Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"
William Mills <wmills@yahoo-inc.com> Tue, 21 February 2012 04:22 UTC
References: <58932B8B-2DDE-41D6-A91B-5036CC762C00@matake.jp> <1329757027.28055.YahooMailNeo@web31808.mail.mud.yahoo.com> <4F4284DD.3030006@alcatel-lucent.com>
Message-ID: <1329798149.78115.YahooMailNeo@web31804.mail.mud.yahoo.com>
Date: Mon, 20 Feb 2012 20:22:29 -0800
From: William Mills <wmills@yahoo-inc.com>
To: "igor.faynberg@alcatel-lucent.com" <igor.faynberg@alcatel-lucent.com>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <4F4284DD.3030006@alcatel-lucent.com>
It does allow some parts of your server config to be discovered. More of a problem in error responses is usually echoing back the user data, or allowing user enumeration for example. Care is required, but you don't have a ton of options here.

________________________________
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
To: oauth@ietf.org
Sent: Monday, February 20, 2012 9:37 AM
Subject: Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"

Could there be a potential security hole in providing an error response? (Not that I see it, but many problems in the past had been caused by helpful responses.)

Igor

On 2/20/2012 11:57 AM, William Mills wrote:
Respond with an error in protocol. That won't include a redirect, and the client has to know what to do.

> ________________________________
> From: nov matake <nov@matake.jp>
> To: oauth WG <oauth@ietf.org>
> Sent: Monday, February 20, 2012 6:11 AM
> Subject: [OAUTH-WG] Quick question about error response for "response_type=unknown"
>
> Hi OAuthers,
>
> My apologies if you already discussed this.
>
> When an OAuth server receives an unknown response_type, how should the server handle the error?
>
> 1. Show the error to the user without redirecting back to the client
> 2. Redirect back to the client including the error in query
> 3. Redirect back to the client including the error in fragment
>
> Since choosing 2 or 3 is impossible in this case, 1 seems reasonable to me.
>
> --
> nov
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
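An added example, not code from the thread or any of its participants, of the handling nov and Mills converge on: an authorization endpoint that returns known response types in the query or fragment as usual, but answers an unknown response_type in protocol with a direct error page and no redirect, and keeps the raw request value in the server log rather than echoing it to the user. The client registry, the fixed message table and the `issue` callback are constructed for the example.

```python
from urllib.parse import urlencode

# Constructed client registry for this example; a real server looks clients up in its store.
CLIENTS = {"client-abc": {"redirect_uri": "https://client.example/cb"}}

# Where each known response_type returns its parameters (RFC 6749: code -> query, token -> fragment).
RESPONSE_TYPE_LOCATION = {"code": "query", "token": "fragment"}

# Fixed, user-facing texts: nothing from the request is interpolated into them.
SAFE_MESSAGES = {
    "invalid_request": "The request is missing a valid client_id or redirect_uri.",
    "unsupported_response_type": "The requested response type is not supported.",
}


def error_page(error, params):
    """Option 1 from the thread: show the error to the user without redirecting.
    The raw request values go only into the server-side log record."""
    return {
        "kind": "error_page",
        "status": 400,
        "error": error,
        "body": SAFE_MESSAGES[error],
        "log": {"error": error, "response_type": params.get("response_type"),
                "client_id": params.get("client_id")},
    }


def handle_authorization_request(params, issue=lambda: "constructed-value"):
    """Dispatch one authorization request; returns a redirect or an error page dict."""
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None or params.get("redirect_uri", client["redirect_uri"]) != client["redirect_uri"]:
        # No verified redirect target, so there is nowhere safe to send an error.
        return error_page("invalid_request", params)
    location = RESPONSE_TYPE_LOCATION.get(params.get("response_type", ""))
    if location is None:
        # Unknown type: the server cannot tell whether this client expects query or
        # fragment delivery, so it answers in protocol and does not redirect.
        return error_page("unsupported_response_type", params)
    out = {"state": params["state"]} if "state" in params else {}
    if location == "query":
        out["code"] = issue()
    else:
        out.update(access_token=issue(), token_type="bearer")
    sep = "?" if location == "query" else "#"
    return {"kind": "redirect", "status": 302,
            "location": f"{client['redirect_uri']}{sep}{urlencode(out)}"}
```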