Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"

William Mills <wmills@yahoo-inc.com> Tue, 21 February 2012 04:22 UTC

References: <58932B8B-2DDE-41D6-A91B-5036CC762C00@matake.jp> <1329757027.28055.YahooMailNeo@web31808.mail.mud.yahoo.com> <4F4284DD.3030006@alcatel-lucent.com>
Message-ID: <1329798149.78115.YahooMailNeo@web31804.mail.mud.yahoo.com>
Date: Mon, 20 Feb 2012 20:22:29 -0800
From: William Mills <wmills@yahoo-inc.com>
To: "igor.faynberg@alcatel-lucent.com" <igor.faynberg@alcatel-lucent.com>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <4F4284DD.3030006@alcatel-lucent.com>
Subject: Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"

It does allow some parts of your server config to be discovered.  More of a problem in error responses is usually echoing back the user data, or allowing user enumeration, for example.  Care is required, but you don't have a ton of options here.



________________________________
 From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
To: oauth@ietf.org 
Sent: Monday, February 20, 2012 9:37 AM
Subject: Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"
 

Could there be a potential security hole in providing an error response?  (Not that I see it, but many problems in the past have been caused by helpful responses.)

Igor

On 2/20/2012 11:57 AM, William Mills wrote:
>Respond with an error in protocol.  That won't include a redirect, and the client has to know what to do.
>
>
>
>________________________________
> From: nov matake <nov@matake.jp>
>To: oauth WG <oauth@ietf.org> 
>Sent: Monday, February 20, 2012 6:11 AM
>Subject: [OAUTH-WG] Quick question about error response for "response_type=unknown"
> 
>Hi OAuthers,
>
>My apologies if you already discussed this.
>
>When an OAuth server receives an unknown response_type, how should the server handle the error?
>
>1. Show the error to the user without redirecting back to the client
>2. Redirect back to the client including the error in query
>3. Redirect back to the client including the error in fragment
>
>Since choosing 2 or 3 is impossible in this case, 1 seems reasonable to me.
>
>
>--
>nov
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
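The handling discussed above, as an added example that is not part of the thread and not taken from any OAuth implementation: an authorization-endpoint front end that first refuses to redirect anywhere unless client_id and redirect_uri match a registration, then treats an unknown response_type as an in-protocol error shown to the user with no redirect (nov's option 1, William's answer), using a fixed message so nothing the caller sent is echoed back and an unknown client_id is indistinguishable from a mismatched redirect_uri (William's echo-back and enumeration concerns). Because the correct encoding of a redirected error depends on the very response_type the server does not recognise, the optional `fallback_component` argument shows what options 2 and 3 would look like if a server chose a default anyway; RFC 6749 section 4.1.2.1 later settled on redirecting with `error=unsupported_response_type` in the query component for the code flow, once the redirect URI has been validated. The client registry, the client_id `s6BhdRkqt3` and the `client.example.org` redirect URI are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed client registry for the example (assumption: exact-string match
# on registered redirect URIs, as RFC 6749 section 3.1.2.3 recommends).
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {"redirect_uris": {"https://client.example.org/cb?app=demo"}},
}

# The response_type values this server knows and where each one delivers its
# result: "code" in the query component, "token" in the fragment component.
SUPPORTED_RESPONSE_TYPES = {"code": "query", "token": "fragment"}

# One fixed message for every failure that is shown to the user instead of
# redirected. It contains no request parameter, so nothing the caller sent is
# echoed back, and it does not reveal whether the client_id exists.
GENERIC_USER_ERROR = "The authorization request is invalid and could not be completed."


@dataclass
class Decision:
    kind: str                        # "proceed", "render" or "redirect"
    component: Optional[str] = None  # for "proceed": where the result will be delivered
    location: Optional[str] = None   # for "redirect": value for the Location header
    message: Optional[str] = None    # for "render": fixed text shown to the user


def build_error_redirect(redirect_uri: str, component: str, error: str,
                         state: Optional[str]) -> str:
    """Append error (and state, if the client sent one) to a registered
    redirect URI in the requested component, keeping any query parameters
    the registered URI already carries (RFC 6749 section 3.1.2)."""
    params = [("error", error)]
    if state is not None:
        params.append(("state", state))
    parts = urlsplit(redirect_uri)
    if component == "query":
        existing = parse_qsl(parts.query, keep_blank_values=True)
        return urlunsplit(parts._replace(query=urlencode(existing + params)))
    if component == "fragment":
        return urlunsplit(parts._replace(fragment=urlencode(params)))
    raise ValueError("component must be 'query' or 'fragment'")


def handle_authorization_request(params: dict,
                                 fallback_component: Optional[str] = None) -> Decision:
    """Front-end checks for the authorization endpoint.

    With fallback_component=None an unknown response_type is reported to the
    user in protocol, without a redirect, because the server cannot know
    whether this client expects errors in the query or the fragment.  With
    fallback_component="query" the server redirects anyway, carrying
    error=unsupported_response_type in that component.
    """
    client = REGISTERED_CLIENTS.get(params.get("client_id", ""))
    redirect_uri = params.get("redirect_uri")
    # Step 1: never redirect to a URI that is not registered for a known
    # client. Unknown client and mismatched redirect_uri yield the same
    # response, so the endpoint cannot be used to enumerate client_ids.
    if client is None or redirect_uri not in client["redirect_uris"]:
        return Decision(kind="render", message=GENERIC_USER_ERROR)

    response_type = params.get("response_type")
    component = SUPPORTED_RESPONSE_TYPES.get(response_type or "")
    if component is not None:
        return Decision(kind="proceed", component=component)

    # Step 2: missing or unknown response_type. The user-facing path never
    # includes the unrecognised value; the redirect path uses the RFC 6749
    # error codes and echoes only the client's own state value.
    if fallback_component is None:
        return Decision(kind="render", message=GENERIC_USER_ERROR)
    error = "invalid_request" if response_type is None else "unsupported_response_type"
    location = build_error_redirect(redirect_uri, fallback_component, error,
                                    params.get("state"))
    return Decision(kind="redirect", location=location)


if __name__ == "__main__":
    request = {"client_id": "s6BhdRkqt3",
               "redirect_uri": "https://client.example.org/cb?app=demo",
               "response_type": "unknown", "state": "xyz"}
    print(handle_authorization_request(request))
    print(handle_authorization_request(request, fallback_component="query"))
```

The render path is the one the thread recommends; the redirect path exists to make the trade-off visible. Note that the redirect is only ever built after the redirect_uri has passed the registration check, so neither path lets an attacker-supplied URI turn the error into an open redirect.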