Re: [OAUTH-WG] Returning HTTP 200 on Error for JSONP

John Panzer <jpanzer@google.com> Mon, 16 August 2010 16:11 UTC

Is there ever a case other than jsonp where this is necessary?

On Monday, August 16, 2010, Aaron Parecki <aaron@parecki.com> wrote:
> Excellent point. Would it be worth it to include a new error_code
> parameter in the JSON response so that clients have a way to get the
> http status code from the data available in the jsonp response?
>
> The response in this case might look like this
> jsonp_cb({
>     "error_code": 400,
>     "error": "invalid_request",
>     "error_description": "An active access token must be used to query information about the current user."
> });
>
> Aaron
>
>
> On Sun, Aug 15, 2010 at 10:16 PM, Luke Shepard <lshepard@facebook.com> wrote:
>
>
> +1
>
> On Aug 13, 2010, at 2:31 PM, Paul Tarjan wrote:
>
> Hi Fellow OAuthers,
>
> If a resource wants to return data via the JSONP mechanism then it MUST return an HTTP 200 error code, or else the browser won't actually call the callback. The OAuth spec as it stands requires HTTP 400 or 401 or 403 on errors, which won't ever tell the client that an error happened.
>
> For example:
>
> GET /me?callback=jsonp_cb HTTP/1.1
> Host: graph.facebook.com
>
> HTTP/1.1 200 OK
> Content-Type: text/javascript; charset=UTF-8
> Content-Length: 152
>
> jsonp_cb({
>     "error": "invalid_request",
>     "error_description": "An active access token must be used to query information about the current user."
> });
> would never get sent to the browser if we obeyed the spec and sent it as an HTTP 400.
>
> ---
> So, I recommend we add wording to 5.2.1 like:
>
> If the protected resource is issuing a response that requires a different HTTP status code than the one specified (for example, JSONP), then it MAY use an alternate HTTP code. The server should make it clear which parameters trigger this mode so that clients know not to rely on the HTTP status code for error detection.
>
>
> Paul
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
John Panzer / Google
jpanzer@google.com / abstractioneer.org / @jpanzer
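As an added illustration of the behaviour Paul describes and the error_code field Aaron proposes (this is not code from the thread or from any participant's server): a resource-server helper that forces HTTP 200 and echoes the real status as error_code only when a JSONP callback is present, plus the client-side check that becomes necessary once the status line can no longer be trusted. The function names and the callback-name pattern are my own assumptions.

```python
import json
import re

# Assumed rule: only reflect a conservative identifier-shaped callback name.
# Reflecting an arbitrary string into a text/javascript body would let a
# caller inject script, so anything else is rejected rather than echoed.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$")


def oauth_error_response(status, error, description, callback=None):
    """Return (http_status, headers, body) for a protected-resource error.

    Without a callback the HTTP status (400/401/403 per the draft) carries the
    error.  With a JSONP callback the status is forced to 200, because the
    browser only invokes the callback on a 200, and the real status travels in
    the body as error_code, as proposed in the thread.
    """
    payload = {"error": error, "error_description": description}
    if callback is None:
        return status, {"Content-Type": "application/json"}, json.dumps(payload)
    if not _CALLBACK_RE.match(callback):
        bad = {"error": "invalid_request", "error_description": "invalid callback"}
        return 400, {"Content-Type": "application/json"}, json.dumps(bad)
    payload = {"error_code": status, **payload}
    body = "%s(%s);" % (callback, json.dumps(payload))
    headers = {
        "Content-Type": "text/javascript; charset=UTF-8",
        "X-Content-Type-Options": "nosniff",  # keep browsers from re-sniffing the body
    }
    return 200, headers, body


def jsonp_error_from_body(body):
    """Client side: recover (error_code, error) from a JSONP body, or None.

    Since every JSONP response arrives as 200, the client must look inside the
    callback argument instead of at the HTTP status to detect an error.
    """
    start, end = body.find("("), body.rfind(")")
    if start < 0 or end < start:
        return None
    data = json.loads(body[start + 1:end])
    if "error" not in data:
        return None
    return data.get("error_code"), data["error"]
```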