Re: [OAUTH-WG] Missing response_type with implicit and code flows on the same path
John Bradley <ve7jtb@ve7jtb.com> Wed, 10 February 2016 13:30 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D03741B2AA9 for <oauth@ietfa.amsl.com>; Wed, 10 Feb 2016 05:30:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9vcYeVyWXbP6 for <oauth@ietfa.amsl.com>; Wed, 10 Feb 2016 05:30:40 -0800 (PST)
Received: from mail-qk0-x230.google.com (mail-qk0-x230.google.com [IPv6:2607:f8b0:400d:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC9C71B2A9E for <oauth@ietf.org>; Wed, 10 Feb 2016 05:30:39 -0800 (PST)
Received: by mail-qk0-x230.google.com with SMTP id x1so6576809qkc.1 for <oauth@ietf.org>; Wed, 10 Feb 2016 05:30:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=1fVvjqGkFfcK8MtSJDnnAZe4s5DNo/ZGN59RwPQknWY=; b=CE56dS8VjSsJjc8kOwejtjf72CeoYmyDfQ8qDX5TgscgKCd3TjQx7IvKQGHWRIpjoO 0SsnCYobbjn2D+2EtuZhnBAdEH8gFapkQ++FKF5H8Yy4dLjJl2Ga+lW/odVV/ciqkehj BKLzLwV0UOuEFJ223Zeaype/bBuhNtQCfRNIn4K/W+adTGHWzfroHmoCg2yH8MFAgH0V BNTx3DURBYOSoW2VwbKrt4i2ZjyPMZvzQxyK1G6c2k9WOvswxEu5XxGxveUfokb/sSXL zkGvY/qDxz/p+jIeTU5s9/nZ27+griIeEO3hQsB8nFyuTNyQe47rUeTon5BX9y4pj6Th mMkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=1fVvjqGkFfcK8MtSJDnnAZe4s5DNo/ZGN59RwPQknWY=; b=AfjPGtw3WU7kSUhWawDklX/ld3dmpyKnsCT6D2p5uAqXwIiN+M2ejNEuQB7HjdhdpP 35Ta9AKnOuNK8KjEYBwNNPFrJRadH3wobX48gh0lwotQykArFnmZY1dYGmAM876Z1dec knhzearBcKwe5yKUoqTQ+cX9oqyE3GqwhlVH+z3rpJjWzP/gQT2nVAskaUI+Dt1wHuiZ M3F6bviC8bysevzf9oIEdYfRXc7pbUA4b5croyIaA+5jq8p88+vXRb0KUA6Ha/EK9cyR ws5EEWrJF/g1nvuOium7lEuFr68AGLUzKi+8k6ZRYHT8nDzrz5r3paDzYLCe0Nn6EXgR /CJg==
X-Gm-Message-State: AG10YOTLbfa+sZE4F5PtXw6WjSXQmMllsG3HeJ9P1/tKNI5gZDZ0f8LIEgYdpmvAta+xwQ==
X-Received: by 10.55.76.213 with SMTP id z204mr47982283qka.58.1455111038799; Wed, 10 Feb 2016 05:30:38 -0800 (PST)
Received: from [192.168.1.68] ([191.115.118.180]) by smtp.gmail.com with ESMTPSA id g130sm1270904qkb.28.2016.02.10.05.30.36 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 10 Feb 2016 05:30:37 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_2E4C1641-1F6D-41B2-9566-F5D15AF03DE1"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <56BB0C6C.1060507@gmail.com>
Date: Wed, 10 Feb 2016 10:30:27 -0300
Message-Id: <C3A621FA-B558-4254-938B-6538418F8AE1@ve7jtb.com>
References: <56B3A400.2080606@gmx.net> <62D1E1DB-17A4-4ABD-81F3-8659F40D7E88@mit.edu> <CAOahYUxSMopc0hoXG8ocMk+p1b__NqapuztuHiWchpYRQqvP2w@mail.gmail.com> <9DC45CB4-07D8-4F17-8311-02AD60521379@ve7jtb.com> <CAAP42hBnZMV51vcL2GQD6kbCS7aDC0pz0KP-nMsoT0j+EgkiGg@mail.gmail.com> <56B9FA20.60509@gmail.com> <56BA0F42.5070702@connect2id.com> <56BA11ED.6080109@gmail.com> <56BAEDC7.4040806@connect2id.com> <56BB0C6C.1060507@gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/f769swZZZIqY49ADqGtG02a_Cy8>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Missing response_type with implicit and code flows on the same path
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Feb 2016 13:30:43 -0000
This trick works for the response types that use the GET POST and fragment encoded response modes. In the future if we do a Java Script response mode as is being proposed that might not always be the case. Just a heads up. Regards John B. > On Feb 10, 2016, at 7:09 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote: > > Hi > > I got it, thanks for clarifying the idea :-) > > Thanks, Sergey > On 10/02/16 07:59, Vladimir Dzhuvinov wrote: >> >> >> On 09/02/16 18:21, Sergey Beryozkin wrote: >>> Hi Vladimir >>> >>> Thanks for the response, >>> On 09/02/16 16:09, Vladimir Dzhuvinov wrote: >>>> Hi Sergey, >>>> >>>> Yes, HTTP 400 is one way to handle a missing response_type with a >>>> "universal" authz endpoint. >>>> >>> Indeed, looks like it makes sense >>>> Or, you could encode the error in the query string as well as the >>>> fragment, and redirect back to the client. >>>> >>> I'm not sure if that can be done in a 'universal' endpoint case >>> because it is not known if a client is running in the implicit context >>> or code flow context. Though I guess it a client is restricted at the >>> registration time to run only in the code or implicit flows then it >>> will provide a hint... >> >> If you set both the query and the fragment you'll take care of both flows :) >>> >>> Cheers, Sergey >>> >>>> Vladimir >>>> >>>> >>>> On 09/02/16 16:39, Sergey Beryozkin wrote: >>>>> Hi >>>>> >>>>> OAuth2 spec recommends how to deal with a missing response_type, set >>>>> an error as a query or fragment parameter, depending on whether it is >>>>> the authorization code or implicit flow and redirect. >>>>> >>>>> This implies that authorization code and implicit handlers listen on >>>>> different paths, for example, >>>>> >>>>> code: /code >>>>> implicit: /implicit >>>>> >>>>> so if a response type is missing the handler will know how to set the >>>>> error on the redirect uri, as a query or a fragment..... >>>>> >>>>> However, I'd like to have a single handler, example (from the OIDC >>>>> core): >>>>> >>>>> "https://server.example.com/authorize" >>>>> >>>>> which will support both the code and implicit flows. >>>>> >>>>> Here, 'response_type' is an obvious hint on what kind of flow is in >>>>> process, however, if it is missing, how will a server know how to >>>>> report a missing response_type error if it uses a shared "/authorize" >>>>> path. >>>>> >>>>> I think in such cases reporting 400 is reasonable. Do you agree ? >>>>> >>>>> Thanks, Sergey >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >>> >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] OAuth 2.0 for Native Apps: Call for Ad… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth 2.0 for Native Apps: Call fo… Justin Richer
- Re: [OAUTH-WG] OAuth 2.0 for Native Apps: Call fo… Adam Lewis
- Re: [OAUTH-WG] OAuth 2.0 for Native Apps: Call fo… George Fletcher
- Re: [OAUTH-WG] OAuth 2.0 for Native Apps: Call fo… John Bradley
- Re: [OAUTH-WG] OAuth 2.0 for Native Apps: Call fo… William Denniss
- [OAUTH-WG] Missing response_type with implicit an… Sergey Beryozkin
- Re: [OAUTH-WG] Missing response_type with implici… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Missing response_type with implici… Sergey Beryozkin
- Re: [OAUTH-WG] Missing response_type with implici… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Missing response_type with implici… Sergey Beryozkin
- Re: [OAUTH-WG] Missing response_type with implici… John Bradley
- Re: [OAUTH-WG] OAuth 2.0 for Native Apps: Call fo… Eduardo Gueiros
- Re: [OAUTH-WG] OAuth 2.0 for Native Apps: Call fo… Thomas Broyer