IETF Logo Mail Archive

Re: [OAUTH-WG] Correct error code for rate limiting?

George Fletcher <gffletch@aol.com> Fri, 22 February 2019 15:29 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D94271276D0 for <oauth@ietfa.amsl.com>; Fri, 22 Feb 2019 07:29:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CxJ1zZaNyCzN for <oauth@ietfa.amsl.com>; Fri, 22 Feb 2019 07:29:55 -0800 (PST)
Received: from sonic303-3.consmr.mail.bf2.yahoo.com (sonic303-3.consmr.mail.bf2.yahoo.com [74.6.131.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F6CE130E95 for <oauth@ietf.org>; Fri, 22 Feb 2019 07:29:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1550849391; bh=LIPHt4pxq4x233UpDXCysm3ci9f3FL2CNumiBjgqbqM=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=YwClaR1bMwUd3MMd3AkaeooyTkTV0rnqnerE0MBTTUNRE7gs8d8vPX25IOJDiWAjgmH1HmBXQwu4jimXo5Uus3XOoKKw2J3CywdDrFPaWrz/MMKJ+do8Apn9TXOaTruS5kbGBOIyaFfob3lzHxTFVMjgxlaqjIofyuG9hT5d3feLtg9tpzVXvhSyLCdHGzIJVRYfZOV3/fytoVJW+cBzOmw+VjPqFZPkfaBSMdu0VQK9Iq5We4UUmnxC3LNo1ChayDEUGMPTWcycUTeG4V1/vDMipBZHMmqVkSw8HHN22kiIgxajBtJ62Ph1Igp2QhyHk6/8hDoFK6l5/Y38POgO8w==
X-YMail-OSG: ExZscJIVM1k.eGenzxWiaML9mZ8nBUVC6VFZNcRfSzgCN4YIhvbJrfLQnsbA3T2 aIV4X5JoEJBOxYQv_To22lvQ7sdt9_xtlsFBNWk6AXgQjAGV2HCWCctVcWJ3BjAGR6CRem_qGa.1 H_49UNzd8ZiVKzSeOGBeFBtTq_tRRaf7IqyXejjCajEOM8T5v61NKciB7ZJlBiv6l6bb1C5FyZ82 0kIPBn9Vrgo0OrgKa609YD.cGwCF_pyoB30tu.Fw.Yu4ylYEtAu5Z4kFL3xukcOHfq4S54vPzWD2 rQU4HjG7p4BGI_sRJWv9ydcTDNP3XNzdWGl7tOD0k22en0qbOepObyK0QIAzFCC1Hk9cs8xi4qe0 WRw3z3tSbR4gMIvdPI6D74M4gXwtN2z7cS9Won3VBkNxDLCmnZffFdtIjh78MvT8jy4P8IBxtPs4 q6_udx7RwvqlICMPXAmak3j7FQE0VUu29BhgSw96sLS3cvmz0zGUCRg4_Ft0jct2CaKl5IE9DORV MRXZvna.RyhVnUDn2PrOEX0jqLAdyDI8J83fDvCy2RTL64cBwahHKVDnAF3n0PRuOj54CDfLZ79T iEUdSc7Ia..a16JBMFXiq_RX0bcWaDBgm_DXKoZ7vve6QQSoUumzCeO5pfTvkscmRyBvDFtKcCg9 Uv9A2bg2IbhNgxJ434Aly.log7pG_NhVLmDBNoeGL.5Izw6T1h8cfHYFwsqL32Kgm66J1VcKJEnL 0IO_Kr5F44qwl1uQyE54zf5z1x8ZwEu1XHlL7iB_ZU5GsieW.M3yrwXO2J9mUZeixdBXgL22vKjt O1P1HV3DcDkQOgfrqoS7mmDbpnM97VIbiELYwsLgDWt3yRl.P5myS2d564FALvWGNWdDnXQEz8YO mC1K5b.El9pN8W1E90g2lMI0GiEQO..JYsMqmOYyk3a.PU3Vhs72C4zo48qAF712vTFbMR5r9quv mC5k94VqpZqLvMR31Men3cK8zbTmagexlp_6qNDa8eKl.kP4e_ZrLRBWAQKr1eG4w0TlE8RS1s6p C630_dJld44uQISyqK5pG90ziL7EixttacpuB149ILyXJgaW6.UhxdvTgqvb.oENRYHl.vWY-
Received: from sonic.gate.mail.ne1.yahoo.com by sonic303.consmr.mail.bf2.yahoo.com with HTTP; Fri, 22 Feb 2019 15:29:51 +0000
Received: from nat-vpn-users1.cfw-a-gci.net.buffalo.office.oath (EHLO [172.135.141.144]) ([184.165.8.96]) by smtp416.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 80ac816fc015f527b3a33a66092ea95e; Fri, 22 Feb 2019 15:29:48 +0000 (UTC)
To: Aaron Parecki <aaron@parecki.com>
Cc: David Waite <david@alkaline-solutions.com>, OAuth WG <oauth@ietf.org>
References: <CAGBSGjrrVbZhcnA8dNMp7xJnceGj8GzFJ-PeqQ6yFrOpgYjG5Q@mail.gmail.com> <9D2FC54D-176A-465A-8908-6D680763079C@alkaline-solutions.com> <3367c77f-e635-3443-1833-b23018e6795e@aol.com> <CAGBSGjqLf4cMhJ8=EVTy1i7DX7MO92ioW5vR75sfFSEKRKjSuA@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <ac792233-6a3f-17f8-07d8-be89ecd01bc4@aol.com>
Date: Fri, 22 Feb 2019 10:29:47 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.5.0
MIME-Version: 1.0
In-Reply-To: <CAGBSGjqLf4cMhJ8=EVTy1i7DX7MO92ioW5vR75sfFSEKRKjSuA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------C2AC670F448DCF3903DFBFA4"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GN7BNv9e4NE8PHGmJjCyVKqEUkE>
Subject: Re: [OAUTH-WG] Correct error code for rate limiting?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Feb 2019 15:30:02 -0000

I believe Torsten proposed an "authentication_failed" error response in 
a different context. Possibly we could use that?

Alternatively, OpenID Connect defines a 'login_required' error that 
could work in this context as well. It doesn't fit the semantic as 
defined in the OIDC spec, but as an error would work.

If we need to use an existing OAuth2 error code, then I'd recommend 
'invalid_request' in that the request is invalid because there are too 
many of them which is indicated by the 429 HTTP error code.

On 2/22/19 9:53 AM, Aaron Parecki wrote:
> HTTP 429 sounds fine for the HTTP response code, but what about the 
> OAuth error code string? "invalid_grant" seems closest but doesn't 
> sound right because if the app tries the same request again later it 
> would be valid.
>
>
>
> On Fri, Feb 22, 2019 at 6:02 AM George Fletcher <gffletch@aol.com 
> <mailto:gffletch@aol.com>> wrote:
>
>     +1 for using 429
>
>
>     On 2/22/19 2:09 AM, David Waite wrote:
>>     I don’t believe that any of the currently registered error codes
>>     are appropriate for indicating that the password request is
>>     invalid, let alone a more specific behavior like rate limiting.
>>
>>     It is also my opinion that 400 Bad Request shouldn’t be used for
>>     known transient errors, but rather for malformed requests - the
>>     request could very well be correct (and have the correct
>>     password), but it is being rejected due to temporal limits placed
>>     on the client or network address/domain.
>>
>>     So I would propose a different statuses such 401 to indicate the
>>     username/password were invalid, and either 429 (Too many
>>     requests) or 403 (Forbidden) when rate limited or denied due to
>>     too many attempts. Thats not to say that the body of the response
>>     can’t be an OAuth-format JSON error, possibly with a standardized
>>     code - but again I don’t think the currently registered codes
>>     would be appropriate for conveying that.
>>
>>     That said, I don’t know what interest there would be in
>>     standardizing such codes, considering the existing
>>     recommendations against using this grant type.
>>
>>     -DW
>>
>>>     On Feb 21, 2019, at 10:57 PM, Aaron Parecki <aaron@parecki.com
>>>     <mailto:aaron@parecki.com>> wrote:
>>>
>>>     The OAuth password grant section mentions taking appropriate
>>>     measures to rate limit password requests at the token endpoint.
>>>     However the error responses section (
>>>     https://tools.ietf.org/html/rfc6749#section-5.2) doesn't mention
>>>     an error code to use if the request is being rate limited..
>>>     What's the recommended practice here? Thanks!
>>>
>>>     Aaron
>>>
>>>     -- 
>>>     ----
>>>     Aaron Parecki
>>>     aaronparecki.com <http://aaronparecki.com/>
>>>     @aaronpk <http://twitter.com/aaronpk>
>>>
>>>     _______________________________________________
>>>     OAuth mailing list
>>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>     https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth
>
> -- 
> ----
> Aaron Parecki
> aaronparecki.com <http://aaronparecki.com>
> @aaronpk <http://twitter.com/aaronpk>
>

v2.23.0 | Report a Bug | By Email