Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"

"matake@gmail" <matake@gmail.com> Tue, 21 February 2012 11:34 UTC

From: "matake@gmail" <matake@gmail.com>
Date: Tue, 21 Feb 2012 20:34:29 +0900
To: William Mills <wmills@yahoo-inc.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>

So the answer is "Show the error to the user without redirecting back to the client", right?
I'm now developing OAuth2 and OpenID Connect Ruby libraries, and both of them return errors as follows:

case 1. redirect with error in query if response_type is "code" but it's not supported
case 2. redirect with error in fragment if response_type is "token code", "token id_token", "token code id_token" or "code id_token" but it's not supported
case 3. otherwise show error to the user without redirect since server cannot understand the response_type at all

But other servers might not understand some of the response_types listed in case 2 at all and would choose case 3 in that case.
(i.e. OAuth servers which don't understand OpenID Connect won't understand "id_token")

So I'm afraid that it reduces interoperability, a bit.
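The three cases above, as an added example that is not the author's library code: a routing function that decides whether an unsupported or unknown response_type gets a query redirect, a fragment redirect, or a locally displayed error, plus the redirect builder. The SUPPORTED list, the registered-URI check and the function names are assumptions; plain "token" is added to the fragment case because RFC 6749's implicit flow puts errors in the fragment.

```ruby
require 'uri'

# Added example (not the author's library): routes an authorization-endpoint
# error for an unsupported or unknown response_type the way the three cases in
# the post describe. Names and the SUPPORTED list are assumptions.

SUPPORTED = %w[code token].freeze            # what this hypothetical server implements
QUERY_TYPES = ['code'].freeze                # case 1: error travels in the query
FRAGMENT_TYPES = ['token', 'token code', 'token id_token',          # case 2: error in the fragment
                  'token code id_token', 'code id_token'].freeze   # (plain "token": RFC 6749 implicit flow)

def normalize(response_type)
  response_type.to_s.split.uniq.sort         # "id_token code" and "code id_token" are the same set
end

# [:ok] if supported, [:redirect, :query|:fragment] for cases 1/2, [:display] for case 3.
def error_delivery(response_type, supported: SUPPORTED)
  types = normalize(response_type)
  return [:ok] if supported.map { |s| normalize(s) }.include?(types)
  return [:redirect, :query] if QUERY_TYPES.map { |s| normalize(s) }.include?(types)
  return [:redirect, :fragment] if FRAGMENT_TYPES.map { |s| normalize(s) }.include?(types)
  [:display]
end

def error_redirect(redirect_uri, location, state)
  params = { 'error' => 'unsupported_response_type' }
  params['state'] = state if state           # echo state so the client can correlate the error
  encoded = URI.encode_www_form(params)
  uri = URI(redirect_uri)
  if location == :query
    uri.query = [uri.query, encoded].compact.join('&')
  else
    uri.fragment = encoded
  end
  uri.to_s
end

# registered_uris: the client's pre-registered redirect URIs. Redirecting an
# error to an unregistered URI would make the endpoint an open redirector, so
# any failure of that match falls back to showing the error locally.
def handle_authorization_error(response_type, redirect_uri, registered_uris,
                               state: nil, supported: SUPPORTED)
  mode, location = error_delivery(response_type, supported: supported)
  return { status: 200 } if mode == :ok
  if mode == :redirect && registered_uris.include?(redirect_uri)
    return { status: 302, location: error_redirect(redirect_uri, location, state) }
  end
  # Case 3 (or unverifiable redirect_uri): a fixed message, not the raw
  # response_type, so user-supplied input is not reflected into the page.
  { status: 400, body: 'The requested response_type is not supported.' }
end
```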

On 2012/02/21, at 13:22, William Mills wrote:

> It does allow some parts of your server config to be discovered.  More of a problem in error responses is usually echoing back the user data, or allowing user enumeration for example.  Care is required, but you don't have a ton of options here.
> 
> From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
> To: oauth@ietf.org 
> Sent: Monday, February 20, 2012 9:37 AM
> Subject: Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"
> 
> Could there be a potential security hole in providing an error response?  (Not that I see it, but many problems in the past have been caused by helpful responses.)
> 
> Igor
> 
> On 2/20/2012 11:57 AM, William Mills wrote:
>> 
>> Respond with an error in protocol.  That won't include a redirect, and the client has to know what to do.
>> 
>> From: nov matake <nov@matake.jp>
>> To: oauth WG <oauth@ietf.org> 
>> Sent: Monday, February 20, 2012 6:11 AM
>> Subject: [OAUTH-WG] Quick question about error response for "response_type=unknown"
>> 
>> Hi OAuthers,
>> 
>> My apologies if you already discussed this.
>> 
>> When an OAuth server receives an unknown response_type, how should the server handle the error?
>> 
>> 1. Show the error to the user without redirecting back to the client
>> 2. Redirect back to the client including the error in query
>> 3. Redirect back to the client including the error in fragment
>> 
>> Since choosing 2 or 3 is impossible in this case, 1 seems reasonable to me.
>> 
>> 
>> --
>> nov
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth