Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication
Justin Richer <jricher@mitre.org> Tue, 20 December 2011 14:23 UTC
Message-ID: <4EF09A35.1000807@mitre.org>
Date: Tue, 20 Dec 2011 09:22:45 -0500
From: Justin Richer <jricher@mitre.org>
To: Alexey Skolyarov <alexey.skolyarov@dins.ru>
References: <0433F58A304676408A8AF95199AFEB97CC1506@MS2.corp.dins.ru> <CABUp4f6Y=cvgM8T0VjuMo3RBC8Q4ru_QtT8Mg+_njud9kC7OOg@mail.gmail.com> <0433F58A304676408A8AF95199AFEB97CC157D@MS2.corp.dins.ru> <4EEF51BE.7080202@mitre.org> <0433F58A304676408A8AF95199AFEB97CC17B7@MS2.corp.dins.ru>
In-Reply-To: <0433F58A304676408A8AF95199AFEB97CC17B7@MS2.corp.dins.ru>
Cc: "oauth@ietf.org" <oauth@ietf.org>, Buhake Sindi <buhake@googlemail.com>
None, it responds with an error (400) and not a redirect (302). You don't include the state parameter on an error response, only on a valid redirection response.

-- Justin

On 12/20/2011 01:57 AM, Alexey Skolyarov wrote:
>
> I see that. But how should the server respond to an incorrect request (when it's not possible to determine the correct state to be passed)?
>
> Specifically, what state should be passed to the client: none, any, or all of them?
>
> --
> Best regards, Alexey Skolyarov
> Dino Systems Java Team
> Phone: +7 (812) 740-77-61 ext. 4161
> Skype: alexey.skolyarov
> Cell: +7 (905) 200-29-80
> Mailto: alexey.skolyarov@dins.ru
>
> *From:* Justin Richer [mailto:jricher@mitre.org]
> *Sent:* Monday, December 19, 2011 7:01 PM
> *To:* Alexey Skolyarov
> *Cc:* Buhake Sindi; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication
>
> The spec already says that you can't repeat request parameters on the line like that, so that's an invalid_request error, as described in section 5.2:
>
> > 5.2. Error Response
> >
> > The authorization server responds with an HTTP 400 (Bad Request) status code and includes the following parameters with the response:
> >
> > error
> >       REQUIRED. A single error code from the following:
> >       invalid_request
> >             The request is missing a required parameter, includes an unsupported parameter value, repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.
>
> -- Justin
>
> On 12/19/2011 08:20 AM, Alexey Skolyarov wrote:
>
> Hello Buhake,
>
> Thanks for your answer!
>
> It seems I should explain a bit here: I'm not asking how to pass the state with multiple values, I'm trying to figure out how an OAuth-2.0-draft-22-compliant server should respond to duplication of the state request parameter.
>
> For instance, what should be returned in response to the following request:
>
> GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=QWE&state=ASD&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
> Host: server.example.com
>
> It's unclear to me whether it should be
>
> HTTP/1.1 302 Found
> Location: https://client.example.com/cb?error=invalid_request
> (without the state completely; seems to be wrong beforehand)
>
> or
>
> HTTP/1.1 302 Found
> Location: https://client.example.com/cb?error=invalid_request&state=QWE
> (or ASD; one of the passed states used)
>
> or
>
> HTTP/1.1 302 Found
> Location: https://client.example.com/cb?error=invalid_request&state=QWE%20ASD
> (both, but this violates the idea that state should be kept unchanged).
>
> I hope this example makes my question clearer.
>
> Thanks in advance.
>
> --
> Best regards, Alexey Skolyarov
>
> *From:* Buhake Sindi [mailto:buhake@googlemail.com]
> *Sent:* Monday, December 19, 2011 4:53 PM
> *To:* Alexey Skolyarov
> *Subject:* Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication
>
> Hi Alexey,
>
> If I'm not mistaken, to declare multiple values in "state", the document states that it should be space-delimited (" "). This is unlike Facebook state, which is comma-delimited.
>
> On 19 December 2011 14:41, Alexey Skolyarov <alexey.skolyarov@dins.ru> wrote:
>
> Hello everybody,
>
> Since this is my first post on this list, I'll say a few words about whoami:
>
> My name is Alexey Skolyarov, I work in Saint-Petersburg, Russia. I'm interested in OAuth2 because I found no v2 providers for Jersey <http://jersey.java.net/> except Spring Security, which is much more complex than the 1.0a implementation in Jersey-contrib. Currently I'm under NDA, so I can't say more.
>
> Nevertheless, we've done a specification study and found a conflict: in the last paragraph of section 3.1 "Authorization Endpoint" <http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.1> it is mentioned that "/Request and response parameters MUST NOT be included more than once/".
>
> This statement conflicts with the /state/ parameter definition in section 4.1.2.1 "Error response" <http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.1.2.1>, where it's said that state is "/REQUIRED if a valid "state" parameter was present in the client authorization request. The exact value received from the client/".
>
> How should passing /state=QWE&state=ASD/ inside the same request be handled then?
>
> On one hand, it is forbidden to process requests with multiple parameter occurrences.
>
> But on the other hand, the specification requires passing the state if it was found in a request.
>
> Violation of either of these statements can be treated as "partial compliance" with draft-22, so I'm in doubt which way is preferred there.
>
> What do you guys think?
>
> Thanks in advance.
>
> --
> Best regards, Alexey Skolyarov
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> The Elite Gentleman
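An added example, not code from the thread or from any project discussed in it: a small Python authorization-endpoint check that applies Justin's answer above. A request that repeats any parameter, such as state=QWE&state=ASD, is answered with a direct 400 invalid_request and is never redirected, so the server never has to pick a state to echo; a well-formed request, or a redirectable error such as unsupported_response_type under the section 4.1.2.1 rules quoted in the thread, goes back to the registered redirect_uri with the single state value exactly as received. The client registry and the issued authorization code are constructed placeholders.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed client registry: client_id -> registered redirect_uri (placeholder values).
REGISTERED_CLIENTS = {"s6BhdRkqt3": "https://client.example.com/cb"}
# Constructed placeholder for the code a real server would mint and store.
ISSUED_CODE = "CONSTRUCTED-CODE-123"


def bad_request(description: str) -> dict:
    """Direct HTTP 400 answer (no Location header), as in the 5.2 text above."""
    return {"status": 400,
            "body": {"error": "invalid_request", "error_description": description}}


def handle_authorization_request(request_target: str) -> dict:
    """Decide how GET /authorize answers: a direct 400, or a 302 to the client."""
    pairs = parse_qsl(urlsplit(request_target).query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    repeated = sorted({n for n in names if names.count(n) > 1})
    if repeated:
        # Section 3.1: parameters MUST NOT appear more than once. The request is
        # malformed, so it is rejected here with 400 and no redirect; with no
        # redirect there is no "state" to choose between.
        return bad_request("parameter repeated: " + ", ".join(repeated))

    params = dict(pairs)  # safe now: every name occurs exactly once
    registered_uri = REGISTERED_CLIENTS.get(params.get("client_id", ""))
    if registered_uri is None or params.get("redirect_uri", registered_uri) != registered_uri:
        # Unknown client or a redirect_uri that is not the registered one: redirecting
        # would send the user agent to an unvetted location, so answer directly.
        return bad_request("unknown client_id or redirect_uri mismatch")

    # From here on the redirect target is trusted, so errors and successes both go
    # back by 302 and carry the one state value unchanged (section 4.1.2.1 rule).
    query = {}
    if params.get("response_type") != "code":
        query["error"] = "unsupported_response_type"
    else:
        query["code"] = ISSUED_CODE
    if "state" in params:
        query["state"] = params["state"]
    return {"status": 302, "location": registered_uri + "?" + urlencode(query)}
```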