Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"
"matake@gmail" <matake@gmail.com> Tue, 21 February 2012 12:23 UTC
Return-Path: <matake@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 398E021F8724 for <oauth@ietfa.amsl.com>; Tue, 21 Feb 2012 04:23:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.714
X-Spam-Level:
X-Spam-Status: No, score=-2.714 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_FONT_FACE_BAD=0.884, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WxMLFyC+Ti6Y for <oauth@ietfa.amsl.com>; Tue, 21 Feb 2012 04:23:19 -0800 (PST)
Received: from mail-pw0-f44.google.com (mail-pw0-f44.google.com [209.85.160.44]) by ietfa.amsl.com (Postfix) with ESMTP id 2752D21F87B0 for <oauth@ietf.org>; Tue, 21 Feb 2012 04:23:19 -0800 (PST)
Received: by pbcwz7 with SMTP id wz7so7644280pbc.31 for <oauth@ietf.org>; Tue, 21 Feb 2012 04:23:19 -0800 (PST)
Received-SPF: pass (google.com: domain of matake@gmail.com designates 10.68.73.103 as permitted sender) client-ip=10.68.73.103;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of matake@gmail.com designates 10.68.73.103 as permitted sender) smtp.mail=matake@gmail.com; dkim=pass header.i=matake@gmail.com
Received: from mr.google.com ([10.68.73.103]) by 10.68.73.103 with SMTP id k7mr73917169pbv.132.1329826999040 (num_hops = 1); Tue, 21 Feb 2012 04:23:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer; bh=NU0cJtIzbJ8c7gzQIlIB1PekJg2S20LMjU+3x2LI1eE=; b=VQwTuanNOgIftEua957QJsmLHxmA7H6eRhD7iVlCEp9twmMLllS0nBl27gBp5Z/AmU kl4pEUIiDCb3wMqklkwadj1/gwSbKHI/TIuPEBocP0Y22X6ghnwDpMCTM/cW60UeG2WW P6LkZZLsGCVjpGvCWYDTa2RcMoiuZkCeVAU38=
Received: by 10.68.73.103 with SMTP id k7mr60943058pbv.132.1329826998899; Tue, 21 Feb 2012 04:23:18 -0800 (PST)
Received: from [192.168.1.103] (q032020.dynamic.ppp.asahi-net.or.jp. [203.181.32.20]) by mx.google.com with ESMTPS id p8sm15950856pbs.51.2012.02.21.04.23.17 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 21 Feb 2012 04:23:18 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/alternative; boundary="Apple-Mail=_E6348B93-3DFD-472E-9039-48AFA74CD113"
From: "matake@gmail" <matake@gmail.com>
In-Reply-To: <CABUp4f5AB5QHfRUn=FsAn-tinS6+M-aQ6ezx2oQw9n3VthPkOw@mail.gmail.com>
Date: Tue, 21 Feb 2012 21:23:15 +0900
Message-Id: <8799A0DF-4BB9-4122-8CC0-D2A33C507A51@gmail.com>
References: <58932B8B-2DDE-41D6-A91B-5036CC762C00@matake.jp> <1329757027.28055.YahooMailNeo@web31808.mail.mud.yahoo.com> <4F4284DD.3030006@alcatel-lucent.com> <1329798149.78115.YahooMailNeo@web31804.mail.mud.yahoo.com> <56F7111A-B65E-459A-BB8A-ED87CDF1EB4A@gmail.com> <CABUp4f5iFgotOM1BE8StwbXY6+494Q+DEsi5vTOWpBYzFJyg-w@mail.gmail.com> <CABUp4f5AB5QHfRUn=FsAn-tinS6+M-aQ6ezx2oQw9n3VthPkOw@mail.gmail.com>
To: Buhake Sindi <buhake@googlemail.com>
X-Mailer: Apple Mail (2.1257)
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Feb 2012 12:23:23 -0000
When server cannot understand the response_type, it can't know where the error response should be included. ex.) A JS client used response_type=code%20id_token and expected all returned parameters would be included in fragment. However server couldn't understand the response_type and returned error messages in query. Then client won't be able to handle the error. Actually, clients expects returned parameters in query only when it uses response_type=code, at least in current proposed response_types. (I'm thinking "current proposed response_types" as "code", "token", "code token", "token id_token", "code id_token" and "code token id_token") On 2012/02/21, at 20:42, Buhake Sindi wrote: > Oops. Sorry, I believe I should have said, case 2. > > And why is case 2 impossible? The only time case 1 is valid in the redirect_uri is invalid. > > Buhake Sindi > > On 21 February 2012 13:40, Buhake Sindi <buhake@googlemail.com> wrote: > Hi guys, > > OAuth 2, Draft 23, Paragraph 4.1.2.1 clearly states: > > If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client > identifier is missing or invalid, the authorization server SHOULD inform the resource owner of > the error, and MUST NOT automatically redirect the user-agent to the invalid redirection URI. > > So, Case 1 is the only accepted case here. > > Buhake Sindi > > > On 21 February 2012 13:34, matake@gmail <matake@gmail.com> wrote: > So the answer is "Show the error to the user without redirecting back to the client", right? > I'm now developing OAuth2 and OpenID Connect ruby library, and both of them return errors > > case 1. redirect with error in query if response_type is "code" but it's not supported > case 2. redirect with error in fragment if response_type is "token code", "token id_token", "token code id_token" or "code id_token" but it's not supported > case 3. otherwise show error to the user without redirect since server cannot understand the response_type at all > > But other server might not understand some of response_types listed in case 2 at all and choose case 3 in such case. > (ie. OAuth servers which don't understand OpenID Connect won't understand "id_token") > > So I'm afraid that it reduces interoperability, a bit. > > On 2012/02/21, at 13:22, William Mills wrote: > >> I does allow some parts of your server config to be discovered. More of a problem in error responses is usually echoing back the user data, or allowing user enumeration for example. Care is required, but you don't have a ton of options here. >> >> From: Igor Faynberg <igor.faynberg@alcatel-lucent.com> >> To: oauth@ietf.org >> Sent: Monday, February 20, 2012 9:37 AM >> Subject: Re: [OAUTH-WG] Quick question about error response for "response_type=unknown" >> >> Could there be a potential security hole in providing an error response? (Not that I see it, but many problems in the past had been caused by helpful responese.) >> >> Igor >> >> On 2/20/2012 11:57 AM, William Mills wrote: >>> >>> Respond with an error in protocol. Thta won't include a redirect, and the client has to know what to do. >>> >>> From: nov matake <nov@matake.jp> >>> To: oauth WG <oauth@ietf.org> >>> Sent: Monday, February 20, 2012 6:11 AM >>> Subject: [OAUTH-WG] Quick question about error response for "response_type=unknown" >>> >>> Hi OAuthers, >>> >>> My apologies if you already discussed this. >>> >>> When OAuth server received unknown response_type, how should the server handle the error? >>> >>> 1. Show the error to the user without redirecting back to the client >>> 2. Redirect back to the client including the error in query >>> 3. Redirect back to the client including the error in fragment >>> >>> Since choosing 2 or 3 is impossible in this case, 1 seems reasonable for me. >>> >>> >>> -- >>> nov >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > > > > > > -- > The Elite Gentleman
- [OAUTH-WG] Quick question about error response fo… nov matake
- Re: [OAUTH-WG] Quick question about error respons… William Mills
- Re: [OAUTH-WG] Quick question about error respons… Igor Faynberg
- Re: [OAUTH-WG] Quick question about error respons… William Mills
- Re: [OAUTH-WG] Quick question about error respons… matake@gmail
- Re: [OAUTH-WG] Quick question about error respons… matake@gmail
- Re: [OAUTH-WG] Quick question about error respons… John Bradley
- Re: [OAUTH-WG] Quick question about error respons… matake@gmail
- Re: [OAUTH-WG] Quick question about error respons… Buhake Sindi
- Re: [OAUTH-WG] Quick question about error respons… Buhake Sindi
- Re: [OAUTH-WG] Quick question about error respons… John Bradley
- Re: [OAUTH-WG] Quick question about error respons… Eran Hammer