IETF Logo Mail Archive

Re: [OAUTH-WG] Fwd: New Version Notification for draft-richer-oauth-introspection-01.txt

George Fletcher <gffletch@aol.com> Fri, 11 January 2013 19:57 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE30F21F8632 for <oauth@ietfa.amsl.com>; Fri, 11 Jan 2013 11:57:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.048
X-Spam-Level:
X-Spam-Status: No, score=-2.048 tagged_above=-999 required=5 tests=[AWL=0.550, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rNkNbYtD407t for <oauth@ietfa.amsl.com>; Fri, 11 Jan 2013 11:57:55 -0800 (PST)
Received: from imr-db02.mx.aol.com (imr-db02.mx.aol.com [205.188.91.96]) by ietfa.amsl.com (Postfix) with ESMTP id C9E2121F8610 for <oauth@ietf.org>; Fri, 11 Jan 2013 11:57:54 -0800 (PST)
Received: from mtaout-mb02.r1000.mx.aol.com (mtaout-mb02.r1000.mx.aol.com [172.29.41.66]) by imr-db02.mx.aol.com (Outbound Mail Relay) with ESMTP id 4C3081C000194; Fri, 11 Jan 2013 14:57:54 -0500 (EST)
Received: from palantir.local (unknown [10.172.6.217]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-mb02.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id B2802E0000FD; Fri, 11 Jan 2013 14:57:53 -0500 (EST)
Message-ID: <50F06EC1.4060203@aol.com>
Date: Fri, 11 Jan 2013 14:57:53 -0500
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: "Richer, Justin P." <jricher@mitre.org>
References: <20130108224847.20224.42156.idtracker@ietfa.amsl.com> <50EDC0AE.6050005@mitre.org> <50F04DF8.1070407@aol.com> <B33BFB58CCC8BE4998958016839DE27E06876939@IMCMBX01.MITRE.ORG>
In-Reply-To: <B33BFB58CCC8BE4998958016839DE27E06876939@IMCMBX01.MITRE.ORG>
Content-Type: multipart/alternative; boundary="------------010305030304070705000506"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1357934274; bh=B3ubhuLpxYlSd7dVBVP9ljSobHgE54tABkBfU/7fV14=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=Nw6mhvnMkRH8S1SrcgHFMDbc+a2qop3nqoNhCDZ9V6P0wS0LNU1ok5T7EX3QLMhkS 96Vyy5S8AtemzZUAOUpj+6GfqOJBK3nQXtU+etx9PPJgVcSRKP88tdcPIF2CFBU11P i6NGefuLemY37RVAi/grdvlbzxmGtlJUOUi12ZGA=
X-AOL-SCOLL-SCORE: 1:2:407192448:93952408
X-AOL-SCOLL-URL_COUNT: 1
x-aol-sid: 3039ac1d294250f06ec177ef
X-AOL-IP: 10.172.6.217
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-richer-oauth-introspection-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jan 2013 19:57:56 -0000

I definitely like the idea of an Errors section that normatively defines 
error responses.

Thanks,
George

On 1/11/13 1:04 PM, Richer, Justin P. wrote:
> It should follow the 6749 Token Endpoint error responses for bad 
> client credentials. That's what this text at the end of 2.3 is 
> supposed to mean:
>
>     If the client credentials are invalid or there is another error, the
>     Authorization Server responds with the appropriate error response
>     from the OAuth2 Core.
> Looking at it now, it's completely non-normative and stuffed into the 
> examples section, which is probably not the best way to describe it.
>
> There was some confusion about the {valid: false} response as well, so 
> now I'm thinking that should be pulled into an "Errors" section, perhaps?
>
>  -- Justin
>
> On Jan 11, 2013, at 12:38 PM, George Fletcher <gffletch@aol.com 
> <mailto:gffletch@aol.com>>
>  wrote:
>
>> Additional feedback on the introspection endpoint.
>>
>> What is the expected error response if the introspection endpoint is 
>> using client credentials as recommended in section 2.1
>> The endpoint SHOULD also require some form of authentication to
>>     access this endpoint, such as the Client Authentication as described
>>     in OAuth 2 Core Specification [RFC6749  <http://tools.ietf.org/html/rfc6749>] or a separate OAuth2 Access
>>     Token.
>> and the client credentials are invalid. It doesn't seem correct to 
>> return an HTTP 200 with a body of { "valid: false } as the endpoint 
>> probably never even tried to validate the token parameter.
>>
>> I can see a couple of options...
>>
>> 1. Follow the RFC 6749 /token endpoint and return an HTTP 40X 
>> response with the error described in JSON in the body of the response.
>>
>> 2. Follow RFC 6750 and return a WWW-Authenticate Response header that 
>> contains the error and optionally error_description.
>>
>> Thanks,
>> George
>>
>

v2.23.0 | Report a Bug | By Email