Results 1 to 5 of 5

Thread: Multiple registered redirect URIs

  1. Mar 2nd, 2012, 05:49 AM #1
    wjrsimpson
    wjrsimpson is offline Junior Member
    Join Date
    Nov 2011
    Posts
    6

    Default Multiple registered redirect URIs

    Hi,

    OAuth2 specification (v2-23) seems to say that multiple redirect URIs can be pre-registered with the provider.

    If multiple redirection URIs have been registered, if only part of
    the redirection URI has been registered, or if no redirection URI has
    been registered, the client MUST include a redirection URI with the
    authorization request using the "redirect_uri" request parameter.

    When a redirection URI is included in an authorization request, the
    authorization server MUST compare and match the value received
    against at least one of the registered redirection URIs (or URI
    components) as defined in [RFC3986] section 6, if any redirection
    URIs were registered. If the client registration included the full
    redirection URI, the authorization server MUST compare the two URIs
    using simple string comparison as defined in [RFC3986] section 6.2.1.
    Is this possible with Spring OAuth?

    (It seems it only possible to pre-register one redirect URI, because the ClientDetails interface only has a property for one webServerRedirectUri.)

    Best regards,

    Will
    Reply With Quote Reply With Quote
  2. Mar 2nd, 2012, 08:25 AM #2
    Dave Syer
    Dave Syer is offline Senior Member
    Join Date
    Jun 2005
    Posts
    4,230

    Default

    Correct. Why do you need multiple registered redirects?
    Reply With Quote Reply With Quote
  3. Mar 2nd, 2012, 09:41 AM #3
    wjrsimpson
    wjrsimpson is offline Junior Member
    Join Date
    Nov 2011
    Posts
    6

    Default

    Hi Dave,

    I am working on ORCID.

    Some of the potential users of the ORCID REST API are publishers. In some cases they have several hundred or even thousands of different journals that will interact with the ORCID API, which will be using Spring Security OAuth.

    They have asked if they can use one client ID for all of their journals, because that will be easier for them to manage. However, they want users to be redirected back to the correct journal after they have authorized access to their data.

    So, we'd like to allow them to register a different redirect URI for each journal. They would pass the redirect URI for the journal when they send the user to ORCID for authorization, and we would like to validate that against a list of allowed values for the client.

    Best regards,

    Will
    Reply With Quote Reply With Quote
  4. Mar 2nd, 2012, 10:44 AM #4
    Dave Syer
    Dave Syer is offline Senior Member
    Join Date
    Jun 2005
    Posts
    4,230

    Default

    I see. I guess your client could register a single callback and then bounce from there to the selected journal quite easily (that's quite normal I think), so this doesn't seem like a showstopper. But we can think about multi-valued redirects for the framework as well. It doesn't have a high priority for me right now, but feel free to open a JIRA for tracking the requirement. If you want to contribute some code read the README and fill in the contributor's agreement.
    Reply With Quote Reply With Quote
  5. Mar 2nd, 2012, 11:30 AM #5
    wjrsimpson
    wjrsimpson is offline Junior Member
    Join Date
    Nov 2011
    Posts
    6

    Default

    Thanks, Dave.

    Understood.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules