[OAUTH-WG] Missing response_type with implicit and code flows on the same path

Sergey Beryozkin <sberyozkin@gmail.com> Tue, 09 February 2016 14:39 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69D0B1A90A2 for <oauth@ietfa.amsl.com>; Tue, 9 Feb 2016 06:39:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XI0SIlpZ-yND for <oauth@ietfa.amsl.com>; Tue, 9 Feb 2016 06:39:31 -0800 (PST)
Received: from mail-wm0-x232.google.com (mail-wm0-x232.google.com [IPv6:2a00:1450:400c:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E98941A90A1 for <oauth@ietf.org>; Tue, 9 Feb 2016 06:39:30 -0800 (PST)
Received: by mail-wm0-x232.google.com with SMTP id 128so199222141wmz.1 for <oauth@ietf.org>; Tue, 09 Feb 2016 06:39:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:references:to:from:message-id:date:user-agent:mime-version :in-reply-to:content-type:content-transfer-encoding; bh=bB5dUXIZKvif5BhMxumBEZHMevOAcjvFMgo6lLXu5tw=; b=xS6GDyhw6hRvhgHj9y8PJFdXZL+PoqXBkomzTII5cQLKKIQsngP9sDU5iRJmr+eXb0 7puQ5oCOaQoNYSQ/6Z+hwj07IEs5hKORHykiIWwj6AnqglqND3aAG1nwXmqXmT87RaOU 6VGi+cTc//rrXslsBtIBHgZlOLsvqoaYiWw2c0zJBcUsf8GFMxJxiPr4xqrPg8P37rT9 30UF83cq8sIJ49Mdw8UYKI8ig35KverLmC7G4UMJ6wlN09064XNO0lFSTgZksWmq0NQk HMby2lLyUhqGY/OHAyheutozRYtcEknlLhIB4bozjOu2oMXdJgjkMdxwz8yAPzF6fB/V mDlg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:references:to:from:message-id:date :user-agent:mime-version:in-reply-to:content-type :content-transfer-encoding; bh=bB5dUXIZKvif5BhMxumBEZHMevOAcjvFMgo6lLXu5tw=; b=KXyLF5CIs/RqCvULTj8TkLHcs7XhOqbEqP5D8fCHcOd1W42IKy6qJDgDlKLH1hQnGV macwoZWMyZ0hPu1TlgvKdyGg4d++odbUeLE081BU00ddNTNpn3bySaeCl9VllSrE/NGs sI+pEb63Ntscc0lK4zXv3xWlcsNC3QmREjiVrM0cdQ1uFEzBVANAvNjTB3mLMKHRZoNe XfYqFK6dnBik1MDEu4SpUjbICTrefWxnKnoAq6plxnbGPmthhQbG+RWilUO51E8OAga0 /3A56PiFk/3gEpEZjGoizYPxhSQ2ABIGDcGZloXcQLZ6Z12lOFou2HvigfyxZ6iy/94Q fy4w==
X-Gm-Message-State: AG10YOSlBrsc78rxOrsrZ0RspJdRT7EFdE+Rct3VPqu8vtK/pWEeKLOARq8q1dlBN2w4bg==
X-Received: by 10.28.73.136 with SMTP id w130mr5576099wma.36.1455028769511; Tue, 09 Feb 2016 06:39:29 -0800 (PST)
Received: from [10.36.226.98] ([80.169.137.63]) by smtp.googlemail.com with ESMTPSA id i2sm34966171wjx.42.2016.02.09.06.39.28 for <oauth@ietf.org> (version=TLSv1/SSLv3 cipher=OTHER); Tue, 09 Feb 2016 06:39:28 -0800 (PST)
References: <56B3A400.2080606@gmx.net> <62D1E1DB-17A4-4ABD-81F3-8659F40D7E88@mit.edu> <CAOahYUxSMopc0hoXG8ocMk+p1b__NqapuztuHiWchpYRQqvP2w@mail.gmail.com> <9DC45CB4-07D8-4F17-8311-02AD60521379@ve7jtb.com> <CAAP42hBnZMV51vcL2GQD6kbCS7aDC0pz0KP-nMsoT0j+EgkiGg@mail.gmail.com>
To: oauth@ietf.org
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <56B9FA20.60509@gmail.com>
Date: Tue, 9 Feb 2016 14:39:28 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <CAAP42hBnZMV51vcL2GQD6kbCS7aDC0pz0KP-nMsoT0j+EgkiGg@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/NHqfw5VC8orjVDqb7XswK4ByC9M>
Subject: [OAUTH-WG] Missing response_type with implicit and code flows on the same path
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Feb 2016 14:39:32 -0000

Hi

OAuth2 spec recommends how to deal with a missing response_type, set an 
error as a query or fragment parameter, depending on whether it is the 
authorization code or implicit flow and redirect.

This implies that authorization code and implicit handlers listen on 
different paths, for example,

code: /code
implicit: /implicit

so if a response type is missing the handler will know how to set the 
error on the redirect uri, as a query or a fragment.....

However, I'd like to have a single handler, example (from the OIDC core):

"https://server.example.com/authorize"

which will support both the code and implicit flows.

Here, 'response_type' is an obvious hint on what kind of flow is in 
process, however, if it is missing, how will a server know how to report 
a missing response_type error if it uses a shared "/authorize" path.

I think in such cases reporting 400 is reasonable. Do you agree ?

Thanks, Sergey