Re: [OAUTH-WG] Authorization request errors

John Bradley <ve7jtb@ve7jtb.com> Wed, 04 July 2012 18:01 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <4FF47DDD.3010904@lodderstedt.net>
Date: Wed, 04 Jul 2012 14:01:34 -0400
Message-Id: <FB5E7652-FBD2-4F80-9633-DDEA00FFEB99@ve7jtb.com>
References: <CAP279LzK6LtYZRNU+vqP+NAYV2ehmeC6sdJ3f+EnpS5URZiV6w@mail.gmail.com> <4FF47DDD.3010904@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth@ietf.org, Jérôme LELEU <leleuj@gmail.com>
Subject: Re: [OAUTH-WG] Authorization request errors

Jerome,

If you redirect an error of any sort to the redirect_uri in the authorization request when the client_id is wrong or the URI doesn't match the registered one, you are creating an open redirector that can potentially be used for phishing or other attacks.

The redirect URIs are registered to prevent that. Not sending a response is intentional.

Regards
John B.

On 2012-07-04, at 1:31 PM, Torsten Lodderstedt wrote:

> Hi Jerome,
> 
> I read the introduction of 4.1.2.1 as follows: The authorization server shall display an error message to the end-user. So no HTTP error code required.
> 
> best regards,
> Torsten.
> 
> On 21.06.2012 21:40, Jérôme LELEU wrote:
>> Hi,
>> 
>> I'm trying to implement OAuth 2.0 provider support and, in particular, right handling of errors.
>> 
>> Following the OAuth 2.0 spec (http://tools.ietf.org/html/draft-ietf-oauth-v2-28), I don't understand the authorization request errors in part 4.1.2.1.
>> If I have a valid redirection URL, I understand that an error should be returned with GET parameters (error, error_description...) in the redirected URL as shown in the example.
>> But in case of an invalid redirection URL or unknown client_id (which makes validation of the redirection URL impossible), what HTTP code should I return? 500? 400? What should be the format of the error message? JSON? Plaintext? Like a POST body?
>> 
>> I'm certainly misunderstanding OAuth spec, but I would appreciate any help.
>> Thanks.
>> Best regards,
>> Jérôme
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
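The split John describes, between errors the authorization server may redirect to the client and errors it must only show to the end-user, is easy to get wrong in code. The following Python is an added example written for this page; it is not code from the thread or from any OAuth implementation. The client registry `REGISTERED_CLIENTS`, the function names, and the choice of HTTP 400 for the non-redirected error page are assumptions made for the example; the draft leaves that status code to the server.

```python
"""Authorization endpoint error handling: redirect only to a registered URI."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical client registry, constructed for this example. A real server
# would load this from its client database.
REGISTERED_CLIENTS = {
    "client-abc": {"redirect_uris": ("https://app.example.com/cb",)},
}


def registered_redirect_uri(client_id, requested_uri):
    """Return the redirect URI that may be used for this request, or None.

    None means the server has no trustworthy redirect target: the client_id
    is unknown, or the requested redirect_uri is not an exact registered
    match. Exact string comparison is deliberate; prefix or substring matching
    is what turns an authorization endpoint into an open redirector.
    """
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return None
    uris = client["redirect_uris"]
    if requested_uri is None:
        # An omitted redirect_uri is acceptable only when exactly one is registered.
        return uris[0] if len(uris) == 1 else None
    return requested_uri if requested_uri in uris else None


def error_redirect(redirect_uri, error, state=None, description=None):
    """Build a 302 to a *registered* redirect URI carrying the error
    parameters, preserving any query string registered with the URI."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("error", error))
    if description is not None:
        query.append(("error_description", description))
    if state is not None:
        query.append(("state", state))  # echoed so the client can correlate
    location = urlunsplit((parts.scheme, parts.netloc, parts.path,
                           urlencode(query), parts.fragment))
    return 302, {"Location": location}, ""


def handle_authorization_request(params):
    """Return (status, headers, body) for an authorization request.

    Errors fall into two classes, as in section 4.1.2.1 of the draft: those
    where the redirect target cannot be trusted (shown to the end-user, no
    redirect at all) and those where it can (redirected back to the client).
    """
    redirect_uri = registered_redirect_uri(params.get("client_id"),
                                           params.get("redirect_uri"))
    if redirect_uri is None:
        # Unknown client or unregistered URI: never redirect. Render an error
        # page to the end-user instead. The 400 status is a local choice.
        body = "Invalid client_id or redirect_uri; the request was not forwarded."
        return 400, {"Content-Type": "text/plain"}, body

    state = params.get("state")
    response_type = params.get("response_type")
    if response_type is None:
        return error_redirect(redirect_uri, "invalid_request", state,
                              "response_type is required")
    if response_type != "code":
        return error_redirect(redirect_uri, "unsupported_response_type", state)

    # Request is well formed; continue to authentication and consent.
    return 200, {"Content-Type": "text/plain"}, "proceed to user consent"


if __name__ == "__main__":
    # A link whose redirect_uri points at a host this client never registered:
    # the server answers with an error page and does not issue a redirect.
    print(handle_authorization_request({
        "client_id": "client-abc",
        "redirect_uri": "https://other.example/landing",
        "response_type": "code",
    }))
```

The important property is that `Location` is only ever built from a value taken out of the registry, never from the request. A request with an unknown `client_id` or an unregistered `redirect_uri` gets a local error page, so the authorization server cannot be used as a bounce point, while a request with a registered URI but, say, an unsupported `response_type` still gets the `error` and `state` parameters the client expects.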