IETF Logo Mail Archive

Re: [OAUTH-WG] PAR error for redirect URI?

Dave Tonge <dave.tonge@momentumft.co.uk> Mon, 14 December 2020 13:48 UTC

Return-Path: <dave.tonge@moneyhub.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CCA43A0AD3 for <oauth@ietfa.amsl.com>; Mon, 14 Dec 2020 05:48:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.162
X-Spam-Level:
X-Spam-Status: No, score=0.162 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=momentumft.co.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JsOCoE9UskSN for <oauth@ietfa.amsl.com>; Mon, 14 Dec 2020 05:47:58 -0800 (PST)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FBB43A0AC8 for <oauth@ietf.org>; Mon, 14 Dec 2020 05:47:58 -0800 (PST)
Received: by mail-lf1-x130.google.com with SMTP id o13so7005643lfr.3 for <oauth@ietf.org>; Mon, 14 Dec 2020 05:47:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=momentumft.co.uk; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=F9uMLVobB6FoGXi+DGTF1DYFd2YB64Bj3b6TeN6gUaA=; b=UEjF/GMV0mrvUhQTGgFxQqEU1Resc0pgKHMCuiyurZOAAyzbgZ/HZVrHxO78elOHOD Y3667IbzEdD4vYYBjzp3ATl/95yxXRP/k6is7TcbsDd/EjWLOMAAuVCRC1ZLAUgCRl2x 7EQlyO162IolQoyug+a+2U6Z6/MC5w5kelYlk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=F9uMLVobB6FoGXi+DGTF1DYFd2YB64Bj3b6TeN6gUaA=; b=ih0u1llKr9mG/Tgw0i7VxkqVYwx5IzOL+bnxg74DKf9dIHojXnL3KtZlu0MAgVfYDz uzeupQW6rMQFl2eTinMw9H/Ya6YEfVp/NQFiVxOARCmrquJJhQdlKpR3kI5gGhrpRZM/ /mtnvwNjL28/i8Qmp9nv2EyQMWa2Tiso3aUCx6ASUEOq8Kqf05xCtzsxBDPSXd/kUiAq ZGCM/meB1FxVtU0f0IIUSsBC+t5uAJIeyV3C2y3guRjg5dKuv1rsvBaPLwiQ/YmR9B9a ppI90ECa7w0AqJzDj72NnQVDJYBu7hb6aQoOQh29vjHsMPM4WnwRXn8OrTrrSHMO8lT4 6LZw==
X-Gm-Message-State: AOAM533MUvhv4TQ126qcJhhymJc3LX4U8Hd0jH255oNPDLZ5E0Opo8AH LGqklpzdY5+pj0+MFw40NpoWRgRsifYVzdkSswb+/0A9M2mHQGYFWBBVTpJ6nDmokrI7Lah6ww1 fC0JsFbJkVacLVg==
X-Google-Smtp-Source: ABdhPJwPgxlb4ct/LwUXgewwo0zAcvE/r+NzRl+K/05QyER1w0nUoPQGok7n9CsPdPcICKtMh3lDTWG1El2+7DI5Oxw=
X-Received: by 2002:a19:4a52:: with SMTP id x79mr4818498lfa.481.1607953676004; Mon, 14 Dec 2020 05:47:56 -0800 (PST)
MIME-Version: 1.0
References: <CA+k3eCQitAWnHaw2zz0jwyjHxWPYe0VPct1Op1T13BVhydkXDQ@mail.gmail.com> <CALAqi__ncGQgbunhunmaCrtUsAe-v+HnLWZM2Ca5VWarUr2Y=w@mail.gmail.com> <CDA006E7-8D4F-49AF-9C68-3BCEEFCFA687@lodderstedt.net> <CALAqi_9ewvmUUJNzXMU2JUU9eSVwwjGQMe7mCva=WFrA1JME9g@mail.gmail.com> <CADNypP9VniF0SBDSo+ZvwX7kYcmn_H6Vv2LvRZiwZwADG1Foxw@mail.gmail.com> <9a58bd66-e259-ebb9-1ed5-3f5075f44d97@connect2id.com> <CA+k3eCRuqLnZ8X_U4mi0AsL7jTLN2KGDJyHttXt8YfxG47a=HA@mail.gmail.com> <8bf0dae0-54b8-3b33-87b2-634b40ac4a85@connect2id.com> <CA+k3eCSwuELPpspNsUA1FTD1cU1ePJcKWd1Z9WU8tHL38LEQBg@mail.gmail.com>
In-Reply-To: <CA+k3eCSwuELPpspNsUA1FTD1cU1ePJcKWd1Z9WU8tHL38LEQBg@mail.gmail.com>
From: Dave Tonge <dave.tonge@momentumft.co.uk>
Date: Mon, 14 Dec 2020 14:47:44 +0100
Message-ID: <CAP-T6TRm9=Qis0t0GfMqdySiLsyx4XLA1bOHBWDSNkzo0FuZmQ@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ac88b105b66ce351"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1s0YpZo-jklBbNJeCXukgKWNYzo>
Subject: Re: [OAUTH-WG] PAR error for redirect URI?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2020 13:48:02 -0000

I agree with the proposed text

On Mon, 14 Dec 2020 at 14:46, Brian Campbell <bcampbell=
40pingidentity.com@dmarc.ietf.org> wrote:

> Thanks Vladimir, that seems quite reasonable. Barring any objections, I'll
> add that to a -04.
>
> On Mon, Dec 14, 2020 at 1:33 AM Vladimir Dzhuvinov <
> vladimir@connect2id.com> wrote:
>
>> Hi Brian,
>>
>> I'd like to propose the sentence in bold to be inserted into the current
>> section 2.3 of PAR -04:
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-par-04#section-2.3
>>
>> The authorization server returns an error response with the same format
>> as is specified for error responses from the token endpoint in Section 5.2
>> of [RFC6749] using the appropriate error code from therein or from Section 4.1.2.1
>> of [RFC6749]. *In those cases where Section 4.1.2.1 of [RFC6749]
>> prohibits automatic redirection with an error back to the requesting client
>> and hence doesn’t define an error code, for example when the request fails
>> due to a missing, invalid, or mismatching redirection URI, the
>> “invalid_request” error code can be used as the default error code.*
>>
>> Hope with this we can close the case.
>>
>> Vladimir
>>
>> On 04/12/2020 18:08, Brian Campbell wrote:
>>
>>
>>
>> On Fri, Dec 4, 2020 at 12:30 AM Vladimir Dzhuvinov <
>> vladimir@connect2id.com> wrote:
>>
>>> If people have articulated a need to have an invalid_redirect_uri error
>>> for the PAR endpoint, then let's register it properly. Rifaat says there's
>>> still time to do this.
>>>
>>
>> Following from the response I recently sent to Neil, I don't think a
>> legitimate need has been articulated.
>> https://mailarchive.ietf.org/arch/msg/oauth/gMiH1mTr0AKDvWpqO1zikcVUySY/
>>
>>
>>> I'm also okay with using the general invalid_request code for this. In
>>> this case a sentence, next to the current example, spelling out what the
>>> PAR endpoint must do on a invalid redirect URI will help.
>>>
>> I don't know that that's needed either. But do have some text to suggest
>> that you think would be helpful?
>>
>>
>>
>>> Vladimir
>>> On 03/12/2020 13:49, Rifaat Shekh-Yusef wrote:
>>>
>>> Torsten, Filip,
>>>
>>> You can absolutely make this change, as we are still very early in the
>>> process.
>>> So feel free to continue this effort and try to get WG agreement on
>>> this, and update the document as needed.
>>>
>>> Regards,
>>>  Rifaat
>>>
>>>
>>> On Thursday, December 3, 2020, Filip Skokan <panva.ip@gmail.com> wrote:
>>>
>>>> To be clear, I'm not advocating to skip the registration, just wanted
>>>> to mention a potential concern. If the process allows it and it will not
>>>> introduce more delay to publication, I think we should go ahead and
>>>> register the error code.
>>>>
>>>> Best,
>>>> *Filip*
>>>>
>>>>
>>>> On Thu, 3 Dec 2020 at 11:06, Torsten Lodderstedt <
>>>> torsten@lodderstedt.net> wrote:
>>>>
>>>>>
>>>>>
>>>>> > Am 03.12.2020 um 09:56 schrieb Filip Skokan <panva.ip@gmail.com>:
>>>>> >
>>>>> > There are several documents already mentioning
>>>>> "invalid_redirect_uri" as an error code, specifically RFC7519 and OpenID
>>>>> Connect Dynamic Client Registration 1.0. But these don't register it in the
>>>>> IANA OAuth Extensions Error Registry, presumably because they're neither
>>>>> for the authorization or token endpoints.
>>>>> >
>>>>> > While I think it'd be great if we had this error code registered, I
>>>>> also worry that its registration could confuse implementers to think it's
>>>>> okay to return it from the authorization endpoint.
>>>>>
>>>>> I understand your concern. On the other hand, registering the error
>>>>> code is in my opinion the proper way forward. The registration is scoped to
>>>>> a usage location, should be pushed authorization endpoint then, and RFC6749
>>>>> gives clear guidance on how to treat errors related to the redirect URI at
>>>>> the authorization endpoint.
>>>>>
>>>>> "If the request fails due to a missing, invalid, or mismatching
>>>>>    redirection URI, … authorization server ... MUST NOT automatically
>>>>> redirect the user-agent to the
>>>>>    invalid redirection URI."
>>>>>
>>>>> I think if an implementor ignores this, it will ignore any advise.
>>>>>
>>>>> best regards,
>>>>> Torsten.
>>>>>
>>>>> >
>>>>> > Best,
>>>>> > Filip
>>>>> >
>>>>> >
>>>>> > On Thu, 3 Dec 2020 at 00:29, Brian Campbell <bcampbell=
>>>>> 40pingidentity.com@dmarc.ietf.org> wrote:
>>>>> > During the course of a recent OIDF FAPI WG discussion (the FAPI
>>>>> profiles use PAR for authz requests) on this issue it was noted that
>>>>> there's no specific error code for problems with the redirect_uri (the
>>>>> example in
>>>>> https://www.ietf.org/archive/id/draft-ietf-oauth-par-04.html#section-2.3
>>>>> even shows a general error code with mention of the redirect_uri not being
>>>>> valid in the error description). Some folks on that call thought it would
>>>>> be worthwhile to have a more specific error code for an invalid
>>>>> redirect_uri and I reluctantly took an action item to raise the issue here.
>>>>> At the time I'd forgotten that PAR had already passed WGLC. But it's been
>>>>> sitting idle while awaiting the shepherd writeup since mid September so
>>>>> it's maybe realistic to think the window for a small change is still open.
>>>>> >
>>>>> > Presumably nothing like an "invalid_redirect_uri" error code was
>>>>> defined in RFC 6749 because that class of errors could not be returned to
>>>>> the client via redirection. But the data flow in PAR would allow for a
>>>>> "invalid_redirect_uri" so it's not an unreasonable thing to do.
>>>>> >
>>>>> > As I write this message, however, I'm not personally convinced that
>>>>> it's worth making a change to PAR at this point. But I did say I'd bring
>>>>> the question up in the WG list and I'm just trying to be true to my word.
>>>>> So here it is. Please weigh in, if you have opinions on the matter.
>>>>> >
>>>>> >
>>>>> >
>>>>> > CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>>> If you have received this communication in error, please notify the sender
>>>>> immediately by e-mail and delete the message and any file attachments from
>>>>> your computer. Thank you._______________________________________________
>>>>> > OAuth mailing list
>>>>> > OAuth@ietf.org
>>>>> > https://www.ietf.org/mailman/listinfo/oauth
>>>>> > _______________________________________________
>>>>> > OAuth mailing list
>>>>> > OAuth@ietf.org
>>>>> >
>>>>> https://www.google.com/url?q=https://www.ietf.org/mailman/listinfo/oauth&source=gmail-imap&ust=1607590629000000&usg=AOvVaw3aW1gdv4EEiLmNYzlsJj-A
>>>>>
>>>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>>
>> --
>> Vladimir Dzhuvinov
>>
>>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*_______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Dave Tonge
CTO
[image: Moneyhub Enterprise]
<http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL
t: +44 (0)117 280 5120

Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
Limited which is authorised and regulated by the Financial Conduct
Authority ("FCA"). Moneyhub Financial Technology is entered on the
Financial Services Register (FRN 809360) at fca.org.uk/register.
Moneyhub Financial
Technology is registered in England & Wales, company registration number
06909772 .
Moneyhub Financial Technology Limited 2018 ©

DISCLAIMER: This email (including any attachments) is subject to copyright,
and the information in it is confidential. Use of this email or of any
information in it other than by the addressee is unauthorised and unlawful.
Whilst reasonable efforts are made to ensure that any attachments are
virus-free, it is the recipient's sole responsibility to scan all
attachments for viruses. All calls and emails to and from this company may
be monitored and recorded for legitimate purposes relating to this
company's business. Any opinions expressed in this email (or in any
attachments) are those of the author and do not necessarily represent the
opinions of Moneyhub Financial Technology Limited or of any other group
company.

-- 


Moneyhub Enterprise is a trading style of Moneyhub Financial Technology 
Limited which is authorised and regulated by the Financial Conduct 
Authority ("FCA"). Moneyhub Financial Technology is entered on the 
Financial Services Register (FRN 809360) at https://register.fca.org.uk/ 
<https://register.fca.org.uk/>. Moneyhub Financial Technology is registered 
in England & Wales, company registration number 06909772. Moneyhub 
Financial Technology Limited 2020 © Moneyhub Enterprise, Regus Building, 
Temple Quay, 1 Friary, Bristol, BS1 6EA. 

DISCLAIMER: This email 
(including any attachments) is subject to copyright, and the information in 
it is confidential. Use of this email or of any information in it other 
than by the addressee is unauthorised and unlawful. Whilst reasonable 
efforts are made to ensure that any attachments are virus-free, it is the 
recipient's sole responsibility to scan all attachments for viruses. All 
calls and emails to and from this company may be monitored and recorded for 
legitimate purposes relating to this company's business. Any opinions 
expressed in this email (or in any attachments) are those of the author and 
do not necessarily represent the opinions of Moneyhub Financial Technology 
Limited or of any other group company.

v2.23.0 | Report a Bug | By Email