Re: [OAUTH-WG] Fwd: New Version Notification for draft-richer-oauth-introspection-01.txt
"Richer, Justin P." <jricher@mitre.org> Fri, 11 January 2013 18:04 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B85121F892A for <oauth@ietfa.amsl.com>; Fri, 11 Jan 2013 10:04:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.031
X-Spam-Level:
X-Spam-Status: No, score=-6.031 tagged_above=-999 required=5 tests=[AWL=0.567, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xj1-huSuZu0N for <oauth@ietfa.amsl.com>; Fri, 11 Jan 2013 10:04:25 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id AD27521F8919 for <oauth@ietf.org>; Fri, 11 Jan 2013 10:04:23 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id E92C11F361C; Fri, 11 Jan 2013 13:04:22 -0500 (EST)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id CE17A1F2F44; Fri, 11 Jan 2013 13:04:22 -0500 (EST)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.25]) by IMCCAS04.MITRE.ORG ([129.83.29.81]) with mapi id 14.02.0318.004; Fri, 11 Jan 2013 13:04:22 -0500
From: "Richer, Justin P." <jricher@mitre.org>
To: George Fletcher <gffletch@aol.com>
Thread-Topic: [OAUTH-WG] Fwd: New Version Notification for draft-richer-oauth-introspection-01.txt
Thread-Index: AQHN7fJSaTtsJD7Erk6+DEfqvZzSmJhEaOtPgABbK4A=
Date: Fri, 11 Jan 2013 18:04:21 +0000
Message-ID: <B33BFB58CCC8BE4998958016839DE27E06876939@IMCMBX01.MITRE.ORG>
References: <20130108224847.20224.42156.idtracker@ietfa.amsl.com> <50EDC0AE.6050005@mitre.org> <50F04DF8.1070407@aol.com>
In-Reply-To: <50F04DF8.1070407@aol.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.7.162]
Content-Type: multipart/alternative; boundary="_000_B33BFB58CCC8BE4998958016839DE27E06876939IMCMBX01MITREOR_"
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-richer-oauth-introspection-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jan 2013 18:04:28 -0000
It should follow the 6749 Token Endpoint error responses for bad client credentials. That's what this text at the end of 2.3 is supposed to mean:
If the client credentials are invalid or there is another error, the
Authorization Server responds with the appropriate error response
from the OAuth2 Core.
Looking at it now, it's completely non-normative and stuffed into the examples section, which is probably not the best way to describe it.
There was some confusion about the {valid: false} response as well, so now I'm thinking that should be pulled into an "Errors" section, perhaps?
-- Justin
On Jan 11, 2013, at 12:38 PM, George Fletcher <gffletch@aol.com<mailto:gffletch@aol.com>>
wrote:
Additional feedback on the introspection endpoint.
What is the expected error response if the introspection endpoint is using client credentials as recommended in section 2.1
The endpoint SHOULD also require some form of authentication to
access this endpoint, such as the Client Authentication as described
in OAuth 2 Core Specification [RFC6749<http://tools.ietf.org/html/rfc6749>] or a separate OAuth2 Access
Token.
and the client credentials are invalid. It doesn't seem correct to return an HTTP 200 with a body of { "valid: false } as the endpoint probably never even tried to validate the token parameter.
I can see a couple of options...
1. Follow the RFC 6749 /token endpoint and return an HTTP 40X response with the error described in JSON in the body of the response.
2. Follow RFC 6750 and return a WWW-Authenticate Response header that contains the error and optionally error_description.
Thanks,
George
- [OAUTH-WG] Fwd: New Version Notification for draf… Justin Richer
- Re: [OAUTH-WG] Fwd: New Version Notification for … Torsten Lodderstedt
- Re: [OAUTH-WG] Fwd: New Version Notification for … Justin Richer
- Re: [OAUTH-WG] Fwd: New Version Notification for … Torsten Lodderstedt
- Re: [OAUTH-WG] Fwd: New Version Notification for … Richer, Justin P.
- Re: [OAUTH-WG] Fwd: New Version Notification for … George Fletcher
- Re: [OAUTH-WG] Fwd: New Version Notification for … Sergey Beryozkin
- Re: [OAUTH-WG] Fwd: New Version Notification for … Justin Richer
- Re: [OAUTH-WG] Fwd: New Version Notification for … George Fletcher
- Re: [OAUTH-WG] Fwd: New Version Notification for … Justin Richer
- Re: [OAUTH-WG] Fwd: New Version Notification for … George Fletcher
- Re: [OAUTH-WG] Fwd: New Version Notification for … Igor Faynberg
- Re: [OAUTH-WG] Fwd: New Version Notification for … Justin Richer
- Re: [OAUTH-WG] Fwd: New Version Notification for … George Fletcher
- Re: [OAUTH-WG] Fwd: New Version Notification for … Richer, Justin P.
- Re: [OAUTH-WG] Fwd: New Version Notification for … George Fletcher