Re: [OAUTH-WG] Adding machine readable errors to SPOP?

Mike Jones <Michael.Jones@microsoft.com> Wed, 12 November 2014 20:57 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>, oauth <oauth@ietf.org>
Date: Wed, 12 Nov 2014 20:56:03 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BB8006F@TK5EX14MBXC286.redmond.corp.microsoft.com>
In-Reply-To: <CABzCy2AqUvaJSpA3sKxWp8zs+kkTnq++Kv0a81JpBor825eaKg@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Sd1ayFhZnvH-WScygUA2LFaO1n8

Is S256_unsupported or algorithm_unsupported the better error description?  I’m asking because I also expect that at some point in the approval process for this document you’ll be asked to support algorithm agility (for instance, being able to use SHA-3-256).

                                                            -- Mike

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Nat Sakimura
Sent: Wednesday, November 12, 2014 10:49 AM
To: oauth
Subject: [OAUTH-WG] Adding machine readable errors to SPOP?

As discussed at the F2F today at the IETF 91 OAuth WG, there has been some request to have more fine-grained, machine-readable error messages.

Currently, it only returns the error defined in RFC6749, and any further details are supposed to be returned in error_description and error_uri.

So, I came up with the following proposal. If the WG agrees, I would put text embodying it into draft-04. Otherwise, I would like to go as is. You have to speak out to put it in. (I am sending out -03, which we meant to send before the submit freeze, without it.)

• Error response to authorization request
  • Returns invalid_request with additional error param spop_error with the following values:
    ▪ S256_unsupported
    ▪ none_unsupported
    ▪ invalid_code_challenge
  • Clients MUST NOT accept the downgrade request through this as it may be a downgrade attack by a MITM.
• Error response to token request
  • Returns invalid_request with additional error param spop_error with the following values:
    ▪ invalid_code_verifier
    ▪ verifier_challenge_mismatch
• Authorization server should return more descriptive information on
  • error_description
  • error_uri
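The following is an added example (not code from either message, the SPOP draft, or any IETF implementation) showing how an authorization server would produce the spop_error values proposed above at both endpoints. Assumptions: the server's supported-method policy is a constructed set; the "none_unsupported" value is read as "the server refuses a plain/absent challenge"; the 43..128-character unreserved-charset rule is applied to both the challenge and the verifier; and the proposal's error parameter name spop_error is used as-is. The client-side rule from the proposal (never retry with plain after S256_unsupported) is a client policy and is not implemented here.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed policy: which code_challenge_method values this server accepts.
SUPPORTED_METHODS = {"plain", "S256"}

# Unreserved characters, 43..128 characters. Assumption: the same syntax rule
# is applied to code_challenge and code_verifier.
_UNRESERVED_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data: bytes) -> str:
    """base64url without padding, as used for S256 challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def generate_pkce_pair() -> tuple:
    """Client side: a fresh random verifier and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters
    return verifier, s256_challenge(verifier)


def spop_error(code: str) -> dict:
    """Error body per the proposal: RFC 6749 'invalid_request' plus spop_error."""
    return {"error": "invalid_request", "spop_error": code}


def authorization_error(code_challenge, code_challenge_method,
                        supported=SUPPORTED_METHODS):
    """Authorization endpoint check. Returns None if the request is acceptable,
    otherwise the error dict the server would return to the client."""
    method = code_challenge_method or "plain"  # absent method means plain
    if method == "S256" and "S256" not in supported:
        return spop_error("S256_unsupported")
    if method == "plain" and "plain" not in supported:
        # Interpretation: 'none' = no transformation, i.e. the plain method.
        return spop_error("none_unsupported")
    if method not in ("plain", "S256"):
        return spop_error("invalid_code_challenge")  # unknown method
    if not code_challenge or not _UNRESERVED_RE.fullmatch(code_challenge):
        return spop_error("invalid_code_challenge")  # malformed challenge
    return None


def token_error(code_verifier, stored_challenge, stored_method):
    """Token endpoint check against the challenge stored with the code.
    Returns None on success, otherwise the error dict."""
    if not code_verifier or not _UNRESERVED_RE.fullmatch(code_verifier):
        return spop_error("invalid_code_verifier")  # syntactically bad verifier
    if stored_method == "S256":
        expected = s256_challenge(code_verifier)
    else:
        expected = code_verifier
    # Constant-time comparison so a mismatch leaks nothing about the challenge.
    if not hmac.compare_digest(expected.encode("ascii"),
                               stored_challenge.encode("ascii")):
        return spop_error("verifier_challenge_mismatch")
    return None


if __name__ == "__main__":
    v, c = generate_pkce_pair()
    print("authz:", authorization_error(c, "S256"))
    print("token:", token_error(v, c, "S256"))
    print("downgrade server:", authorization_error(c, "S256", {"plain"}))
```

The S256 transform is exercised in the test against the verifier/challenge pair published in the RFC 7636 appendix, so the output of s256_challenge can be checked independently of this code.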