Clarify redirection proposal. See #117. #118
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -533,11 +533,13 @@ for certificate validation and other security considerations. | |
|
|
||
| This specification makes extensive use of HTTP redirections, in which | ||
| the client or the authorization server directs the resource owner's | ||
| user agent to another destination. | ||
| While this specification | ||
| forbids the use of the 307 status code (see {{redirect_307}}) | ||
| and illustrates the use of the 302 status code, | ||
| any other mechanism to accomplish the above redirection | ||
| is legitimate and is considered as an implementation detail as long as | ||
| it does not expose user credentials to untrusted parties. | ||
|
|
||
|
|
||
| ## Interoperability | ||
|
|
@@ -966,35 +968,38 @@ Extension grant types MAY define additional endpoints as needed. | |
| ## Authorization Endpoint | ||
|
|
||
| The authorization endpoint is used to interact with the resource | ||
| owner and obtain an authorization grant. The AS | ||
|
There was a problem hiding this comment. how is this proposed change related to redirects? |
||
| MUST first authenticate the resource owner. The way in | ||
| which the AS authenticates the resource owner | ||
| (e.g., username and password login, session cookies) is beyond the | ||
| scope of this specification. | ||
|
|
||
| The means through which the client obtains the URL of the | ||
ioggstream marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| authorization endpoint are beyond the scope of this specification, | ||
| but the URL is typically provided in the service documentation, | ||
| or in the authorization server's metadata document ({{RFC8414}}). | ||
|
|
||
|
There was a problem hiding this comment. if it's a location, it's an URL, right? There was a problem hiding this comment. I think this is in there to make sure clients don't make assumptions that the authorization server URL might not contain a query string. Also note that just below this there's a limit that the URL can't contain a fragment, so I think it's worth pointing out still. There was a problem hiding this comment. Yes, but without an explicit mention, I suspect a lot of people would assume the URL would not contain a query string, especially because it's pretty uncommon for it to do so in practice. There was a problem hiding this comment.
we explicitly mention the query component in the lines below - that are not removed - so people are told that URLs have query component. |
||
| The authorization endpoint URL: | ||
|
|
||
| - MUST NOT include a fragment component; | ||
| - MAY include an "application/x-www-form-urlencoded" | ||
| formatted query component {{WHATWG.URL}}, | ||
| which MUST be retained when adding additional query parameters. | ||
|
|
||
| The authorization endpoint | ||
| MUST support GET requests (see Section 9.3.1 of {{RFC9110}}) | ||
| and MAY support POST requests (see Section 9.3.3 of {{RFC9110}}). | ||
|
|
||
| The authorization endpoint MUST ignore unrecognized request parameters. | ||
|
|
||
| Request and response parameters | ||
| defined by this specification MUST NOT be included more than once. | ||
| Parameters sent without a value MUST be treated as if they were | ||
| omitted from the request. | ||
|
|
||
| An authorization endpoint that redirects a request potentially containing | ||
|
There was a problem hiding this comment. @aaronpk I reworded it removing normative language. This is because we cannot forbid to accidentally do something ;) instead it is better to suggest how to mitigate the risk. |
||
| user credentials is expected to define a trust boundary and to not | ||
| forward these credentials outside it | ||
| (see {{redirect_307}} for details). | ||
|
|
||
| ## Token Endpoint | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the rationale for this suggested change?