Re: [OAUTH-WG] Request sent to http: instead of https:`

Marius Scurtescu <mscurtescu@google.com> Wed, 13 October 2010 21:54 UTC

In-Reply-To: <B5861468-C397-44C9-BF09-B0AE65592AF1@facebook.com>
References: <AANLkTikO0oqudUchUnpW0vSsXe0k6QKkJpxjFUU+b413@mail.gmail.com> <2CF95A0F-D113-450D-8E1A-93944F1EAE77@facebook.com> <AANLkTinPPTg0zCzwLB4h=14FcAyKPbY1Mxzhfi+1zPrh@mail.gmail.com> <B5861468-C397-44C9-BF09-B0AE65592AF1@facebook.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Wed, 13 Oct 2010 14:55:43 -0700
Message-ID: <AANLkTi=X1gSdNoc_SQRd4AMwkmEy4Zh11H5vyjSw6LeY@mail.gmail.com>
To: Paul Tarjan <paul.tarjan@facebook.com>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Request sent to http: instead of https:`

On Wed, Oct 13, 2010 at 2:00 PM, Paul Tarjan <paul.tarjan@facebook.com> wrote:
>>
>>> At Facebook we issue an HTTP 400 with "invalid_request" as the error.
>>> http://graph.facebook.com/me?access_token=blah&client_id=150629244948164
>>> (the client_id is to enable draft-10 error messaging).
>>
>> Without client_id you get a different error message (JSON as well, but
>> not OAuth2 compliant). Why do you need this parameter to make the
>> distinction?
>
> Backwards compatibility. When we shipped, OAuth2 was at draft 00 and there was no standard error mechanism. So we invented one that isn't compatible with the current error codes (our key "error" was an array, and the current one is a "string" so we can't just send both).
>
> When the spec finalizes, we'll do a single migration and change the default to be the final format (and all other non-backwards compatible changes).

Got it, thanks.

Marius
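Added example, not code from the thread and not Facebook's or Google's implementation: a small Python model of the exchange Paul describes, a protected resource that answers a request arriving over plain http with HTTP 400 and "invalid_request", and that picks the draft-10 error shape (where "error" is a string) only when client_id is present, falling back to the older shape (where "error" was an array) otherwise. The hostnames, token values, client_id and the exact fields of the legacy array body are constructed assumptions; the thread does not give them. Two things are added beyond what the thread says, and are labelled as such in the code: a token that has once been sent in cleartext is treated as disclosed and refused afterwards even over https, and an unknown or burned token gets the "invalid_token" code that RFC 6750 later standardised. A client-side guard that refuses to attach a bearer token to a non-https URL is included as well, since that is where the mistake in the subject line is cheapest to catch.

```python
"""Added example (not from the original thread): an OAuth 2 protected resource
that rejects access tokens presented over http, plus a client-side guard that
refuses to attach a token to a non-https URL in the first place."""
import json
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample data: tokens the hypothetical resource server recognises.
VALID_TOKENS = {
    "tok-alice": {"id": "1001", "name": "Alice Example"},
    "tok-bob": {"id": "1002", "name": "Bob Example"},
    "tok-carol": {"id": "1003", "name": "Carol Example"},
}

# Tokens ever seen on a cleartext request. A bearer token that travelled over
# http must be assumed disclosed, so it is refused even over https afterwards.
# (Added hardening; the thread does not describe this step.)
BURNED_TOKENS: set = set()


def error_body(code, description, draft10):
    """Build the JSON error body.

    draft10=True  -> the draft-10 shape the thread names: "error" is a string.
    draft10=False -> stand-in for the earlier shape Paul mentions, where
                     "error" was an array; the real legacy fields are not given
                     in the thread, so this two-element list is an assumption.
    """
    if draft10:
        return {"error": code, "error_description": description}
    return {"error": [code, description]}


def resource_server(url):
    """Handle GET <url> as the protected resource. Returns (status, body dict).

    Mirrors the behaviour Paul describes: a bad request gets HTTP 400 with
    "invalid_request", and the presence of client_id selects the draft-10
    error format instead of the legacy one.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    token = params.get("access_token", [None])[0]
    draft10 = "client_id" in params

    if parts.scheme != "https":
        # The token is already on the wire in cleartext; burn it before answering.
        if token:
            BURNED_TOKENS.add(token)
        return 400, error_body(
            "invalid_request", "access_token must be sent over https", draft10)

    if token is None:
        return 400, error_body("invalid_request", "access_token missing", draft10)

    if token in BURNED_TOKENS or token not in VALID_TOKENS:
        # "invalid_token" is the code RFC 6750 later standardised for this case;
        # the thread itself only discusses invalid_request.
        return 401, error_body("invalid_token", "token unknown or revoked", draft10)

    return 200, dict(VALID_TOKENS[token])


def attach_token(url, token):
    """Client-side guard: add access_token to the query only for https URLs."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing to send a bearer token over {parts.scheme!r}")
    query = parse_qs(parts.query)
    query["access_token"] = [token]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


if __name__ == "__main__":
    # Constructed requests: the first two replay the mistake in the subject line.
    for u in [
        "http://graph.example.test/me?access_token=tok-alice&client_id=123456",
        "http://graph.example.test/me?access_token=tok-bob",
        "https://graph.example.test/me?access_token=tok-alice",
        "https://graph.example.test/me?access_token=tok-carol",
    ]:
        status, body = resource_server(u)
        print(status, json.dumps(body))
    print(attach_token("https://graph.example.test/me", "tok-carol"))
```

Returning 400 tells the caller what went wrong, but it does not undo the disclosure: by the time the resource server sees the cleartext request, every hop on the path has seen the token too, which is why the example burns it. The client guard is the cheaper fix, since it stops the token from leaving the process at all.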