IETF Logo Mail Archive

Re: [OAUTH-WG] Adding machine readable errors to SPOP?

Nat Sakimura <sakimura@gmail.com> Fri, 14 November 2014 21:00 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A672E1AC439 for <oauth@ietfa.amsl.com>; Fri, 14 Nov 2014 13:00:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jd_eDP8REafM for <oauth@ietfa.amsl.com>; Fri, 14 Nov 2014 13:00:13 -0800 (PST)
Received: from mail-ie0-x232.google.com (mail-ie0-x232.google.com [IPv6:2607:f8b0:4001:c03::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6071D1AC3D9 for <oauth@ietf.org>; Fri, 14 Nov 2014 13:00:13 -0800 (PST)
Received: by mail-ie0-f178.google.com with SMTP id rp18so18867170iec.9 for <oauth@ietf.org>; Fri, 14 Nov 2014 13:00:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:from:date:message-id:subject:to:cc :content-type; bh=Oazv2NMsr93iWs3/5qqpsAgB3/0pFm0gi+87hCaKkyA=; b=OSLkdjhV9gs6uuYC64J/2uDDulRNNT8bDSeN8LGLUMxXksF8EVXyJgytVZDh/nNCQw sT1kkbtYw8fSC0C+4KQZzs7C21txYWRjD9kxsGSsT0tZE1XJYUqdLelHvbQHIZX0jCIv nwJy4zslM8uTkc4ZHsd8HJBj4aYL7TPdImitqO029OvpITNqaNatpF0R9tWdNIFdPf0+ 5we4Sq5fJI99rHJFis7GwmykCjrxXuGo+15axYQCi4ee/zXsojW46ype6sByiOlgajXW 9HBoMN72KEykvWWjJ14jNQaYXYQHGn5nTO4OXmti7rDBNIBmBvgT0ve7uZHGzM1GDFU5 gF/Q==
X-Received: by 10.42.126.82 with SMTP id d18mr6456394ics.54.1415998812601; Fri, 14 Nov 2014 13:00:12 -0800 (PST)
MIME-Version: 1.0
References: <CABzCy2AqUvaJSpA3sKxWp8zs+kkTnq++Kv0a81JpBor825eaKg@mail.gmail.com> <CA+k3eCTF=SnWP2rE7pRCe4ve_KUhZoCj+h7NhRUjjpEpXEWUVA@mail.gmail.com> <CABzCy2Cd1oWuUmvhMnrNKbzHiA447xHjcvd0z=usMMP3tEzRsg@mail.gmail.com> <25AA1078-5A90-41EA-B30C-2E8962214177@ve7jtb.com> <CABzCy2AJZzocvb-d7aMoXoGpepZYwKqwbgaiig-xtbLwRap0Hw@mail.gmail.com> <240365989.721577.1415998484828.JavaMail.yahoo@jws10608.mail.bf1.yahoo.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Fri, 14 Nov 2014 21:00:12 +0000
Message-ID: <CABzCy2A_bhOs-YsgCftrR=rFnB1BEOteENEBJBUrZJhoKO21+A@mail.gmail.com>
To: Bill Mills <wmills_92105@yahoo.com>, John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="20cf300e53293a43a20507d7ea3d"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/_zqbtJRRj5qg0e1CcaCcEA5Mmto
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Adding machine readable errors to SPOP?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Nov 2014 21:00:23 -0000

Thanks. I will dig it up.
On Fri, Nov 14, 2014 at 10:54 Bill Mills <wmills_92105@yahoo.com> wrote:

> I sent some feedback on that section in a different message on list.
>
>
>   On Friday, November 14, 2014 12:41 PM, Nat Sakimura <sakimura@gmail.com>
> wrote:
>
>
> That pretty much was the conclusion we reached. I believe that it was what
> the F2F room inclined to. So, for -04, we added a section on error response
> but it doesn't have those granular errors.
> On Fri, Nov 14, 2014 at 07:07 John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> <hatoff> Nat and I discussed it yesterday and I am still personally
> unconvinced that the errors from the authorization endpoint are helpful.
> So I am personally against adding specific errors for S256_unsupported
> </hatoff>
>
> On Nov 14, 2014, at 6:52 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>
> <editorhatoff>I find not much, if any. </editorhatoff >
>
>
> On Fri, Nov 14, 2014 at 06:27 Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
> I struggle to see the value in adding more fine grained machine readable
> error messages for this.
>
> Do we really want clients to try and negotiate the code_challenge_method
> using browser redirects? Especially in light of the fact that we'll likely
> also be discouraging AS's from redirecting on some error conditions when
> there's no user interaction.
>
> On Wed, Nov 12, 2014 at 1:48 PM, Nat Sakimura <sakimura@gmail.com> wrote:
>
> As discussed at F2F today at IETF 91 OAuth WG, there has been some request
> to have a more fine grained machine readable error messages.
>
> Currently, it only returns the error defined in RFC6749 and any more
> details is supposed to be returned in error_descripton and error_uri.
>
> So, I came up with the following proposal. If WG agrees, I would put text
> embodying it into the draft-04. Otherwise, I would like to go as is. You
> have to speak out to put it in. (I am sending out -03, which we meant to
> send before submit freeze, without it..)
>
> nError response to authorization request
> lReturns invalid_request with additional error param spop_error with the
> following values:
> ▪S256_unsupported
> ▪none_unsupported
> ▪invalid_code_challenge
> Clients MUST NOT accept the downgrade
> request through this as it may be a downgrade
> attack by a MITM.
> nError response to token request
> lReturns invalid_request with additional error param spop_error with the
> following values:
> ▪invalid _code_verifier
> ▪verifier_challenge_mismatch
> nAuthorization server should return more descriptive information on
> lerror_description
> lerror_uri
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>

v2.23.0 | Report a Bug | By Email