Re: [OAUTH-WG] PAR error for redirect URI?

Neil Madden <neil.madden@forgerock.com> Fri, 04 December 2020 08:13 UTC


Making it a specific error code rather than just an error message suggests that the client can do something with that information. That doesn’t seem likely to me. It’s most likely caused by a misconfiguration that somebody needs to manually sort out rather than something that can be automatically corrected, so I don’t see a reason for this to get its own error code. 

— Neil

> On 2 Dec 2020, at 23:28, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
> 
> During the course of a recent OIDF FAPI WG discussion (the FAPI profiles use PAR for authz requests) on this issue it was noted that there's no specific error code for problems with the redirect_uri (the example in https://www.ietf.org/archive/id/draft-ietf-oauth-par-04.html#section-2.3 even shows a general error code with mention of the redirect_uri not being valid in the error description). Some folks on that call thought it would be worthwhile to have a more specific error code for an invalid redirect_uri and I reluctantly took an action item to raise the issue here. At the time I'd forgotten that PAR had already passed WGLC. But it's been sitting idle while awaiting the shepherd writeup since mid September so it's maybe realistic to think the window for a small change is still open.
> 
> Presumably nothing like an "invalid_redirect_uri" error code was defined in RFC 6749 because that class of errors could not be returned to the client via redirection. But the data flow in PAR would allow for an "invalid_redirect_uri" so it's not an unreasonable thing to do.
> 
> As I write this message, however, I'm not personally convinced that it's worth making a change to PAR at this point. But I did say I'd bring the question up in the WG list and I'm just trying to be true to my word. So here it is. Please weigh in, if you have opinions on the matter. 

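A constructed illustration of the data-flow point raised in the quoted message (example code added here, not from the PAR draft or any implementation): the PAR endpoint can return a redirect_uri failure directly in its back-channel JSON response, whereas the authorization endpoint must never redirect the user agent to an unvalidated redirect_uri. The client registry, client_id value and the returned request_uri are assumptions.

```python
import secrets
from urllib.parse import urlencode

# Constructed client registry: registered redirect URIs per client_id (assumed values).
CLIENTS = {
    "s6BhdRkqt3": {"https://client.example.org/cb"},
}


def redirect_uri_registered(client_id, redirect_uri):
    """Exact string comparison against the registered set; no prefix or pattern matching."""
    return redirect_uri in CLIENTS.get(client_id, set())


def par_endpoint(form):
    """Back-channel PAR endpoint handler. Returns (HTTP status, JSON body)."""
    client_id = form.get("client_id", "")
    redirect_uri = form.get("redirect_uri", "")
    if client_id not in CLIENTS:
        return 401, {"error": "invalid_client"}
    if not redirect_uri_registered(client_id, redirect_uri):
        # The response goes straight back to the authenticated client over TLS, so
        # the error can name the redirect_uri problem. The draft's own example keeps
        # the general "invalid_request" code and puts the detail in error_description;
        # a dedicated "invalid_redirect_uri" code would simply replace that string.
        return 400, {
            "error": "invalid_request",
            "error_description": "The redirect_uri is not valid for the given client",
        }
    # Success: a one-time request_uri the client then presents at the authorization endpoint.
    request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(32)
    return 201, {"request_uri": request_uri, "expires_in": 90}


def authz_endpoint(query):
    """Front-channel authorization endpoint. Returns (HTTP status, body or Location)."""
    client_id = query.get("client_id", "")
    redirect_uri = query.get("redirect_uri", "")
    if not redirect_uri_registered(client_id, redirect_uri):
        # RFC 6749 4.1.2.1: inform the resource owner, MUST NOT redirect to the bad URI.
        # There is no safe recipient for a redirect-carried error here, which is why
        # RFC 6749 never needed a redirect-style "invalid_redirect_uri" error code.
        return 400, "invalid redirect_uri for this client; not redirecting"
    # Only a validated redirect_uri may carry an error back via redirection.
    params = {"error": "access_denied", "state": query.get("state", "")}
    return 302, redirect_uri + "?" + urlencode(params)
```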