Re: [OAUTH-WG] Authorization request errors

John Bradley <ve7jtb@ve7jtb.com> Wed, 04 July 2012 19:33 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAP279Ly_xOLOh_SM8X1ggVWVoY8wVq3g9qi1+S0orWnab=5ocw@mail.gmail.com>
Date: Wed, 04 Jul 2012 15:33:44 -0400
Message-Id: <AB33D463-67CA-446D-82A3-4AA35C23CEB3@ve7jtb.com>
References: <CAP279LzK6LtYZRNU+vqP+NAYV2ehmeC6sdJ3f+EnpS5URZiV6w@mail.gmail.com> <4FF47DDD.3010904@lodderstedt.net> <FB5E7652-FBD2-4F80-9633-DDEA00FFEB99@ve7jtb.com> <CAP279Ly_xOLOh_SM8X1ggVWVoY8wVq3g9qi1+S0orWnab=5ocw@mail.gmail.com>
To: Jérôme LELEU <leleuj@gmail.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Authorization request errors

Yes, it is an HTML message to the user describing why the error occurred, 200 OK as I understand it.

John B.
On 2012-07-04, at 2:36 PM, Jérôme LELEU wrote:

> Hi,
> 
> Thanks for your replies.
> 
> The possible security breach is clear to me: I would never redirect to a redirect_uri URL if I didn't validate the client_id and if it didn't match the associated registered redirection URL.
> 
> My understanding of Torsten's message is that the error page is in a free HTML format for the end user with HTTP code 200 (status: OK).
> 
> I think the spec could be more precise on this point.
> Thanks.
> 
> Best regards,
> Jérôme
> 
> 
> 
> 2012/7/4 John Bradley <ve7jtb@ve7jtb.com>
> Jerome,
> 
> If you redirect an error of any sort to the redirect_uri in the authorization request if the client_id is wrong or the URI doesn't match the registered one, you are creating an open redirector that can potentially be used for phishing or other attacks.
> 
> The redirect URIs are registered to prevent that. Not sending a response is intentional.
> 
> Regards
> John B.
> 
> On 2012-07-04, at 1:31 PM, Torsten Lodderstedt wrote:
> 
>> Hi Jerome,
>> 
>> I read the introduction of 4.1.2.1 as follows: The authorization server shall display an error message to the end-user. So no HTTP error code required.
>> 
>> best regards,
>> Torsten.
>> 
>> On 21.06.2012 21:40, Jérôme LELEU wrote:
>>> Hi,
>>> 
>>> I'm trying to implement OAuth 2.0 provider support and, in particular, right handling of errors.
>>> 
>>> Following the OAuth 2.0 spec: http://tools.ietf.org/html/draft-ietf-oauth-v2-28, I don't understand the authorization request errors: part 4.1.2.1.
>>> If I have a valid redirection URL, I understand that an error should be returned with GET parameters (error, error_description...) in the redirected URL as shown in the example.
>>> But in case of an invalid redirection URL or unknown client_id (which makes validation of the redirection URL impossible), what HTTP code should I return? 500? 400? What should be the format of the error message? JSON? plaintext? like a POST body?
>>> 
>>> I'm certainly misunderstanding OAuth spec, but I would appreciate any help.
>>> Thanks.
>>> Best regards,
>>> Jérôme
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
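As an added illustration, not code from this thread or from any OAuth implementation discussed in it, here are the two error paths the participants describe for the authorization endpoint of draft-ietf-oauth-v2-28 section 4.1.2.1: an unknown client_id or a missing/mismatching redirect_uri is shown to the user in-place and never redirected, while any other error is redirected to the validated redirect_uri with error parameters. The client registry, the error page markup and the authorization code value are constructed placeholders.

```python
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Constructed client registry (assumption): client_id -> registered redirect URI.
REGISTERED_CLIENTS = {"s6BhdRkqt3": "https://client.example.com/cb"}

# Constructed user-facing error page; served with 200 OK, as the thread describes.
ERROR_PAGE = ("<html><body><h1>Invalid authorization request</h1>"
              "<p>Unknown client_id or redirect_uri mismatch.</p></body></html>")


def add_query(redirect_uri, extra):
    """Append parameters to an already-validated redirect URI, keeping its query."""
    parts = urlparse(redirect_uri)
    query = dict(parse_qsl(parts.query))
    query.update(extra)
    return urlunparse(parts._replace(query=urlencode(query)))


def handle_authorization_request(params):
    """Return (status, headers, body) for a request to the authorization endpoint.

    Path 1: client_id unknown, or redirect_uri absent/different from the
    registered value -> inform the user directly, never redirect (an automatic
    redirect here would make the server an open redirector).
    Path 2: any other error -> redirect with error parameters, echoing state.
    """
    registered = REGISTERED_CLIENTS.get(params.get("client_id"))
    # A missing redirect_uri falls back to the registered one; a supplied one
    # must match it exactly (simple string comparison, no prefix matching).
    redirect_uri = params.get("redirect_uri", registered)
    if registered is None or redirect_uri != registered:
        return 200, {"Content-Type": "text/html"}, ERROR_PAGE

    state = {"state": params["state"]} if "state" in params else {}
    if params.get("response_type") != "code":
        location = add_query(redirect_uri, {
            "error": "unsupported_response_type",
            "error_description": "only response_type=code is supported",
            **state})
        return 302, {"Location": location}, ""

    # Constructed placeholder: a real server issues a fresh, single-use code here.
    location = add_query(redirect_uri, {"code": "CONSTRUCTED_CODE", **state})
    return 302, {"Location": location}, ""
```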