Re: [OAUTH-WG] Correct error code for rate limiting?

George Fletcher <gffletch@aol.com> Fri, 22 February 2019 14:02 UTC

To: David Waite <david@alkaline-solutions.com>, Aaron Parecki <aaron@parecki.com>
Cc: OAuth WG <oauth@ietf.org>
References: <CAGBSGjrrVbZhcnA8dNMp7xJnceGj8GzFJ-PeqQ6yFrOpgYjG5Q@mail.gmail.com> <9D2FC54D-176A-465A-8908-6D680763079C@alkaline-solutions.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <3367c77f-e635-3443-1833-b23018e6795e@aol.com>
Date: Fri, 22 Feb 2019 09:02:48 -0500
In-Reply-To: <9D2FC54D-176A-465A-8908-6D680763079C@alkaline-solutions.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4mtQcmyEZA9ZYQB2gsXzxpZoJvM>
Subject: Re: [OAUTH-WG] Correct error code for rate limiting?

+1 for using 429

On 2/22/19 2:09 AM, David Waite wrote:
> I don’t believe that any of the currently registered error codes are 
> appropriate for indicating that the password request is invalid, let 
> alone a more specific behavior like rate limiting.
>
> It is also my opinion that 400 Bad Request shouldn’t be used for known 
> transient errors, but rather for malformed requests - the request 
> could very well be correct (and have the correct password), but it is 
> being rejected due to temporal limits placed on the client or network 
> address/domain.
>
> So I would propose different statuses, such as 401 to indicate the 
> username/password were invalid, and either 429 (Too many requests) or 
> 403 (Forbidden) when rate limited or denied due to too many attempts. 
> That’s not to say that the body of the response can’t be an 
> OAuth-format JSON error, possibly with a standardized code - but again 
> I don’t think the currently registered codes would be appropriate for 
> conveying that.
>
> That said, I don’t know what interest there would be in standardizing 
> such codes, considering the existing recommendations against using 
> this grant type.
>
> -DW
>
>> On Feb 21, 2019, at 10:57 PM, Aaron Parecki <aaron@parecki.com 
>> <mailto:aaron@parecki.com>> wrote:
>>
>> The OAuth password grant section mentions taking appropriate measures 
>> to rate limit password requests at the token endpoint. However the 
>> error responses section (
>> https://tools.ietf.org/html/rfc6749#section-5.2) doesn't mention an 
>> error code to use if the request is being rate limited. What's the 
>> recommended practice here? Thanks!
>>
>> Aaron
>>
>> -- 
>> ----
>> Aaron Parecki
>> aaronparecki.com <http://aaronparecki.com/>
>> @aaronpk <http://twitter.com/aaronpk>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
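The three-way split David proposes above (400 only for malformed requests, 401 for bad resource-owner credentials, 429 when rate limited) with an OAuth-format JSON body, as an added Python example that is not part of the thread or of any OAuth implementation. Of the error strings used, only `invalid_request` and `invalid_grant` are registered by RFC 6749; `rate_limited`, the limiter thresholds, the per-key sliding window and the plaintext credential store are assumptions made for the example. The `Retry-After` header comes from RFC 6585, which defines status 429.

```python
"""Added example, not part of the OAuth WG thread: a minimal password-grant
token endpoint that separates malformed requests (400), bad credentials (401)
and rate limiting (429), each with an RFC 6749 section 5.2 style JSON body."""
import hmac
import math
import secrets
import time
from collections import defaultdict, deque

# Constructed credential store for the example only (real servers store password hashes).
USERS = {"alice": "correct horse battery staple"}

# Assumed rate-limit policy: at most MAX_ATTEMPTS token requests per WINDOW seconds per key.
MAX_ATTEMPTS = 5
WINDOW = 60.0


class SlidingWindowLimiter:
    """Counts token requests per key (client id or network address) in a sliding window."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW):
        self.max_attempts = max_attempts
        self.window = window
        self._hits = defaultdict(deque)

    def check(self, key, now):
        """Record the attempt and return 0.0 if allowed; otherwise return the
        seconds until the oldest counted attempt leaves the window."""
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            return self.window - (now - q[0])
        q.append(now)
        return 0.0


def _token_headers():
    # RFC 6749 section 5.1 requires no-store / no-cache on token responses; used on errors too.
    return {"Content-Type": "application/json;charset=UTF-8",
            "Cache-Control": "no-store", "Pragma": "no-cache"}


def oauth_error(status, error, description, retry_after=None):
    """Build (status, headers, body) for an OAuth-format JSON error response."""
    headers = _token_headers()
    if retry_after is not None:
        # RFC 6585 lets a 429 carry Retry-After so well-behaved clients back off.
        headers["Retry-After"] = str(retry_after)
    return status, headers, {"error": error, "error_description": description}


def handle_token_request(form, client_key, limiter, now=None):
    """Process one password-grant request; `form` is the parsed form body."""
    now = time.time() if now is None else now
    # Rate limit before any credential check so every attempt is counted.
    wait = limiter.check(client_key, now)
    if wait > 0:
        # "rate_limited" is an assumed, unregistered error string (RFC 6749 registers none for this).
        return oauth_error(429, "rate_limited",
                           "too many token requests for this client; retry later",
                           retry_after=math.ceil(wait))
    if form.get("grant_type") != "password" or "username" not in form or "password" not in form:
        # Genuinely malformed request: the registered invalid_request code with 400.
        return oauth_error(400, "invalid_request",
                           "grant_type=password with username and password is required")
    expected = USERS.get(form["username"])
    # Constant-time comparison of the supplied password against the stored one.
    if expected is None or not hmac.compare_digest(expected.encode(), form["password"].encode()):
        # Wrong resource-owner credentials: invalid_grant is registered; 401 follows the thread's proposal.
        return oauth_error(401, "invalid_grant", "invalid resource owner credentials")
    token = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}
    return 200, _token_headers(), token


if __name__ == "__main__":
    lim = SlidingWindowLimiter(max_attempts=3, window=60.0)
    req = {"grant_type": "password", "username": "alice", "password": "wrong"}
    for t in range(4):  # the fourth request inside the window is answered with 429
        print(handle_token_request(req, "client-a", lim, now=1000.0 + t)[0])
```

The limiter key is whatever the deployment chooses to throttle on (David's "client or network address/domain"); the handler keeps the limit check ahead of credential validation so that a correct password still gets a 429 rather than leaking whether it was right. Swapping 429 for 403 in `oauth_error` is the only change needed to follow the other option in the thread.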