Re: [OAUTH-WG] Authorization request errors
John Bradley <ve7jtb@ve7jtb.com> Wed, 04 July 2012 19:33 UTC
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Wed, 04 Jul 2012 15:33:44 -0400
To: Jérôme LELEU <leleuj@gmail.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Authorization request errors
Yes, it is an HTML message to the user describing why the error occurred, 200 OK as I understand it.

John B.

On 2012-07-04, at 2:36 PM, Jérôme LELEU wrote:

> Hi,
>
> Thanks for your replies.
>
> The possible security breach is clear to me: I would never redirect to a redirect_uri url if I didn't validate the client_id and if it didn't match the associated registered redirection url.
>
> My understanding of Torsten's message is that the error page is in a free HTML format for the end user with HTTP code 200 (status: OK).
>
> I think the spec could be more precise on this point.
> Thanks.
>
> Best regards,
> Jérôme
>
>
> 2012/7/4 John Bradley <ve7jtb@ve7jtb.com>
> Jerome,
>
> If you redirect an error of any sort to the redirect_uri in the authorization request if the client_id is wrong or the URI doesn't match the registered one, you are creating an open redirector that can potentially be used for phishing or other attacks.
>
> The redirect URIs are registered to prevent that. Not sending a response is intentional.
>
> Regards
> John B.
>
> On 2012-07-04, at 1:31 PM, Torsten Lodderstedt wrote:
>
>> Hi Jerome,
>>
>> I read the introduction of 4.1.2.1 as follows: The authorization server shall display an error message to the end-user. So no HTTP error code required.
>>
>> best regards,
>> Torsten.
>>
>> On 21.06.2012 21:40, Jérôme LELEU wrote:
>>> Hi,
>>>
>>> I'm trying to implement OAuth 2.0 provider support and, in particular, right handling of errors.
>>>
>>> Following OAuth 2.0 spec: http://tools.ietf.org/html/draft-ietf-oauth-v2-28, I don't understand the authorization request errors: part 4.1.2.1.
>>> If I have a valid redirection url, I understand that an error should be returned with GET parameters (error, error_description...) in the redirected url as shown in the example.
>>> But in case of invalid redirection url or unknown client_id (which makes validation of redirection url impossible), what http code should I return? 500? 400?
>>> What should be the format of the error message? Json? plaintext? like a POST body?
>>>
>>> I'm certainly misunderstanding OAuth spec, but I would appreciate any help.
>>> Thanks.
>>> Best regards,
>>> Jérôme
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
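As an added example (not code from this thread or from any of its participants), a minimal authorization-endpoint handler in Python that applies the rule the thread settles on: validate client_id and the exact registered redirect_uri first; if either check fails, show the end-user an HTML page with 200 OK and never redirect; only once the redirect_uri is trusted are errors such as an unsupported response_type sent back to it as query parameters. The client registry, the placeholder authorization code and the HTML wording are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

Response = Tuple[int, Dict[str, str], str]  # (HTTP status, headers, body)

# Constructed registry for this example: client_id -> its single registered redirect_uri.
REGISTERED_CLIENTS: Dict[str, str] = {
    "client-abc": "https://client.example.org/cb",
    "client-xyz": "https://other.example.org/oauth/return?app=1",
}
SUPPORTED_RESPONSE_TYPES = {"code"}


def _redirect_to(redirect_uri: str, extra: List[Tuple[str, str]]) -> Response:
    """Build a 302 to a redirect_uri that has ALREADY been validated, appending
    extra query parameters while keeping any query the registered URI carries."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + extra
    return 302, {"Location": urlunsplit(parts._replace(query=urlencode(query)))}, ""


def _user_facing_error(message: str) -> Response:
    """The 4.1.2.1 case discussed above: inform the end-user directly, 200 OK, no redirect."""
    body = f"<html><body><h1>Authorization request rejected</h1><p>{message}</p></body></html>"
    return 200, {"Content-Type": "text/html; charset=utf-8"}, body


def handle_authorization_request(params: Dict[str, str]) -> Response:
    client_id = params.get("client_id", "")
    redirect_uri: Optional[str] = params.get("redirect_uri")
    state: Optional[str] = params.get("state")
    registered = REGISTERED_CLIENTS.get(client_id)

    # Unknown client: there is no trustworthy redirect_uri, so never redirect anywhere.
    if registered is None:
        return _user_facing_error("Unknown client_id.")
    # Exact string comparison against the registered value; prefix or substring
    # matching would reopen the open-redirector problem the registration exists to close.
    if redirect_uri != registered:
        return _user_facing_error("redirect_uri does not match the registered redirection URI.")

    # From here on the redirect_uri is trusted, so errors go back to the client as
    # query parameters (error, error_description, plus state if the client sent one).
    echo = [("state", state)] if state is not None else []
    if params.get("response_type") not in SUPPORTED_RESPONSE_TYPES:
        return _redirect_to(redirect_uri, [("error", "unsupported_response_type"),
                                           ("error_description", "only response_type=code is supported")] + echo)
    # Success path: a constructed placeholder stands in for a real, freshly issued code.
    return _redirect_to(redirect_uri, [("code", "CONSTRUCTED-CODE")] + echo)
```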