IETF Logo Mail Archive

Re: [OAUTH-WG] Returning HTTP 200 on Error for JSONP

Eran Hammer-Lahav <eran@hueniverse.com> Wed, 18 August 2010 06:59 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 174383A6821 for <oauth@core3.amsl.com>; Tue, 17 Aug 2010 23:59:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.477
X-Spam-Level:
X-Spam-Status: No, score=-2.477 tagged_above=-999 required=5 tests=[AWL=0.121, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sd9Xi4iEUXmH for <oauth@core3.amsl.com>; Tue, 17 Aug 2010 23:59:27 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id A74C83A690A for <oauth@ietf.org>; Tue, 17 Aug 2010 23:59:27 -0700 (PDT)
Received: (qmail 32027 invoked from network); 18 Aug 2010 07:00:02 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 18 Aug 2010 07:00:02 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Wed, 18 Aug 2010 00:00:01 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Paul Tarjan <paul.tarjan@facebook.com>, OAuth WG <oauth@ietf.org>
Date: Wed, 18 Aug 2010 00:00:09 -0700
Thread-Topic: Returning HTTP 200 on Error for JSONP
Thread-Index: AQHLOy7WyjYGNn3uj0G9ZJ7bfvdE15Lmy+NA
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343B3F1D7219@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <1643FCF1-841F-41FF-B8A8-43269320CFA8@facebook.com>
In-Reply-To: <1643FCF1-841F-41FF-B8A8-43269320CFA8@facebook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E72343B3F1D7219P3PW5EX1MB01E_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Returning HTTP 200 on Error for JSONP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Aug 2010 06:59:34 -0000

I disagree.

The sole purpose of the specification is to achieve interop. By creating this exception for JSONP calls, you are breaking interop with non JSONP clients. For this to work, you need to specify exactly when this exception happens, and how to deliver the HTTP status code to the client. This sounds like a specification. For example, how is the client going to get the original HTTP status code?

This is not a legal document, and you are free to implemented it differently if you do it in a way that does not harm interop. In this case, you are basically proposing changing a MUST to a SHOULD, which takes away any interop value the requirement has in the first place (ie. being predictable and consistent).

If JSONP is an important use case, and if it should be consistently implemented across services, then it needs to be specified and such a specification can clear override the core specification directive on HTTP status code. I don't know where people got the idea that other specifications cannot modify requirements in the core specification - that's just silly. As long as you spell it out and provide enough detail to maintain interop with the new work, it is perfectly fine. This is not the constitution.

As for the argument that developers are not going to read so many specification, so core should address it - that's also silly. Most developers are never going to read the specification. At best, they will read the vendor API docs.

For the record, I have no objection to the core specification fully addressing the JSONP use case. But I'm opposed to making such an underspecified exception.

EHL



From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Paul Tarjan
Sent: Friday, August 13, 2010 2:31 PM
To: OAuth WG
Subject: [OAUTH-WG] Returning HTTP 200 on Error for JSONP

Hi Fellow OAuthers,

If a resource wants to return data via the JSONP mechanism then it MUST return an HTTP 200 error code, or else the browser won't actually call the callback. The OAuth spec as it stands requires HTTP 400 or 401 or 403 on errors which won't ever tell the client that an error happens.

For example:
GET /me?callback=jsonp_cb HTTP/1.1
Host: graph.facebook.com<http://graph.facebook.com/>

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Content-Length: 152
jsonp_cb({
   "error": "invalid_request",
   "error_description": "An active access token must be used to query information about the current user."
});

would never get sent to the browser if we obeyed the spec and sent it as an HTTP 400.

---
So, I recommend we add wording to 5.2.1 like:

If the protected resource is issuing a response that requires a different HTTP status code than the one specified (for example, JSONP), then it MAY use an alternate HTTP code. The server should make it clear which parameters trigger this mode so that clients know not to rely on the HTTP status code for error detection.


Paul

v2.30.2 | Report a Bug | By Email | System Status