Re: [OAUTH-WG] Request sent to http: instead of https:`

Paul Tarjan <paul.tarjan@facebook.com> Wed, 13 October 2010 20:44 UTC

From: Paul Tarjan <paul.tarjan@facebook.com>
To: Breno <breno.demedeiros@gmail.com>
Thread-Topic: [OAUTH-WG] Request sent to http: instead of https:`
Thread-Index: AQHLawTe+snTrHx/JUC4TZ4mTPil45M/zqCA
Date: Wed, 13 Oct 2010 20:46:07 +0000
Message-ID: <2CF95A0F-D113-450D-8E1A-93944F1EAE77@facebook.com>
References: <AANLkTikO0oqudUchUnpW0vSsXe0k6QKkJpxjFUU+b413@mail.gmail.com>
In-Reply-To: <AANLkTikO0oqudUchUnpW0vSsXe0k6QKkJpxjFUU+b413@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Request sent to http: instead of https:`

At Facebook we issue an HTTP 400 with "invalid_request" as the error.

http://graph.facebook.com/me?access_token=blah&client_id=150629244948164

(the client_id is to enable draft-10 error messaging).

On Oct 13, 2010, at 11:31 AM, Breno wrote:

Suppose server A documents that their endpoint X is at
https://server.example.com/x; there's no service at the corresponding
http location for security reasons.

Client developer fatfingers URL as http://server.example.com/x

What is the correct response? I understand that this is out of scope
for the spec, but maybe there's agreement on some guidance?

One thing one shouldn't do is serve a 302 here; it would allow
defective clients to remain unpatched.

My preference is to simply return a bare 403 or 404 here -- after all
the endpoint does not exist (404) or if one uses the convention that
resources at http/https are usually identical, then http is a
non-authorized method to access the resource (403).

Thoughts?

--
Breno de Medeiros
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
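As an added example (not code from either poster, nor Facebook's), here is a small WSGI-style handler that implements the two answers discussed in this thread for a request that arrives over plain http at an https-only endpoint: the HTTP 400 with "invalid_request" from the reply above, and the bare 404 from the original question, with no redirect in either case. The endpoint paths, the JSON error body shape, and the X-Forwarded-Proto handling are assumptions.

```python
import json

# Policy for requests that arrive over plaintext HTTP at an endpoint that is
# only served over HTTPS. Constructed example; not Facebook's or IETF code.
# REJECT_400 mirrors the reply above (HTTP 400, error "invalid_request");
# REJECT_404 mirrors the "endpoint does not exist" option from the question.
REJECT_400 = "reject_400"
REJECT_404 = "reject_404"

HTTPS_ONLY_PATHS = {"/me", "/oauth/token"}  # assumed https-only paths


def request_scheme(environ, trust_proxy_header=False):
    """Scheme the client actually used. Behind a TLS-terminating proxy the
    app sees 'http' in wsgi.url_scheme, so X-Forwarded-Proto is consulted
    only when the operator has declared the proxy trusted."""
    if trust_proxy_header:
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
        if forwarded:
            return forwarded.split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http").lower()


def plaintext_policy(environ, policy=REJECT_400, trust_proxy_header=False):
    """Return (status, headers, body) for a request, refusing plaintext
    access to https-only endpoints without a redirect. A 302 to the https:
    URL would let a client that already sent its token over http keep
    working unpatched, so no Location header is ever emitted here."""
    path = environ.get("PATH_INFO", "/")
    if path in HTTPS_ONLY_PATHS and request_scheme(environ, trust_proxy_header) != "https":
        if policy == REJECT_404:
            return 404, {"Content-Type": "text/plain"}, "Not Found"
        body = json.dumps({
            "error": "invalid_request",
            "error_description": "this endpoint is only available over https",
        })
        return 400, {"Content-Type": "application/json", "Cache-Control": "no-store"}, body
    # Over https (or a public path) the request proceeds to normal handling.
    return 200, {"Content-Type": "application/json"}, json.dumps({"ok": True})
```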