Re: [OAUTH-WG] Request sent to http: instead of https:

Paul Tarjan <paul.tarjan@facebook.com> Wed, 13 October 2010 20:59 UTC

From: Paul Tarjan <paul.tarjan@facebook.com>
To: Marius Scurtescu <mscurtescu@google.com>
Date: Wed, 13 Oct 2010 21:00:34 +0000
Cc: "<oauth@ietf.org>" <oauth@ietf.org>

> 
>> At Facebook we issue an HTTP 400 with "invalid_request" as the error.
>> http://graph.facebook.com/me?access_token=blah&client_id=150629244948164
>> (the client_id is to enable draft-10 error messaging).
> 
> Without client_id you get a different error message (JSON as well, but
> not OAuth2 compliant). Why do you need this parameter to make the
> distinction?

Backwards compatibility. When we shipped, OAuth2 was at draft 00 and there was no standard error mechanism. So we invented one that isn't compatible with the current error codes (our key "error" was an array, and the current one is a "string" so we can't just send both).

When the spec finalizes, we'll do a single migration and change the default to be the final format (and all other non-backwards compatible changes).

Paul
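
The behaviour discussed in this message, sketched as an added example that is not part of the original post and is not Facebook's code: a resource server refuses an access token that arrives over plain http with a 400, and chooses the error format by whether `client_id` is present, while a client normalises both formats. The host name, the function names and the shape of the legacy error structure are assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qs

DRAFT10_ERROR = "invalid_request"  # error code named in the message


def build_error(params):
    """Pick the error body format the way the message describes."""
    if "client_id" in params:
        # Draft-10 style: "error" is a plain string.
        return {"error": DRAFT10_ERROR}
    # Legacy style: "error" is a structure. Field names here are constructed
    # for illustration; the real legacy format is not shown on the page.
    return {"error": {"type": "ExampleLegacyError",
                      "message": "request must use https"}}


def respond(url):
    """Return (status, json_body) for a protected-resource request URL."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    if "access_token" in params and parts.scheme.lower() != "https":
        # The token has already crossed the network in cleartext; refuse to
        # act on it rather than serving the resource.
        return 400, json.dumps(build_error(params))
    return 200, json.dumps({})


def error_code(body):
    """Client side: normalise either format to a single string code."""
    err = json.loads(body).get("error")
    if isinstance(err, str):
        return err
    if isinstance(err, dict):
        return err.get("type")
    return None
```

Because the same `error` key holds a string in one format and a structure in the other, a single response cannot carry both, which is why the sketch switches on a request parameter.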