Re: [OAUTH-WG] Missing response_type with implicit and code flows on the same path

John Bradley <ve7jtb@ve7jtb.com> Wed, 10 February 2016 13:30 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D03741B2AA9 for <oauth@ietfa.amsl.com>; Wed, 10 Feb 2016 05:30:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9vcYeVyWXbP6 for <oauth@ietfa.amsl.com>; Wed, 10 Feb 2016 05:30:40 -0800 (PST)
Received: from mail-qk0-x230.google.com (mail-qk0-x230.google.com [IPv6:2607:f8b0:400d:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC9C71B2A9E for <oauth@ietf.org>; Wed, 10 Feb 2016 05:30:39 -0800 (PST)
Received: by mail-qk0-x230.google.com with SMTP id x1so6576809qkc.1 for <oauth@ietf.org>; Wed, 10 Feb 2016 05:30:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=1fVvjqGkFfcK8MtSJDnnAZe4s5DNo/ZGN59RwPQknWY=; b=CE56dS8VjSsJjc8kOwejtjf72CeoYmyDfQ8qDX5TgscgKCd3TjQx7IvKQGHWRIpjoO 0SsnCYobbjn2D+2EtuZhnBAdEH8gFapkQ++FKF5H8Yy4dLjJl2Ga+lW/odVV/ciqkehj BKLzLwV0UOuEFJ223Zeaype/bBuhNtQCfRNIn4K/W+adTGHWzfroHmoCg2yH8MFAgH0V BNTx3DURBYOSoW2VwbKrt4i2ZjyPMZvzQxyK1G6c2k9WOvswxEu5XxGxveUfokb/sSXL zkGvY/qDxz/p+jIeTU5s9/nZ27+griIeEO3hQsB8nFyuTNyQe47rUeTon5BX9y4pj6Th mMkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=1fVvjqGkFfcK8MtSJDnnAZe4s5DNo/ZGN59RwPQknWY=; b=AfjPGtw3WU7kSUhWawDklX/ld3dmpyKnsCT6D2p5uAqXwIiN+M2ejNEuQB7HjdhdpP 35Ta9AKnOuNK8KjEYBwNNPFrJRadH3wobX48gh0lwotQykArFnmZY1dYGmAM876Z1dec knhzearBcKwe5yKUoqTQ+cX9oqyE3GqwhlVH+z3rpJjWzP/gQT2nVAskaUI+Dt1wHuiZ M3F6bviC8bysevzf9oIEdYfRXc7pbUA4b5croyIaA+5jq8p88+vXRb0KUA6Ha/EK9cyR ws5EEWrJF/g1nvuOium7lEuFr68AGLUzKi+8k6ZRYHT8nDzrz5r3paDzYLCe0Nn6EXgR /CJg==
X-Gm-Message-State: AG10YOTLbfa+sZE4F5PtXw6WjSXQmMllsG3HeJ9P1/tKNI5gZDZ0f8LIEgYdpmvAta+xwQ==
X-Received: by 10.55.76.213 with SMTP id z204mr47982283qka.58.1455111038799; Wed, 10 Feb 2016 05:30:38 -0800 (PST)
Received: from [192.168.1.68] ([191.115.118.180]) by smtp.gmail.com with ESMTPSA id g130sm1270904qkb.28.2016.02.10.05.30.36 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 10 Feb 2016 05:30:37 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_2E4C1641-1F6D-41B2-9566-F5D15AF03DE1"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <56BB0C6C.1060507@gmail.com>
Date: Wed, 10 Feb 2016 10:30:27 -0300
Message-Id: <C3A621FA-B558-4254-938B-6538418F8AE1@ve7jtb.com>
References: <56B3A400.2080606@gmx.net> <62D1E1DB-17A4-4ABD-81F3-8659F40D7E88@mit.edu> <CAOahYUxSMopc0hoXG8ocMk+p1b__NqapuztuHiWchpYRQqvP2w@mail.gmail.com> <9DC45CB4-07D8-4F17-8311-02AD60521379@ve7jtb.com> <CAAP42hBnZMV51vcL2GQD6kbCS7aDC0pz0KP-nMsoT0j+EgkiGg@mail.gmail.com> <56B9FA20.60509@gmail.com> <56BA0F42.5070702@connect2id.com> <56BA11ED.6080109@gmail.com> <56BAEDC7.4040806@connect2id.com> <56BB0C6C.1060507@gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/f769swZZZIqY49ADqGtG02a_Cy8>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Missing response_type with implicit and code flows on the same path
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Feb 2016 13:30:43 -0000

This trick works for the response types that use the GET POST and fragment encoded response modes. 

In the future if we do a Java Script response mode as is being proposed that might not always be the case.

Just a heads up.

Regards
John B.
> On Feb 10, 2016, at 7:09 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
> 
> Hi
> 
> I got it, thanks for clarifying the idea :-)
> 
> Thanks, Sergey
> On 10/02/16 07:59, Vladimir Dzhuvinov wrote:
>> 
>> 
>> On 09/02/16 18:21, Sergey Beryozkin wrote:
>>> Hi Vladimir
>>> 
>>> Thanks for the response,
>>> On 09/02/16 16:09, Vladimir Dzhuvinov wrote:
>>>> Hi Sergey,
>>>> 
>>>> Yes, HTTP 400 is one way to handle a missing response_type with a
>>>> "universal" authz endpoint.
>>>> 
>>> Indeed, looks like it makes sense
>>>> Or, you could encode the error in the query string as well as the
>>>> fragment, and redirect back to the client.
>>>> 
>>> I'm not sure if that can be done in a 'universal' endpoint case
>>> because it is not known if a client is running in the implicit context
>>> or code flow context. Though I guess it a client is restricted at the
>>> registration time to run only in the code or implicit flows then it
>>> will provide a hint...
>> 
>> If you set both the query and the fragment you'll take care of both flows :)
>>> 
>>> Cheers, Sergey
>>> 
>>>> Vladimir
>>>> 
>>>> 
>>>> On 09/02/16 16:39, Sergey Beryozkin wrote:
>>>>> Hi
>>>>> 
>>>>> OAuth2 spec recommends how to deal with a missing response_type, set
>>>>> an error as a query or fragment parameter, depending on whether it is
>>>>> the authorization code or implicit flow and redirect.
>>>>> 
>>>>> This implies that authorization code and implicit handlers listen on
>>>>> different paths, for example,
>>>>> 
>>>>> code: /code
>>>>> implicit: /implicit
>>>>> 
>>>>> so if a response type is missing the handler will know how to set the
>>>>> error on the redirect uri, as a query or a fragment.....
>>>>> 
>>>>> However, I'd like to have a single handler, example (from the OIDC
>>>>> core):
>>>>> 
>>>>> "https://server.example.com/authorize"
>>>>> 
>>>>> which will support both the code and implicit flows.
>>>>> 
>>>>> Here, 'response_type' is an obvious hint on what kind of flow is in
>>>>> process, however, if it is missing, how will a server know how to
>>>>> report a missing response_type error if it uses a shared "/authorize"
>>>>> path.
>>>>> 
>>>>> I think in such cases reporting 400 is reasonable. Do you agree ?
>>>>> 
>>>>> Thanks, Sergey
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>> 
>>> 
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth