Re: [OAUTH-WG] Section 7.2
Eran Hammer <eran@hueniverse.com> Mon, 18 June 2012 17:13 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6501121F86F2 for <oauth@ietfa.amsl.com>; Mon, 18 Jun 2012 10:13:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.98
X-Spam-Level:
X-Spam-Status: No, score=-1.98 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_SORBS_WEB=0.619]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LFybo2+uyoB0 for <oauth@ietfa.amsl.com>; Mon, 18 Jun 2012 10:13:49 -0700 (PDT)
Received: from p3plex2out01.prod.phx3.secureserver.net (p3plex2out01.prod.phx3.secureserver.net [184.168.131.12]) by ietfa.amsl.com (Postfix) with ESMTP id 890C721F86F1 for <oauth@ietf.org>; Mon, 18 Jun 2012 10:13:49 -0700 (PDT)
Received: from P3PWEX2HT003.ex2.secureserver.net ([184.168.131.11]) by p3plex2out01.prod.phx3.secureserver.net with bizsmtp id PtDp1j0010EuLVk01tDpJk; Mon, 18 Jun 2012 10:13:49 -0700
Received: from P3PWEX2MB008.ex2.secureserver.net ([169.254.8.66]) by P3PWEX2HT003.ex2.secureserver.net ([184.168.131.11]) with mapi id 14.02.0247.003; Mon, 18 Jun 2012 10:13:48 -0700
From: Eran Hammer <eran@hueniverse.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Mike Jones <Michael.Jones@microsoft.com>
Thread-Topic: [OAUTH-WG] Section 7.2
Thread-Index: Ac1KeB4PVUuFMDsJRu+q5d/rw0G4WQAO9iAAAA6cN3AAHFVLIP/+3oCAgAT2VMD//6kPAA==
Date: Mon, 18 Jun 2012 17:13:47 +0000
Message-ID: <0CBAEB56DDB3A140BA8E8C124C04ECA201077203@P3PWEX2MB008.ex2.secureserver.net>
References: <0CBAEB56DDB3A140BA8E8C124C04ECA201073394@P3PWEX2MB008.ex2.secureserver.net> <4E1F6AAD24975D4BA5B1680429673943665394D7@TK5EX14MBXC284.redmond.corp.microsoft.com> <0CBAEB56DDB3A140BA8E8C124C04ECA2010734C5@P3PWEX2MB008.ex2.secureserver.net> <0CBAEB56DDB3A140BA8E8C124C04ECA201073573@P3PWEX2MB008.ex2.secureserver.net> <4E1F6AAD24975D4BA5B168042967394366539839@TK5EX14MBXC284.redmond.corp.microsoft.com> <3929B3F4-D3B3-4CAB-BB22-CFA5BFBBE8E5@gmx.net> <4E1F6AAD24975D4BA5B16804296739436654F446@TK5EX14MBXC283.redmond.corp.microsoft.com> <D8EF5B5C-56B6-4B17-8AB2-83DD116D9549@gmx.net>
In-Reply-To: <D8EF5B5C-56B6-4B17-8AB2-83DD116D9549@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [80.36.76.35]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Section 7.2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jun 2012 17:13:50 -0000
Same as any SHOULD. Do it unless you have a good reason not to. We have plenty of other SHOULDs without any detailed explanation of the qualifications. EH > -----Original Message----- > From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net] > Sent: Monday, June 18, 2012 5:02 AM > To: Mike Jones > Cc: Hannes Tschofenig; Eran Hammer; oauth@ietf.org WG (oauth@ietf.org) > Subject: Re: [OAUTH-WG] Section 7.2 > > Hi Mike, > > this text below does not prohibit error information to be sent back to the > client (otherwise there would be a MUST NOT). > > So, if a developer reads this below then when should he send an error > response and when not? > > Ciao > Hannes > > PS: (I also believe that the "i.e." should rather be a "e.g." in the text below.) > > On Jun 15, 2012, at 10:06 PM, Mike Jones wrote: > > > There are cases where the OAuth specs specifically *prohibit* returning an > error code or other error information, for security reasons. For instance, > http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20#section-3.1 > contains the language: > > > > If the request lacks any authentication information (i.e. the client > > was unaware authentication is necessary or attempted using an > > unsupported authentication method), the resource server SHOULD NOT > > include an error code or other error information. > > > > Hence, the SHOULDs, rather than MUSTs. > > > > -- Mike > > > > -----Original Message----- > > From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net] > > Sent: Friday, June 15, 2012 11:28 AM > > To: Mike Jones > > Cc: Hannes Tschofenig; Eran Hammer; oauth@ietf.org WG > (oauth@ietf.org) > > Subject: Re: [OAUTH-WG] Section 7.2 > > > > Hi Mike, > > > > I personally would find it better to have fewer SHOULDs. Most of them > have been there for a long time and so it is a bit late to complain but the > challenge for protocol architectures is to figure out under what conditions > they should do certain things. > > > > > Additionally, I don't buy the argument that a server should not provide > error responses (or to be only very brief, or even misleading) for a security > point of view because attackers typically know more than ordinary > developers or users and so you end up with a system that the normal user is > unable to work with (in a failure case) but adversaries nevertheless get what > they want. This comment relates to the first sentence that gives me the > impression that the server may not send any error message in case of a > failure, which sounds strange to me. > > > > Ciao > > Hannes > > > > On Jun 15, 2012, at 4:15 AM, Mike Jones wrote: > > > >> Thanks for writing the text below. It looks fine to me. About adding the > other error parameters as suggestions, that seems like a reasonable thing to > do. How about the text at the end below, which adds mentions of > error_description and error_uri? > >> > >> 7.2. Error Response > >> > >> If a resource access request fails, the resource server SHOULD inform > >> the client of the error. While the specifics of such error responses > >> are beyond the scope of this specification, this documents establishes > >> a common registry for error values to be shared among OAuth token > >> authentication schemes. > >> > >> New authentication schemes designed primarily for OAuth token > >> authentication SHOULD define a mechanism for providing an > >> error status code to the client, in which the error values allowed are > >> registered in the error registry established by this specification. Such > >> schemes MAY limit the set of valid error codes to a subset of the > >> registered values. If the error code is returned using a named parameter, > >> the parameter name SHOULD be "error". > >> > >> Other schemes capable of being used for OAuth token authentication, > but > >> not primarily designed for that purpose, MAY bind their error values to > the > >> registry in the same manner. > >> > >> New authentication schemes MAY choose to also specify the use of the > >> "error_description" and "error_uri" parameters to return error > information > >> in a manner parallel to their usage in this specification. > >> > >> > >> -- Mike > >> > >> P.S. If you already have the text you wrote in a copy of the draft, you > should apply these spelling corrections: > >> desgined -> designed > >> authentiction -> authentication > >> > >> -----Original Message----- > >> From: Eran Hammer [mailto:eran@hueniverse.com] > >> Sent: Thursday, June 14, 2012 3:29 PM > >> To: Eran Hammer; Mike Jones; oauth@ietf.org WG (oauth@ietf.org) > >> Subject: RE: [OAUTH-WG] Section 7.2 > >> > >> Mike - if you want to add the other error parameters as suggestions, that > would be fine by me. > >> > >> EH > >> > >>> -----Original Message----- > >>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On > >>> Behalf Of Eran Hammer > >>> Sent: Thursday, June 14, 2012 3:23 PM > >>> To: Mike Jones; oauth@ietf.org WG (oauth@ietf.org) > >>> Subject: Re: [OAUTH-WG] Section 7.2 > >>> > >>> 7.2. Error Response > >>> > >>> If a resource access request fails, the resource server SHOULD inform > >>> the client of the error. While the specifics of such error responses > >>> are beyond the scope of this specification, this documents establishes > >>> a common registry for error values to be shared among OAuth token > >>> authentication schemes. > >>> > >>> New authentication schemes desgined primarily for OAuth token > >>> authentiction SHOULD define a mechanism for providing an > >>> error status code to the client, in which the error values allowed are > >>> registered in the error registry established by this specification. Such > >>> schemes MAY limit the set of valid error codes to a subset of the > >>> registered values. If the error code is returned using a named > parameter, > >>> the parameter name SHOULD be "error". > >>> > >>> Other schemes capable of being used for OAuth token authentication, > but > >>> not primarily designed for that purpose, MAY bind their error values to > the > >>> registry in the same manner. > >>> > >>> EH > >>> > >>> _______________________________________________ > >>> OAuth mailing list > >>> OAuth@ietf.org > >>> https://www.ietf.org/mailman/listinfo/oauth > >> > >> _______________________________________________ > >> OAuth mailing list > >> OAuth@ietf.org > >> https://www.ietf.org/mailman/listinfo/oauth > > > > > >
- Re: [OAUTH-WG] Section 7.2 Mike Jones
- [OAUTH-WG] Section 7.2 Eran Hammer
- Re: [OAUTH-WG] Section 7.2 Eran Hammer
- Re: [OAUTH-WG] Section 7.2 Eran Hammer
- Re: [OAUTH-WG] Section 7.2 Mike Jones
- Re: [OAUTH-WG] Section 7.2 Eran Hammer
- Re: [OAUTH-WG] Section 7.2 William Mills
- Re: [OAUTH-WG] Section 7.2 Hannes Tschofenig
- Re: [OAUTH-WG] Section 7.2 Mike Jones
- Re: [OAUTH-WG] Section 7.2 Mike Jones
- Re: [OAUTH-WG] Section 7.2 Eran Hammer
- Re: [OAUTH-WG] Section 7.2 Mike Jones
- Re: [OAUTH-WG] Section 7.2 Hannes Tschofenig
- Re: [OAUTH-WG] Section 7.2 Eran Hammer