Re: [OAUTH-WG] Fwd: New Version Notification for draft-richer-oauth-introspection-01.txt
George Fletcher <gffletch@aol.com> Fri, 11 January 2013 17:38 UTC
Message-ID: <50F04DF8.1070407@aol.com>
Date: Fri, 11 Jan 2013 12:38:00 -0500
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
To: "oauth@ietf.org" <oauth@ietf.org>
References: <20130108224847.20224.42156.idtracker@ietfa.amsl.com> <50EDC0AE.6050005@mitre.org>
In-Reply-To: <50EDC0AE.6050005@mitre.org>
Additional feedback on the introspection endpoint. What is the expected error response if the introspection endpoint is using client credentials as recommended in section 2.1:

> The endpoint SHOULD also require some form of authentication to access this endpoint, such as the Client Authentication as described in OAuth 2 Core Specification [RFC6749 <http://tools.ietf.org/html/rfc6749>] or a separate OAuth2 Access Token.

and the client credentials are invalid. It doesn't seem correct to return an HTTP 200 with a body of { "valid": false } as the endpoint probably never even tried to validate the token parameter. I can see a couple of options...

1. Follow the RFC 6749 /token endpoint and return an HTTP 40X response with the error described in JSON in the body of the response.
2. Follow RFC 6750 and return a WWW-Authenticate Response header that contains the error and optionally error_description.

Thanks,
George
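The point raised above, sketched as an added example that is not part of the message or of the introspection draft: an introspection handler that authenticates the client before it looks at the token parameter, and that reports a client-authentication failure as a 401 rather than as a 200 with "valid": false. Both of George's options are shown, selected by a "style" argument. The HTTP Basic client authentication, the in-memory client and token stores, the "valid" field name (taken from the message's own quote) and the exact error strings are assumptions of this example, not the draft's definitions.

```python
import base64
import hmac

# Constructed sample stores for the example; not from any real deployment.
CLIENTS = {"rs-client": "rs-secret"}
TOKENS = {
    "tok-active": {"scope": "read", "client_id": "app-1"},
}


def basic_header(client_id, secret):
    """Build the Authorization header a client would send (helper for callers)."""
    raw = f"{client_id}:{secret}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def _parse_basic_auth(headers):
    """Return (client_id, secret) from an HTTP Basic Authorization header, or None."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None


def _client_authenticated(headers):
    """Constant-time check of the presented client secret against the store."""
    creds = _parse_basic_auth(headers)
    if creds is None:
        return False
    client_id, secret = creds
    expected = CLIENTS.get(client_id)
    if expected is None:
        # Compare anyway so an unknown client_id costs about the same as a wrong secret.
        hmac.compare_digest(secret.encode("utf-8"), secret.encode("utf-8"))
        return False
    return hmac.compare_digest(secret.encode("utf-8"), expected.encode("utf-8"))


def introspect(headers, form, style="json"):
    """Return (status, response_headers, body) for one introspection request.

    style="json"   -> option 1: 401 with the error in a JSON body, as the /token endpoint does.
    style="header" -> option 2: 401 with the error carried in a WWW-Authenticate header.
    Client authentication is checked first; the token is never consulted when it fails.
    """
    if not _client_authenticated(headers):
        if style == "header":
            challenge = ('Basic realm="introspection", error="invalid_client", '
                         'error_description="client authentication failed"')
            return 401, {"WWW-Authenticate": challenge}, {}
        return 401, {"Content-Type": "application/json"}, {"error": "invalid_client"}

    # Only an authenticated client reaches the token lookup.
    info = TOKENS.get(form.get("token", ""))
    if info is None:
        # Unknown or revoked token: this is the legitimate use of 200 + "valid": false.
        return 200, {"Content-Type": "application/json"}, {"valid": False}
    return 200, {"Content-Type": "application/json"}, {"valid": True, **info}
```

The distinction the handler preserves is that "valid": false is a statement about the token, which the server can only make after it has decided the caller is allowed to ask; a failed client authentication is a statement about the caller, so it belongs in the status code and error fields, where RFC 6749 and RFC 6750 already define how to express it.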