View Issue Details

ID: 0005410
Project: GNUnet
Category: other
View Status: public
Last Update: 2019-02-28 11:17
Reporter: schanzen
Assigned To: schanzen
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: Git master
Target Version: 0.11.0
Fixed in Version: 0.11.0
Summary: 0005410: OpenID Connect redirect_uris must actually be URIs
Description: In OpenID Connect / OAuth2 the "redirect_uri" parameter must be a valid URI (https://tools.ietf.org/html/rfc3986#section-4.3).

Currently, in reclaim, it is simply a label in GNS, which means it _cannot_ be a URI due to character restrictions.
For reclaim, the labels are looked up in the identity namespace represented by the "client_id".
There, the _actual_ redirect_uri registered by the client can be found.

A solution might be to use an actual redirect_uri and internally convert it to a label, e.g. by hashing and then encoding it.
Tags: No tags attached.

Activities

schanzen

2018-08-06 14:38

administrator   ~0013180

The URI parameter must now be registered under the label "+" with a record of type "RECLAIM_OIDC_REDIRECT".
When a redirect_uri is given by a client ID "PKEY", reclaim will resolve +.PKEY (type=RECLAIM_OIDC_REDIRECT) and verify that the given redirect URI matches one or more redirect URIs found in the records.

Setting a redirect URI in a local namespace essentially "registers" (in OIDC terms) a redirect URI for the client.
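
The check described in the note above, sketched as an added example (not GNUnet's own code). It assumes the RECLAIM_OIDC_REDIRECT record values under +.PKEY have already been resolved into an array of strings and that "matches" means byte-for-byte equality; the function names and sample URIs are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ),
 * terminated by ":". Returns 1 if uri starts with a scheme and is not empty after it. */
static int has_uri_scheme(const char *uri)
{
  const char *p = uri;

  if (!isalpha((unsigned char) *p))
    return 0;
  for (p++; *p != '\0' && *p != ':'; p++)
    if (!isalnum((unsigned char) *p) && NULL == strchr("+-.", *p))
      return 0;
  return (':' == *p) && ('\0' != p[1]);
}

/* Hypothetical helper: accept `presented` only if it is a URI (not a bare
 * label) and is identical to one of the registered record values.
 * Assumption: exact comparison, no prefix or pattern matching. */
int redirect_uri_is_registered(const char *presented,
                               const char *const *registered,
                               size_t count)
{
  if (NULL == presented || !has_uri_scheme(presented))
    return 0;
  for (size_t i = 0; i < count; i++)
    if (NULL != registered[i] && 0 == strcmp(presented, registered[i]))
      return 1;
  return 0;
}

/* Constructed sample: values as they might be stored in the
 * RECLAIM_OIDC_REDIRECT records found under +.PKEY. */
static const char *const sample_records[] = {
  "https://client.example/cb",
  "https://client.example/oidc/return"
};
#define SAMPLE_COUNT (sizeof sample_records / sizeof sample_records[0])

int main(void)
{
  /* Exit status 0 when the presented redirect_uri is registered. */
  return redirect_uri_is_registered("https://client.example/cb",
                                    sample_records, SAMPLE_COUNT) ? 0 : 1;
}
```

Exact comparison means a presented value that merely extends a registered one (extra path segments, query string, or a longer host name) is rejected, and a bare GNS-style label is rejected even if the same string was stored in a record.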

Issue History

Date Modified Username Field Change
2018-07-22 22:22 schanzen New Issue
2018-07-22 22:22 schanzen Status new => assigned
2018-07-22 22:22 schanzen Assigned To => schanzen
2018-08-06 14:38 schanzen Status assigned => resolved
2018-08-06 14:38 schanzen Resolution open => fixed
2018-08-06 14:38 schanzen Note Added: 0013180
2019-02-20 12:24 Christian Grothoff Fixed in Version => 0.11.0
2019-02-28 11:17 Christian Grothoff Status resolved => closed