Pre-registration of redirect uris with PAR
Issue #320
wontfix
FAPI 1.0 part 1 requires pre-registration of redirect_uris
PAR allows this to be relaxed: https://tools.ietf.org/html/draft-ietf-oauth-par-04#section-2.4
I think we need a clause in FAPI 1.0 part 2 to reflect this, e.g
when using [PAR], may allow the client to use redirect_uris that have not been pre-registered
Comments (5)
- changed status to wontfix
To be included in FAPI 2.0. It will impact the claim that FAPI 1.0 is formally verified.
Interestingly when writing the PAR certification tests I’d interpreted this the other way around, assuming the FAPI part 1 overrode/tightened up the PAR text.
I think allowing it does change the security model a little; in particular I think [particularly in ecosystems like OBUK & CDR where redirect uris are managed in a directory] allowing per-request redirect urls makes it easier for an attacker that has stolen the private key for a client to use those credentials. I don’t remember exactly what our attacker model is - a client losing control of its credentials is clearly a significant event but I’m not sure if we view that as a ‘game over’ event that it’s not worth mitigating against.
Or put another way: allowing per-request redirect urls makes it substantially easier for some attackers to obtain authorization codes.
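Added illustration, not code from the issue thread or from any FAPI implementation: how an authorization server's PAR endpoint could apply the FAPI 1.0 part 1 rule (exact match against pre-registered redirect_uris) versus the relaxation draft-ietf-oauth-par section 2.4 permits. The client table, client id and URIs are constructed sample data.

```python
"""Constructed example of redirect_uri policy at a PAR endpoint.

Strict mode is the FAPI 1.0 part 1 behaviour: redirect_uri must exactly
match one of the client's pre-registered values. Relaxed mode is the
PAR section 2.4 behaviour: any well-formed absolute https URI is bound
to the request_uri, on the strength of client authentication alone.
"""
from urllib.parse import urlsplit

# Constructed sample registration; in OBUK/CDR style ecosystems this would
# be sourced from the directory rather than a local table.
REGISTERED_CLIENTS = {
    "client-abc": {"redirect_uris": ["https://app.example.com/cb"]},
}


def check_redirect_uri(client_id, params, allow_unregistered=False):
    """Return (accepted, detail).

    On acceptance `detail` is the redirect_uri to bind to the request_uri;
    on rejection it is the reason, suitable for an invalid_request error.
    """
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False, "unknown client"
    uri = params.get("redirect_uri")
    if uri is None:
        return False, "redirect_uri is required"
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False, "redirect_uri must be an absolute https URI without a fragment"
    # Exact string comparison: no prefix, host-only or wildcard matching.
    if uri in client["redirect_uris"]:
        return True, uri
    if allow_unregistered:
        # Accepted purely because the client authenticated at the PAR endpoint.
        # Whoever holds the client's key therefore chooses where the
        # authorization code is delivered, which is the concern raised above.
        return True, uri
    return False, "redirect_uri not pre-registered for this client"
```

An AS that still wants the relaxation can log a distinct audit event on the `allow_unregistered` branch so that per-request URIs never matching the registered set stand out in review.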