Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handling of colliding URI query parameter names #171

Open
SECtim opened this issue Feb 28, 2024 · 1 comment
Open

Handling of colliding URI query parameter names #171

SECtim opened this issue Feb 28, 2024 · 1 comment

Comments

@SECtim
Copy link

SECtim commented Feb 28, 2024

The URIs for the redirect and authorization endpoints may contain additional query parameters that must be retained when adding more parameters:

oauth-v2-1/draft-ietf-oauth-v2-1.md

Lines 860 to 865 in f79f588

The redirect URI MUST be an absolute URI as defined by
{{RFC3986}} Section 4.3. The redirect URI MAY include an
"application/x-www-form-urlencoded" formatted query
component ({{WHATWG.URL}}), which MUST be retained when adding
additional query parameters. The redirect URI MUST NOT include a
fragment component.

oauth-v2-1/draft-ietf-oauth-v2-1.md

Lines 1118 to 1121 in f79f588

The authorization endpoint URL MUST NOT include a fragment component,
and MAY include an "application/x-www-form-urlencoded" formatted
query component {{WHATWG.URL}}, which MUST be retained when adding
additional query parameters.

Furthermore, query parameters must only appear once (this text appears in the description of the authorization and token endpoints, but is not explicitly mentioned for the redirection endpoint - nevertheless, the cited text already applies to all parameters defined by this spec):

oauth-v2-1/draft-ietf-oauth-v2-1.md

Lines 1129 to 1130 in f79f588

Request and response parameters
defined by this specification MUST NOT be included more than once.

This becomes a problem in (I admit, somewhat esoteric) cases where the endpoint URIs contain parameters such as code in a redirect URI, in that example, the AS would not be allowed to add its code parameter in the authorization response. But at the same time, the AS is required to do so:

oauth-v2-1/draft-ietf-oauth-v2-1.md

Lines 1657 to 1664 in f79f588

If the resource owner grants the access request, the authorization
server issues an authorization code and delivers it to the client by
adding the following parameters to the query component of the
redirect URI using the `application/x-www-form-urlencoded` format,
per {{application-x-www-form-urlencoded}}:
"code":
: REQUIRED. The authorization code is generated by the

I guess this is just a case of adding something like "redirect URI MUST NOT contain the parameters...".
@aaronpk
Copy link
Member

aaronpk commented May 11, 2024

I believe this is the same as oauthstuff/draft-ietf-oauth-security-topics#72, where did we land on language around this @danielfett?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aaronpk @SECtim