Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication

Justin Richer <jricher@mitre.org> Tue, 20 December 2011 14:23 UTC


None, it responds with an error (400) and not a redirect (302). You 
don't include the state parameter on an error response, only on a valid 
redirection response.

  -- Justin
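As an added illustration of the rule in the reply above (example code, not from the thread or from any implementation it mentions): a minimal authorization-endpoint decision in Python. It assumes a constructed client registration table and a hypothetical `issue_code` callback; a repeated parameter gets a direct 400 invalid_request with no redirect and no state, while an error for a verified client and redirect_uri is redirected with the single state value echoed unchanged.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registration for the example; a real server looks it up.
REGISTERED_REDIRECTS = {"s6BhdRkqt3": {"https://client.example.com/cb"}}


def invalid_request(description):
    """Answer the user agent directly with 400: no redirect, no state."""
    body = {"error": "invalid_request", "error_description": description}
    return 400, {"Content-Type": "application/json"}, body


def handle_authorize(request_target, issue_code):
    """Decide the authorization endpoint's response to a GET request target.

    Returns (status, headers, body). issue_code is a hypothetical callback
    that mints an authorization code once the resource owner has consented.
    """
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)

    # Section 3.1: parameters MUST NOT be included more than once. With
    # state=QWE&state=ASD there is no unambiguous state to echo either, so
    # the request is malformed and gets a direct 400 (section 5.2 wording).
    dupes = sorted(name for name, values in params.items() if len(values) > 1)
    if dupes:
        return invalid_request("repeated parameter(s): " + ", ".join(dupes))

    flat = {name: values[0] for name, values in params.items()}
    client_id = flat.get("client_id")
    redirect_uri = flat.get("redirect_uri")
    # Never redirect an error to an unverified URI: answer directly instead.
    if redirect_uri not in REGISTERED_REDIRECTS.get(client_id, set()):
        return invalid_request("unknown client_id or unregistered redirect_uri")

    if flat.get("response_type") != "code":
        # Verified client and redirect_uri: the redirect-style error response
        # of section 4.1.2.1 applies, echoing the single state value unchanged.
        err = {"error": "unsupported_response_type"}
        if "state" in flat:
            err["state"] = flat["state"]
        return 302, {"Location": redirect_uri + "?" + urlencode(err)}, None

    ok = {"code": issue_code()}
    if "state" in flat:
        ok["state"] = flat["state"]  # the exact value received from the client
    return 302, {"Location": redirect_uri + "?" + urlencode(ok)}, None
```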

On 12/20/2011 01:57 AM, Alexey Skolyarov wrote:
>
> I see that. But how should the server respond to an incorrect request 
> (when it’s not possible to determine the correct state to be passed)?
>
> Specifically, what state should be passed to the client – none, any 
> or all of them?
>
> -- 
> Best regards, Alexey Skolyarov
> Dino Systems Java Team
> Phone: +7 (812) 740-77-61 ext. 4161
> Skype: alexey.skolyarov
>
> Cell: +7 (905) 200-29-80 Mailto: alexey.skolyarov@dins.ru
>
> *From:*Justin Richer [mailto:jricher@mitre.org]
> *Sent:* Monday, December 19, 2011 7:01 PM
> *To:* Alexey Skolyarov
> *Cc:* Buhake Sindi; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] conflict: error response invalid_request and 
> state parameter duplication
>
> The spec already says that you can't repeat request parameters on the 
> line like that, so that's an invalid_request error, as described in 
> section 5.2:
>
>
>       5.2.  Error Response
>
>   
>   
>     The authorization server responds with an HTTP 400 (Bad Request)
>     status code and includes the following parameters with the response:
>   
>     error
>           REQUIRED.  A single error code from the following:
>           invalid_request
>                 The request is missing a required parameter, includes an
>                 unsupported parameter value, repeats a parameter,
>                 includes multiple credentials, utilizes more than one
>                 mechanism for authenticating the client, or is otherwise
>                 malformed.
>
>
>
>  -- Justin
>
> On 12/19/2011 08:20 AM, Alexey Skolyarov wrote:
>
> Hello Buhake,
>
> Thanks for your answer!
>
> It seems I should explain a bit here – I’m not asking how to pass the 
> state with multiple values; I’m trying to figure out how an 
> OAuth-2.0-draft-22-compliant server should respond to duplication of 
> the state request parameter.
>
> For instance, what should be returned in response to the following request:
>
> GET 
> /authorize?response_type=code&client_id=s6BhdRkqt3&*state=QWE*&*state=ASD*&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb 
> HTTP/1.1
>
> Host: server.example.com
>
> It’s unclear to me whether it should be
>
> HTTP/1.1 302 Found
>
> Location: https://client.example.com/cb?error=invalid_request (without 
> the state completely – seems to be wrong beforehand)
>
> or
>
> HTTP/1.1 302 Found
>
> Location: https://client.example.com/cb?error=invalid_request&state=QWE 
> (or ASD - one of the passed states used)
>
> or
>
> HTTP/1.1 302 Found
>
> Location: https://client.example.com/cb?error=invalid_request&state=QWE%20ASD 
> (both, but violates the idea that state should be kept unchanged).
>
> I hope this example could make my question clearer.
>
> Thanks in advance.
>
> -- 
> Best regards, Alexey Skolyarov
>
>
> *From:*Buhake Sindi [mailto:buhake@googlemail.com]
> *Sent:* Monday, December 19, 2011 4:53 PM
> *To:* Alexey Skolyarov
> *Subject:* Re: [OAUTH-WG] conflict: error response invalid_request and 
> state parameter duplication
>
> Hi Alexey,
>
> If I'm not mistaken, to declare multiple values in "state", the 
> document states that it should be space-delimited (" "). This is 
> unlike Facebook state which is comma-delimited.
>
> On 19 December 2011 14:41, Alexey Skolyarov <alexey.skolyarov@dins.ru> wrote:
>
> Hello everybody,
>
> Since this is my first post on this list, I’ll say a few words about whoami:
>
> My name is Alexey Skolyarov, I work in Saint-Petersburg, Russia. I’m 
> interested in OAuth2 because I found no v2 providers for Jersey 
> <http://jersey.java.net/> except Spring Security, which is much more 
> complex than the 1.0a implementation in Jersey-contrib. Currently I’m 
> under NDA, so I can’t say more ☹
>
> Nevertheless we’ve done a specification study and found a conflict – in 
> the last paragraph of section 3.1. "Authorization Endpoint" 
> <http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.1> it is 
> mentioned that “/Request and response parameters MUST NOT be included 
> more than once/”.
>
> This statement conflicts with the /state/ parameter definition in section 
> 4.1.2.1 "Error response" 
> <http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.1.2.1>, 
> where it’s said that state is “/REQUIRED if a valid "state" parameter 
> was present in the client authorization request. The exact value 
> received from the client/”.
>
> How should passing /state=QWE&state=ASD/ inside the same request be 
> handled then?
>
> On the one hand, it is forbidden to process requests with multiple 
> parameter occurrences.
>
> On the other hand, the specification requires passing the state if it 
> was found in a request.
>
> Violation of either of these statements can be treated as “partial 
> compliance” with draft-22, so I’m in doubt which way is preferred there.
>
> What do you guys think?
>
> Thanks in advance.
>
> -- 
> Best regards, Alexey Skolyarov
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
> -- 
> The Elite Gentleman
>
>
>