Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication
Alexey Skolyarov <alexey.skolyarov@dins.ru> Tue, 20 December 2011 06:57 UTC
From: Alexey Skolyarov <alexey.skolyarov@dins.ru>
To: Justin Richer <jricher@mitre.org>
Date: Tue, 20 Dec 2011 06:57:07 +0000
Message-ID: <0433F58A304676408A8AF95199AFEB97CC17B7@MS2.corp.dins.ru>
References: <0433F58A304676408A8AF95199AFEB97CC1506@MS2.corp.dins.ru> <CABUp4f6Y=cvgM8T0VjuMo3RBC8Q4ru_QtT8Mg+_njud9kC7OOg@mail.gmail.com> <0433F58A304676408A8AF95199AFEB97CC157D@MS2.corp.dins.ru> <4EEF51BE.7080202@mitre.org>
In-Reply-To: <4EEF51BE.7080202@mitre.org>
Cc: "oauth@ietf.org" <oauth@ietf.org>, Buhake Sindi <buhake@googlemail.com>
Subject: Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication
I see that. But how should the server respond to an incorrect request (when it's not possible to determine the correct state to be passed)? Specifically, what state should be passed to the client: none, any, or all of them?

--
Best regards,
Alexey Skolyarov
Dino Systems Java Team
Phone: +7 (812) 740-77-61 ext. 4161
Skype: alexey.skolyarov
Cell: +7 (905) 200-29-80
Mailto: alexey.skolyarov@dins.ru

From: Justin Richer [mailto:jricher@mitre.org]
Sent: Monday, December 19, 2011 7:01 PM
To: Alexey Skolyarov
Cc: Buhake Sindi; oauth@ietf.org
Subject: Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication

The spec already says that you can't repeat request parameters on the line like that, so that's an invalid_request error, as described in section 5.2:

5.2. Error Response

The authorization server responds with an HTTP 400 (Bad Request) status code and includes the following parameters with the response:

error
      REQUIRED. A single error code from the following:

      invalid_request
            The request is missing a required parameter, includes an unsupported parameter value, repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.

-- Justin

On 12/19/2011 08:20 AM, Alexey Skolyarov wrote:

Hello Buhake,

Thanks for your answer! It seems I should explain a bit here: I'm not asking how to pass the state with multiple values, I'm trying to figure out how an OAuth-2.0-draft-22-compliant server should respond to duplication of the state request parameter.

For instance, what should be returned in response to the following request:

GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=QWE&state=ASD&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com

It's unclear to me whether it should be

HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=invalid_request

(without the state completely; seems to be wrong beforehand) or

HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=invalid_request&state=QWE

(or ASD; one of the passed states used) or

HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=invalid_request&state=QWE%20ASD

(both, but violates the idea that state should be kept unchanged).

I hope this example makes my question clearer. Thanks in advance.

--
Best regards,
Alexey Skolyarov

From: Buhake Sindi [mailto:buhake@googlemail.com]
Sent: Monday, December 19, 2011 4:53 PM
To: Alexey Skolyarov
Subject: Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication

Hi Alexey,

If I'm not mistaken, to declare multiple values in "state", the document states that it should be space-delimited (" "). This is unlike Facebook state which is comma-delimited.

On 19 December 2011 14:41, Alexey Skolyarov <alexey.skolyarov@dins.ru> wrote:

Hello everybody,

Since this is my first post on this list, I'll say a few words about whoami: My name is Alexey Skolyarov, I work in Saint-Petersburg, Russia. I'm interested in OAuth2 because I found no v2 providers for Jersey <http://jersey.java.net/> except Spring Security, which is much more complex than the 1.0a implementation in Jersey-contrib. Currently I'm under NDA, so I can't say more ☹

Nevertheless we've done a specification study and found a conflict: in the last paragraph of section 3.1 "Authorization Endpoint" <http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.1> it is mentioned that "Request and response parameters MUST NOT be included more than once".

This statement conflicts with the state parameter definition in section 4.1.2.1 "Error response" <http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.1.2.1>, where it's said that state is "REQUIRED if a valid "state" parameter was present in the client authorization request. The exact value received from the client". How should passing state=QWE&state=ASD inside the same request be handled then? On the one hand it is forbidden to process requests with multiple parameter occurrences. But on the other hand the specification requires passing the state if it was found in a request. Violation of either of these statements can be treated as "partial compliance" with draft-22, so I'm in doubt which way is preferred there. What do you guys think?

Thanks in advance.

--
Best regards,
Alexey Skolyarov

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--
The Elite Gentleman
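The duplicated-state request discussed in this thread, worked through in code. This is an added example and not code from the thread or from any OAuth implementation it mentions. It assumes a hypothetical client registry with one registered redirect_uri, an exact-match redirect_uri policy, and one particular answer to Alexey's question: when state itself is the repeated parameter, no state is echoed, on the reading that a repeated state is not a "valid" state parameter in the sense of section 4.1.2.1 (that choice is the example's, not the thread's). The check it adds beyond the thread is the one a practitioner has to get right first: an invalid_request may only be delivered by redirect after client_id and redirect_uri have been validated; if they cannot be, the server must answer with its own HTTP 400, because redirecting an error to an unvalidated URI turns the authorization endpoint into an open redirector.

```python
"""Authorization-endpoint request validation for draft-ietf-oauth-v2-22:
a repeated parameter is invalid_request (sections 3.1 and 5.2).

Added example; registry, redirect policy and state handling are assumptions."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed, hypothetical client registry (one client, one registered URI).
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {"redirect_uris": ["https://client.example.com/cb"]},
}

REQUIRED = ("response_type", "client_id")


def parse_auth_query(query):
    """Parse the query string keeping EVERY occurrence of each name, so that
    duplicates are visible instead of silently collapsed to first/last value."""
    return parse_qs(query, keep_blank_values=True)


def find_repeated(params):
    """Names that appear more than once; any of them makes the request invalid."""
    return sorted(name for name, values in params.items() if len(values) > 1)


def resolve_redirect_uri(params):
    """Return the redirect URI the error may be sent to, or None if the request
    cannot be trusted to redirect: ambiguous or unknown client_id, repeated
    redirect_uri, or a redirect_uri that does not exactly match a registered one.
    In the None case the server must show the error itself (HTTP 400)."""
    client_ids = params.get("client_id", [])
    redirect_uris = params.get("redirect_uri", [])
    if len(client_ids) != 1 or len(redirect_uris) > 1:
        return None
    client = REGISTERED_CLIENTS.get(client_ids[0])
    if client is None:
        return None
    registered = client["redirect_uris"]
    if not redirect_uris:
        # No redirect_uri in the request: usable only if exactly one is registered.
        return registered[0] if len(registered) == 1 else None
    return redirect_uris[0] if redirect_uris[0] in registered else None


def build_error_redirect(redirect_uri, error, state=None):
    """Append error (and state, if any) to the registered URI's query component."""
    parts = urlsplit(redirect_uri)
    pairs = [("error", error)]
    if state is not None:
        pairs.append(("state", state))
    query = parts.query + ("&" if parts.query else "") + urlencode(pairs)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def handle_authorization_request(query):
    """Return (http_status, location, error):
    (302, Location, "invalid_request") when the error can safely be redirected,
    (400, None, "invalid_request") when it cannot or the request is malformed
    in a way that leaves no trustworthy redirect target,
    (200, None, None) when the request is well-formed and processing may continue."""
    params = parse_auth_query(query)
    redirect_uri = resolve_redirect_uri(params)
    repeated = find_repeated(params)
    missing = [name for name in REQUIRED if name not in params]

    if not repeated and not missing:
        if redirect_uri is None:
            return (400, None, "invalid_request")
        return (200, None, None)

    if redirect_uri is None:
        # Unvalidated redirect target: never redirect an error there.
        return (400, None, "invalid_request")

    if "state" in repeated:
        # Assumption of this example: a repeated state is not a valid state
        # parameter, so none is echoed rather than guessing or concatenating.
        state = None
    else:
        state = params.get("state", [None])[0]
    return (302, build_error_redirect(redirect_uri, "invalid_request", state),
            "invalid_request")


if __name__ == "__main__":
    # The request from the thread, with state sent twice.
    thread_query = ("response_type=code&client_id=s6BhdRkqt3&state=QWE&state=ASD"
                    "&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb")
    print(handle_authorization_request(thread_query))
```

Running the block prints `(302, 'https://client.example.com/cb?error=invalid_request', 'invalid_request')` for the thread's request. The same function returns a 302 carrying `state=QWE` when a single state is present and some other parameter is at fault (for instance a missing response_type), and falls back to a 400 when client_id is repeated or the redirect_uri is not registered, since then there is no redirect target the server can vouch for.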