Re: [OAUTH-WG] Adding machine readable errors to SPOP?

Bill Mills <> Thu, 13 November 2014 00:34 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 772591A0235 for <>; Wed, 12 Nov 2014 16:34:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.493
X-Spam-Status: No, score=-1.493 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, J_CHICKENPOX_46=0.6, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hnW1vZzg-8h3 for <>; Wed, 12 Nov 2014 16:34:28 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 50CA91A01A9 for <>; Wed, 12 Nov 2014 16:34:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=s2048; t=1415838867; bh=/e6QfOOx1xaC6qk2Mf5Bwa28hQNZOXZrpiOQrIBz4rg=; h=Date:From:Reply-To:To:In-Reply-To:References:Subject:From:Subject; b=WzlnmYtjSL9i277y18YIc+xLOYFtISPOnbd9PlAN3mzk6B8YYkG6nZO+gltV/Ru01CbXjFF/Z9AbYAHTZHsZP33OqIxon54lapxuK8eVf3zsmGxNmng8bLsitauQPcSgn1v3GKVN1VniVT4LFKK8R8+PSrDzU/kXl+eeyBjOR5K0U4IbLl5ZCvLM+vRPOcM1LtIyY1htwxO7uzGG1cuMDYDrLK+P1zj8oFsLykbI7i/wuLoPTsTO88EyfbxY2Jm4jZZSUZ42q8mPlXISv2+WpUwP0ArzvGR0AogsZEWVGvP+eTJMyVzC5f0lgwXT94TqLUA8Vq12T4y8lz9AcIdn/g==
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s2048;; b=dFLgCzEsm9mIBzFACgiQTrwgnAbIifwsIK2i/wdjFhLMyn2IY+CcJyr9pAwFnU18wSl9+pBrwNCshyorjaBK3lbuccPhexZeXWL1iCSxXW7rJ8b+0vuSvhREKE+EsLm+qzVayu52eWY5flAULQfXZQgNptvLe2kjNcPqrOt7vt3BvbnKPiQSIXqEaLia1IObmrI+gqDd1OShY6wM6OBSldQk+dRPwonQAUHSrLqXqiWKoVqprww89V/HMlxIrwlg/T12NUkhax2z4gCwBkl27EnfDJxIBR1Xdjhe7+SMONiXjOWWa86T3pGfPxi1PCgwUhRup+JSJoYY2V2tX2bz8g==;
Received: from [] by with NNFMP; 13 Nov 2014 00:34:27 -0000
Received: from [] by with NNFMP; 13 Nov 2014 00:34:27 -0000
Received: from [] by with NNFMP; 13 Nov 2014 00:34:27 -0000
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: pg1N_8sVM1nQ0I2OACnepzudcouxbvl9nu477HGEAD5_If8Uf1rqTHYq3iVRDhh 8JVRLVWQ.8oFMcE0e0Vmiy7gdfwwWINs_5xdlmSNV_yhwTAZUV4wgltL9ek7AffJMJdiUHTRraeZ HmiKq9ChHYsc2TKMKumejj5D8wPWaNfMMXj9c.IfdMGsbkJCF5K9rOzYHCukA0PiLgmVk6lj_ZHJ GDBuvOqQzwRGOYl97g4gN.1Z61eaJ0ZD17GqupwzjiTvFStZHYqlHM6cTj6lsjZLAi4.4_e.1ANJ _jmh46hFWjFvujz46gbVsdmJtMYiOHwLLdzkTrmF8l0MWP.VQkgzgGhzUR4Q9YTXuwQaJ_IZ29qp yXrU6wmrJ0izkWJTl7shmc_EDeDOTrLpVDD.C.y0ppmJk_mKRlH33zFdJ3QEdSjnzliwE7hsdGoL iMFGoRS2hbntD0HadtwrimLyp14c1WtEAPEdEo7eBIODBn4.6mr6Ho5sPQ4tGWrJgFeN6XGpI
Received: by; Thu, 13 Nov 2014 00:32:47 +0000
Date: Thu, 13 Nov 2014 00:32:46 +0000
From: Bill Mills <>
To: Nat Sakimura <>, Mike Jones <>, oauth <>
Message-ID: <>
In-Reply-To: <>
References: <>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_213674_1629254752.1415838766697"
Subject: Re: [OAUTH-WG] Adding machine readable errors to SPOP?
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bill Mills <>
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 13 Nov 2014 00:34:30 -0000

Let's not enumerate all possible failure paths as error messages.  Simply putting "unsupported_hash" is best.  The client then needs a way to discover allowed hashes.  You could register something like "supported_hashes" to allow that to be returned.
We really need to figure out if discovery will simply leverage OpenID deiscovery (which seems workable) or if we define something completely else. 

     On Wednesday, November 12, 2014 2:48 PM, Nat Sakimura <> wrote:

 I've thought about that, and I thought we could just add the error message when we add new alg. 
e.g., when we add SHA-3-256, we can add SHA-3-256_unsupported. 
On Thu Nov 13 2014 at 5:56:38 Mike Jones <> wrote:

Is S256_unsupported or algorithm_unsupported the better error description?  I’m asking because I also expect that at some point in the approval process for this document you’ll be asked to support algorithm agility (for instance, being able to use SHA-3-256).                                                             -- Mike From: OAuth []On Behalf Of Nat Sakimura
Sent: Wednesday, November 12, 2014 10:49 AM
To: oauth
Subject: [OAUTH-WG] Adding machine readable errors to SPOP? As discussed at F2F today at IETF 91 OAuth WG, there has been some request to have a more fine grained machine readable error messages.  Currently, it only returns the error defined in RFC6749 and any more details is supposed to be returned in error_descripton and error_uri.  So, I came up with the following proposal. If WG agrees, I would put text embodying it into the draft-04. Otherwise, I would like to go as is. You have to speak out to put it in. (I am sending out -03, which we meant to send before submit freeze, without it..)  nError response to authorization requestlReturnsinvalid_request with additional error paramspop_errorwith the following values:▪S256_unsupported▪none_unsupported▪invalid_code_challengeClients MUST NOT accept the downgraderequest through this as it may be a downgradeattack by a MITM.nError response to token requestlReturnsinvalid_request with additional error paramspop_errorwith the following values:▪invalid _code_verifier▪verifier_challenge_mismatchnAuthorization server should return more descriptive information on lerror_descriptionlerror_uri   

OAuth mailing list