[OAUTH-WG] Resource Owner Password Credential error response question

George Fletcher <gffletch@aol.com> Tue, 28 January 2014 16:08 UTC


I have a situation where some "trusted" clients would like to use the 
ROPC flow. However, there are a number of external circumstances that 
can block the request even though the user's credentials are actually 
valid. Basically, from a back-end perspective we want to force the user 
through a web flow. I looked through the list of error responses and 
none seem to fit. 'invalid_grant' is the closest but that wouldn't give 
the client any indication that the user might be able to successfully 
complete the authorization flow if the client sends the user through a 
web flow instead of the ROPC flow.

Now I know one answer... which is... to just always use the web flow :)

Has anyone else run into this? Do I register a new error response via 
Section 11.4? In looking at the template it doesn't appear possible to 
add error responses to an existing flow.

Does that mean I'd need to create an extension grant that is basically 
the same as the ROPC but because it's an extension now can have 
additional error responses?

Best practice guidance greatly appreciated! :)

Thanks,
George


-- 
George Fletcher <http://connect.me/gffletch>
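The situation described above, as an added example that is not part of the original post: a minimal token endpoint that accepts both the standard `password` grant and a hypothetical, unregistered extension grant with the same parameters. With the standard grant the server can only return RFC 6749 section 5.2 codes, so a policy denial is indistinguishable from bad credentials; with the extension grant an extra (hypothetical) error code tells the client to fall back to the web flow. The user store, the extension grant URI and the `authorization_required` error code are all constructed for this example.

```python
import hmac
import secrets

# Hypothetical extension grant type URI (assumption, not registered anywhere).
EXT_GRANT = "urn:example:params:oauth:grant-type:password-with-step-up"

# Constructed sample user store; web_flow_required models the "external
# circumstances" that make the back end insist on a browser-based flow.
USERS = {"alice": {"password": "correct horse", "web_flow_required": True},
         "bob":   {"password": "hunter2",       "web_flow_required": False}}

def _error(code, description):
    # RFC 6749 section 5.2: HTTP 400, JSON body, "error" required and
    # "error_description" optional developer-facing text.
    return 400, {"error": code, "error_description": description}

def token_endpoint(form):
    """Token endpoint for the password grant and the hypothetical extension grant."""
    grant = form.get("grant_type")
    if grant not in ("password", EXT_GRANT):
        return _error("unsupported_grant_type", "grant_type not supported")
    user = USERS.get(form.get("username", ""))
    # Constant-time comparison so a timing difference does not leak the password.
    if user is None or not hmac.compare_digest(user["password"], form.get("password", "")):
        return _error("invalid_grant", "invalid resource owner credentials")
    if user["web_flow_required"]:
        if grant == "password":
            # Standard grant: only the registered codes exist, so the client
            # cannot tell "go use the web flow" apart from "wrong password".
            return _error("invalid_grant", "request denied by policy")
        # Extension grant: the hypothetical extra code carries the hint.
        return _error("authorization_required", "complete the authorization code flow")
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def client_should_fallback_to_web_flow(status, body):
    """Client side: only the extension-specific error is a reliable signal."""
    return status == 400 and body.get("error") == "authorization_required"
```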