urlencoded` format,
per {{application-x-www-form-urlencoded}}:
"code":
: REQUIRED. The authorization code is generated by the

I guess this is just a case of adding something like "redirect URI MUST NOT contain the parameters...".

@aaronpk
Copy link
Member

aaronpk commented May 11, 2024

I believe this is the same as oauthstuff/draft-ietf-oauth-security-topics#72, where did we land on language around this @danielfett?

@aaronpk
Copy link
Member

aaronpk commented Nov 20, 2024

Something like "You MUST avoid using names in the parameters registry for the endpoint in question https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#parameters"

@aaronpk aaronpk added this to the version -13 milestone Nov 20, 2024
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants