Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication

Alexey Skolyarov <> Tue, 20 December 2011 06:57 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9820821F84D4 for <>; Mon, 19 Dec 2011 22:57:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.478
X-Spam-Status: No, score=-0.478 tagged_above=-999 required=5 tests=[AWL=0.650, BAYES_00=-2.599, HELO_EQ_RU=0.595, HOST_EQ_RU=0.875, HTML_MESSAGE=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4IdjIqGM4rHh for <>; Mon, 19 Dec 2011 22:57:10 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id B80FE21F84D2 for <>; Mon, 19 Dec 2011 22:57:09 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id E2477DB49D9; Tue, 20 Dec 2011 09:57:05 +0300 (MSK)
Received: from ([fe80::f022:21e1:10a0:b75e]) by ([fe80::58ae:e620:6b29:a68b%11]) with mapi id 14.01.0355.002; Tue, 20 Dec 2011 10:57:08 +0400
From: Alexey Skolyarov <>
To: Justin Richer <>
Thread-Topic: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication
Thread-Index: Acy+S4VYvA+l6ZnUQliB5+O9EKnZ7f//wDsA//+4skCAAGsZAP/+tVRw
Date: Tue, 20 Dec 2011 06:57:07 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: ru-RU, en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_0433F58A304676408A8AF95199AFEB97CC17B7MS2corpdinsru_"
MIME-Version: 1.0
Cc: "" <>, Buhake Sindi <>
Subject: Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 20 Dec 2011 06:57:11 -0000

I see that. But how the server should respond on incorrect request (when it’s not possible to determine correct state to be passed).
Specifically, what state should be passed to the client – no one, any or all of them?

Best regards, Alexey Skolyarov
Dino Systems Java Team
Phone: +7 (812) 740-77-61 ext. 4161    Skype: alexey.skolyarov
Cell: +7 (905) 200-29-80                             Mailto:<>

From: Justin Richer []
Sent: Monday, December 19, 2011 7:01 PM
To: Alexey Skolyarov
Cc: Buhake Sindi;
Subject: Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication

The spec already says that you can't repeat request parameters on the line like that, so that's an invalid_request error, as described in section 5.2:
5.2.  Error Response

   The authorization server responds with an HTTP 400 (Bad Request)

   status code and includes the following parameters with the response:


         REQUIRED.  A single error code from the following:


               The request is missing a required parameter, includes an

               unsupported parameter value, repeats a parameter,

               includes multiple credentials, utilizes more than one

               mechanism for authenticating the client, or is otherwise


 -- Justin

On 12/19/2011 08:20 AM, Alexey Skolyarov wrote:
Hello Buhake,

Thanks for your answer!
It seems I should explain a bit here – I’m not about how to pass the state with multiple values, I’m trying to figure out how the OAuth-2.0-draft-22 – compliant server should respond on duplication of state request parameter.

For instance what should be returned in response on following request:
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=QWE&state=ASD&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1

It’s unclear for me should it be
HTTP/1.1 302 Found
Location: (without the state completely – seems to be wrong beforehand)
HTTP/1.1 302 Found
Location: ( or ASD - one of passed states used)
HTTP/1.1 302 Found
Location: (both but violates the idea that state should be kept unchanged).

I hope this example could make my question clearer.

Thanks in advance.
Best regards, Alexey Skolyarov

From: Buhake Sindi []
Sent: Monday, December 19, 2011 4:53 PM
To: Alexey Skolyarov
Subject: Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication

Hi Alexey,

If I'm not mistaken, to declare multiple values in "state", the document states that it should be space-delimited (" "). This is unlike Facebook state which is comma-delimited.
On 19 December 2011 14:41, Alexey Skolyarov <<>> wrote:
Hello everybody,

Since this is my first post on this list, I’ll say few words about whoami:
My name is Alexey Skolyarov, I work in Saint-Petersburg, Russia. I’m interested in OAuth2 because I found no v2 providers for Jersey<> except Spring Security which is much more complex than 1.0a implementation in Jersey-contrib. Currently I’m under NDA, so I can’t say more ☹

Nevertheless we’ve done specification study and found a conflict – in last paragraph of section 3.1. "Authorization Endpoint"<> it is mentioned that “Request and response parameters MUST NOT be included more than once”.
This statement conflicts with state parameter definition in section "Error response"<>, where it’s said that state is “REQUIRED if a valid "state" parameter was present in the client  authorization request.  The exact value received from the client”.

How passing state=QWE&state=ASD inside same request should be handled then?

From one hand it is forbidden to process requests with multiple parameter occurrences.
But from another hand Specification requires to pass the state if it was found in a request.
Violation of any of these statements can be treated as “partial compliance” to draft-22, so I’m in doubt what way is preferred there.

What do you guys think?

Thanks in advance.
Best regards, Alexey Skolyarov

OAuth mailing list<>

The Elite Gentleman


OAuth mailing list<>