IETF Logo Mail Archive

Re: [OAUTH-WG] Returning HTTP 200 on Error for JSONP

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 17 August 2010 06:02 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E61E13A68D6 for <oauth@core3.amsl.com>; Mon, 16 Aug 2010 23:02:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.783
X-Spam-Level:
X-Spam-Status: No, score=-1.783 tagged_above=-999 required=5 tests=[AWL=-0.134, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_66=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MVbl0zVWsCU0 for <oauth@core3.amsl.com>; Mon, 16 Aug 2010 23:02:01 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.18.14]) by core3.amsl.com (Postfix) with ESMTP id 5290E3A68A7 for <oauth@ietf.org>; Mon, 16 Aug 2010 23:02:00 -0700 (PDT)
Received: from p4ffd1428.dip.t-dialin.net ([79.253.20.40] helo=[127.0.0.1]) by smtprelay02.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1OlFFr-00076W-2r; Tue, 17 Aug 2010 08:02:35 +0200
Message-ID: <4C6A25F7.8060301@lodderstedt.net>
Date: Tue, 17 Aug 2010 08:02:31 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: Paul Tarjan <paul.tarjan@facebook.com>
References: <1643FCF1-841F-41FF-B8A8-43269320CFA8@facebook.com> <D2742806-9180-4A5B-98D5-BFD68AF74EEA@facebook.com> <AANLkTikvz1FNvHN0W4TYyUn=0Nq_At2c+x793XTdwyLm@mail.gmail.com> <AANLkTinBqMvmKuoUq7Fy7XmJue5VEFYcw7qoca=0cWFs@mail.gmail.com> <4C69B719.3060303@lodderstedt.net> <DFB12E92-0E4D-46C2-8103-C74BAE6F65F9@facebook.com>
In-Reply-To: <DFB12E92-0E4D-46C2-8103-C74BAE6F65F9@facebook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: torsten@lodderstedt-online.de
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Returning HTTP 200 on Error for JSONP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Aug 2010 06:02:07 -0000

Paul Tarjan schrieb:
> Yes, I'm talking about 5.2.1
>
> For JSONP the user's browser is the client. It will make a request by executing some HTML like this:
>
> <script src="http://graph.facebook.com/me?access_token=...&callback=jsonp_cb"></script>
> <script>
> function jsonp_cb(response) {
>   if (response.error) {
>     // error out
>    return;
>   }
>   // do cool things
> }
> </script>
>
> (this is done instead of an AJAX request, because of cross-domain restrictions).
>
> As to Aaron's point, Google sends 3 parameters to the callback function, which I kind of like since the user can choose to get the code or not. Something like:
>
> jsonp_cb({
>   "error": "invalid_request",
>   "error_description": "An active access token must be used to query
> information about the current user."
> }.
> 400,
> 'Bad Request');
>
> which you can grab with
>
> function jsonp_cb(response, code, status) {
> }
>
> or ignore it with
>
> function jsonp_cb(response) {
> }
>
> But all of this is outside of the spec. I just want to make sure the spec says that the HTTP status code can send as 200 if the server+client need it for errors.
>   
I think this can be achieved in two ways: (a) either the client tells 
the server using a parameter or (b) the server always responds with 
status code 200 in some cases. From my understanding, status code 200 is 
relevant for requests following the rules of section 5.1.2 only. So my 
sugesstion would be to go with option (b) and modify the spec to always 
return status code 200 for such requests. This keeps the spec simpler 
and preserves the behavior of requests following the rules of section 
5.1.1..

regards,
Torsten.

> Paul
>
> On Aug 16, 2010, at 3:09 PM, Torsten Lodderstedt wrote:
>
>   
>> I would like to furthermore track down the relevant use cases. Assuming you are referring to section 5.2.1, how does your client send the access token to the resource server? I'm asking because I think error handling for URI query parameters, Body parameters and Authorization headers could be handled differently. For URI query parameters and Body parameters, returning the error code in the payload instead of the status code would be acceptable from my point of view since authentication is also pushed to the application level. In contrast when using HTTP authentication, 40(x) status codes together with WWW-Authenticate are a must have.
>>
>> Would such a differentiation help you?
>>
>> regards,
>> Torsten.
>>
>> John Panzer schrieb:
>>     
>>> Is there ever a case other than jsonp where this is necessary?
>>>
>>> On Monday, August 16, 2010, Aaron Parecki <aaron@parecki.com> wrote:
>>>  
>>>       
>>>> Excellent point. Would it be worth it to include a new error_code
>>>> parameter in the JSON response so that clients have a way to get the
>>>> http status code from the data available in the jsonp response?
>>>>
>>>> The response in this case might look like this
>>>> jsonp_cb({
>>>>    "error_code": 400,
>>>>   "error": "invalid_request",
>>>>   "error_description": "An active access token must be used to query
>>>> information about the current user."
>>>> });
>>>>
>>>> Aaron
>>>>
>>>>
>>>> On Sun, Aug 15, 2010 at 10:16 PM, Luke Shepard <lshepard@facebook.com> wrote:
>>>>
>>>>
>>>> +1
>>>>
>>>> On Aug 13, 2010, at 2:31 PM, Paul Tarjan wrote:
>>>>
>>>> Hi Fellow OAuthers,
>>>>
>>>> If a resource wants to return data via the JSONP mechanism then it MUST return an HTTP 200 error code, or else the browser won't actually call the callback. The OAuth spec as it stands requires HTTP 400 or 401 or 403 on errors which won't ever tell the client that an error happens.
>>>>
>>>> For example:
>>>>
>>>> GET /me?callback=jsonp_cb HTTP/1.1
>>>> Host: graph.facebook.com <http://graph.facebook.com/>
>>>>
>>>> HTTP/1.1 200 OK
>>>> Content-Type: text/javascript; charset=UTF-8
>>>> Content-Length: 152
>>>>
>>>> jsonp_cb({   "error": "invalid_request",   "error_description": "An active access token must be used to query information about the current user."
>>>> });
>>>> would never get sent to the browser if we obeyed the spec and sent it as an HTTP 400.
>>>>
>>>> ---
>>>> So, I recommend we add wording to 5.2.1 like:
>>>>
>>>> If the protected resource is issuing a response that requires a different HTTP status code than the one specified (for example, JSONP), then it MAY use an alternate HTTP code. The server should make it clear which parameters trigger this mode so that clients know not to rely on the HTTP status code for error detection.
>>>>
>>>>
>>>> Paul_______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>>
>>>>    
>>>>         
>>>  
>>>       
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>     
>
>

v2.29.0 | Report a Bug | By Email | System Status