IETF Logo Mail Archive

Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"

Eran Hammer <eran@hueniverse.com> Thu, 08 March 2012 05:29 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD21521E8048 for <oauth@ietfa.amsl.com>; Wed, 7 Mar 2012 21:29:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.536
X-Spam-Level:
X-Spam-Status: No, score=-2.536 tagged_above=-999 required=5 tests=[AWL=0.062, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vatX7nTBQmtl for <oauth@ietfa.amsl.com>; Wed, 7 Mar 2012 21:29:15 -0800 (PST)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 75A3121E8029 for <oauth@ietf.org>; Wed, 7 Mar 2012 21:29:15 -0800 (PST)
Received: (qmail 31710 invoked from network); 8 Mar 2012 05:29:09 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 8 Mar 2012 05:29:09 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Wed, 7 Mar 2012 22:28:06 -0700
From: Eran Hammer <eran@hueniverse.com>
To: "matake@gmail" <matake@gmail.com>, Buhake Sindi <buhake@googlemail.com>
Date: Wed, 07 Mar 2012 22:27:57 -0700
Thread-Topic: [OAUTH-WG] Quick question about error response for "response_type=unknown"
Thread-Index: Aczwk5xj4w9FLHhvT2aZ4XFi7k1SUQMV5tYQ
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723453AFCD409A@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <58932B8B-2DDE-41D6-A91B-5036CC762C00@matake.jp> <1329757027.28055.YahooMailNeo@web31808.mail.mud.yahoo.com> <4F4284DD.3030006@alcatel-lucent.com> <1329798149.78115.YahooMailNeo@web31804.mail.mud.yahoo.com> <56F7111A-B65E-459A-BB8A-ED87CDF1EB4A@gmail.com> <CABUp4f5iFgotOM1BE8StwbXY6+494Q+DEsi5vTOWpBYzFJyg-w@mail.gmail.com> <CABUp4f5AB5QHfRUn=FsAn-tinS6+M-aQ6ezx2oQw9n3VthPkOw@mail.gmail.com> <8799A0DF-4BB9-4122-8CC0-D2A33C507A51@gmail.com>
In-Reply-To: <8799A0DF-4BB9-4122-8CC0-D2A33C507A51@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E723453AFCD409AP3PW5EX1MB01E_"
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2012 05:29:19 -0000

Section 3.1.1 states:

   If an authorization request is missing the "response_type" parameter,
   the authorization server MUST return an error response as described
   in Section 4.1.2.1.

The intention was to make this the catch-all scenario. While I do appreciate the issue here of the client using a response type that may require special encoding of the error information in the response, it is pretty easy to also support the authorization code response type error transport when using a response type other than code and token.

I have made the following change to clarify this:

   If an authorization request is missing the "response_type" parameter,
   [[or if the response type is not understood, ]]
   the authorization server MUST return an error response as described
   in Section 4.1.2.1.

"Not understood" means the server does not know anything about it. It should know about code and token, even if one or both are not supported and provide the required error response. This really is only about unknown extensions. Then according to section 4.1.2.1, the error code should be 'unsupported_response_type'.

I have tried to make the change as small as possible, but if my explanation isn't clear from the new text, please let me know and we'll get it clarified.

EH


From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of matake@gmail
Sent: Tuesday, February 21, 2012 4:23 AM
To: Buhake Sindi
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"

When server cannot understand the response_type, it can't know where the error response should be included.

ex.)
A JS client used response_type=code%20id_token and expected all returned parameters would be included in fragment.
However server couldn't understand the response_type and returned error messages in query.
Then client won't be able to handle the error.

Actually, clients expects returned parameters in query only when it uses response_type=code, at least in current proposed response_types.
(I'm thinking "current proposed response_types" as "code", "token", "code token", "token id_token", "code id_token" and "code token id_token")


On 2012/02/21, at 20:42, Buhake Sindi wrote:


Oops. Sorry, I believe I should have said, case 2.

And why is case 2 impossible? The only time case 1 is valid in the redirect_uri is invalid.

Buhake Sindi
On 21 February 2012 13:40, Buhake Sindi <buhake@googlemail.com<mailto:buhake@googlemail.com>> wrote:
Hi guys,

OAuth 2, Draft 23, Paragraph 4.1.2.1 clearly states:
If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client
identifier is missing or invalid, the authorization server SHOULD inform the resource owner of
the error, and MUST NOT automatically redirect the user-agent to the invalid redirection URI.

So, Case 1 is the only accepted case here.

Buhake Sindi


On 21 February 2012 13:34, matake@gmail <matake@gmail.com<mailto:matake@gmail.com>> wrote:
So the answer is "Show the error to the user without redirecting back to the client", right?
I'm now developing OAuth2 and OpenID Connect ruby library, and both of them return errors

case 1. redirect with error in query if response_type is "code" but it's not supported
case 2. redirect with error in fragment if response_type is "token code", "token id_token", "token code id_token" or "code id_token" but it's not supported
case 3. otherwise show error to the user without redirect since server cannot understand the response_type at all

But other server might not understand some of response_types listed in case 2 at all and choose case 3 in such case.
(ie. OAuth servers which don't understand OpenID Connect won't understand "id_token")

So I'm afraid that it reduces interoperability, a bit.

On 2012/02/21, at 13:22, William Mills wrote:


I does allow some parts of your server config to be discovered.  More of a problem in error responses is usually echoing back the user data, or allowing user enumeration for example.  Care is required, but you don't have a ton of options here.

________________________________
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com<mailto:igor.faynberg@alcatel-lucent.com>>
To: oauth@ietf.org<mailto:oauth@ietf.org>
Sent: Monday, February 20, 2012 9:37 AM
Subject: Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"

Could there be a potential security hole in providing an error response?  (Not that I see it, but many problems in the past had been caused by helpful responese.)

Igor

On 2/20/2012 11:57 AM, William Mills wrote:
Respond with an error in protocol.  Thta won't include a redirect, and the client has to know what to do.

________________________________
From: nov matake <nov@matake.jp><mailto:nov@matake.jp>
To: oauth WG <oauth@ietf.org><mailto:oauth@ietf.org>
Sent: Monday, February 20, 2012 6:11 AM
Subject: [OAUTH-WG] Quick question about error response for "response_type=unknown"

Hi OAuthers,

My apologies if you already discussed this.

When OAuth server received unknown response_type, how should the server handle the error?

1. Show the error to the user without redirecting back to the client
2. Redirect back to the client including the error in query
3. Redirect back to the client including the error in fragment

Since choosing 2 or 3 is impossible in this case, 1 seems reasonable for me.


--
nov
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth




_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth





--
The Elite Gentleman

v2.23.0 | Report a Bug | By Email