Pre-registration of redirect uris with PAR

Issue #320 wontfix
Dave Tonge created an issue

FAPI 1.0 part 1 requires pre-registration of redirect_uris

PAR allows this to be relaxed:

I think we need a clause in FAPI 1.0 part 2 to reflect this, e.g.

when using [PAR], may allow the client to use redirect_uris that have not been pre-registered

Comments (2)

  1. Joseph Heenan

    Interestingly when writing the PAR certification tests I’d interpreted this the other way around, assuming the FAPI part 1 overrode/tightened up the PAR text.

    I think allowing it does change the security model a little; in particular I think [particularly in ecosystems like OBUK & CDR where redirect uris are managed in a directory] allowing per-request redirect urls makes it easier for an attacker that has stolen the private key for a client to use those credentials. I don’t remember exactly what our attacker model is - a client losing control of its credentials is clearly a significant event but I’m not sure if we view that as a ‘game over’ event that it’s not worth mitigating against.

    Or put another way: allowing per-request redirect urls makes it substantially easier for some attackers to obtain authorization codes.

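Added example, not part of the issue, its comments, or any FAPI/PAR reference implementation: a sketch of the authorization-server decision being debated, showing what the pre-registration rule still rejects when client authentication at the PAR endpoint succeeds. The `Client` type, the `allow_unregistered` flag, the reason strings and the sample URIs are all hypothetical.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Client:
    client_id: str
    registered_redirect_uris: frozenset
    authenticated: bool  # result of client authentication at the PAR endpoint


def check_par_redirect_uri(client, redirect_uri, allow_unregistered=False):
    """Return (accepted, reason) for the redirect_uri of a pushed request.

    allow_unregistered=False models the pre-registration requirement;
    True models the relaxation proposed in the issue (hypothetical flag).
    """
    if not client.authenticated:
        return False, "client_not_authenticated"
    # Exact string comparison, no normalisation or prefix matching.
    if redirect_uri in client.registered_redirect_uris:
        return True, "registered"
    if not allow_unregistered:
        return False, "not_pre_registered"
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False, "malformed_redirect_uri"
    # Accepted on the strength of client authentication alone: this is the
    # case to log and alert on, since the directory never listed this URI.
    return True, "unregistered_accepted"


# Constructed sample data: one registered URI, and a request carrying a URI
# that was never registered but arrives with valid client authentication.
CLIENT = Client("client-1", frozenset({"https://client.example/cb"}), True)
UNREGISTERED = "https://other.example/cb"


def compare_policies(client=CLIENT, redirect_uri=UNREGISTERED):
    """Decision for the same request under the strict and relaxed policy."""
    return {
        "strict": check_par_redirect_uri(client, redirect_uri),
        "relaxed": check_par_redirect_uri(client, redirect_uri, True),
    }
```

Under the strict policy the client key alone is not enough to have a code delivered to a new URI; under the relaxed policy the `unregistered_accepted` outcome is the only place left to detect it.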