IETF Logo Mail Archive

Re: [OAUTH-WG] Section 7.2

Eran Hammer <eran@hueniverse.com> Mon, 18 June 2012 17:13 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6501121F86F2 for <oauth@ietfa.amsl.com>; Mon, 18 Jun 2012 10:13:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.98
X-Spam-Level:
X-Spam-Status: No, score=-1.98 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_SORBS_WEB=0.619]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LFybo2+uyoB0 for <oauth@ietfa.amsl.com>; Mon, 18 Jun 2012 10:13:49 -0700 (PDT)
Received: from p3plex2out01.prod.phx3.secureserver.net (p3plex2out01.prod.phx3.secureserver.net [184.168.131.12]) by ietfa.amsl.com (Postfix) with ESMTP id 890C721F86F1 for <oauth@ietf.org>; Mon, 18 Jun 2012 10:13:49 -0700 (PDT)
Received: from P3PWEX2HT003.ex2.secureserver.net ([184.168.131.11]) by p3plex2out01.prod.phx3.secureserver.net with bizsmtp id PtDp1j0010EuLVk01tDpJk; Mon, 18 Jun 2012 10:13:49 -0700
Received: from P3PWEX2MB008.ex2.secureserver.net ([169.254.8.66]) by P3PWEX2HT003.ex2.secureserver.net ([184.168.131.11]) with mapi id 14.02.0247.003; Mon, 18 Jun 2012 10:13:48 -0700
From: Eran Hammer <eran@hueniverse.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Mike Jones <Michael.Jones@microsoft.com>
Thread-Topic: [OAUTH-WG] Section 7.2
Thread-Index: Ac1KeB4PVUuFMDsJRu+q5d/rw0G4WQAO9iAAAA6cN3AAHFVLIP/+3oCAgAT2VMD//6kPAA==
Date: Mon, 18 Jun 2012 17:13:47 +0000
Message-ID: <0CBAEB56DDB3A140BA8E8C124C04ECA201077203@P3PWEX2MB008.ex2.secureserver.net>
References: <0CBAEB56DDB3A140BA8E8C124C04ECA201073394@P3PWEX2MB008.ex2.secureserver.net> <4E1F6AAD24975D4BA5B1680429673943665394D7@TK5EX14MBXC284.redmond.corp.microsoft.com> <0CBAEB56DDB3A140BA8E8C124C04ECA2010734C5@P3PWEX2MB008.ex2.secureserver.net> <0CBAEB56DDB3A140BA8E8C124C04ECA201073573@P3PWEX2MB008.ex2.secureserver.net> <4E1F6AAD24975D4BA5B168042967394366539839@TK5EX14MBXC284.redmond.corp.microsoft.com> <3929B3F4-D3B3-4CAB-BB22-CFA5BFBBE8E5@gmx.net> <4E1F6AAD24975D4BA5B16804296739436654F446@TK5EX14MBXC283.redmond.corp.microsoft.com> <D8EF5B5C-56B6-4B17-8AB2-83DD116D9549@gmx.net>
In-Reply-To: <D8EF5B5C-56B6-4B17-8AB2-83DD116D9549@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [80.36.76.35]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Section 7.2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jun 2012 17:13:50 -0000

Same as any SHOULD. Do it unless you have a good reason not to. We have plenty of other SHOULDs without any detailed explanation of the qualifications.

EH

> -----Original Message-----
> From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net]
> Sent: Monday, June 18, 2012 5:02 AM
> To: Mike Jones
> Cc: Hannes Tschofenig; Eran Hammer; oauth@ietf.org WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] Section 7.2
> 
> Hi Mike,
> 
> this text below does not prohibit error information to be sent back to the
> client (otherwise there would be a MUST NOT).
> 
> So, if a developer reads this below then when should he send an error
> response and when not?
> 
> Ciao
> Hannes
> 
> PS: (I also believe that the "i.e." should rather be a "e.g." in the text below.)
> 
> On Jun 15, 2012, at 10:06 PM, Mike Jones wrote:
> 
> > There are cases where the OAuth specs specifically *prohibit* returning an
> error code or other error information, for security reasons.  For instance,
> http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20#section-3.1
> contains the language:
> >
> >   If the request lacks any authentication information (i.e. the client
> >   was unaware authentication is necessary or attempted using an
> >   unsupported authentication method), the resource server SHOULD NOT
> >   include an error code or other error information.
> >
> > Hence, the SHOULDs, rather than MUSTs.
> >
> > 				-- Mike
> >
> > -----Original Message-----
> > From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net]
> > Sent: Friday, June 15, 2012 11:28 AM
> > To: Mike Jones
> > Cc: Hannes Tschofenig; Eran Hammer; oauth@ietf.org WG
> (oauth@ietf.org)
> > Subject: Re: [OAUTH-WG] Section 7.2
> >
> > Hi Mike,
> >
> > I personally would find it better to have fewer SHOULDs. Most of them
> have been there for a long time and so it is a bit late to complain but the
> challenge for protocol architectures is to figure out under what conditions
> they should do certain things.
> 
> >
> > Additionally, I don't buy the argument that a server should not provide
> error responses (or to be only very brief, or even misleading) for a security
> point of view because attackers typically know more than ordinary
> developers or users and so you end up with a system that the normal user is
> unable to work with (in a failure case) but adversaries nevertheless get what
> they want. This comment relates to the first sentence that gives me the
> impression that the server may not send any error message in case of a
> failure, which sounds strange to me.
> >
> > Ciao
> > Hannes
> >
> > On Jun 15, 2012, at 4:15 AM, Mike Jones wrote:
> >
> >> Thanks for writing the text below.  It looks fine to me.  About adding the
> other error parameters as suggestions, that seems like a reasonable thing to
> do.  How about the text at the end below, which adds mentions of
> error_description and error_uri?
> >>
> >> 7.2.  Error Response
> >>
> >>   If a resource access request fails, the resource server SHOULD inform
> >>   the client of the error.  While the specifics of such error responses
> >>   are beyond the scope of this specification, this documents establishes
> >>   a common registry for error values to be shared among OAuth token
> >>   authentication schemes.
> >>
> >>   New authentication schemes designed primarily for OAuth token
> >>   authentication SHOULD define a mechanism for providing an
> >>   error status code to the client, in which the error values allowed are
> >>   registered in the error registry established by this specification. Such
> >>   schemes MAY limit the set of valid error codes to a subset of the
> >>   registered values. If the error code is returned using a named parameter,
> >>   the parameter name SHOULD be "error".
> >>
> >>   Other schemes capable of being used for OAuth token authentication,
> but
> >>   not primarily designed for that purpose, MAY bind their error values to
> the
> >>   registry in the same manner.
> >>
> >>   New authentication schemes MAY choose to also specify the use of the
> >>   "error_description" and "error_uri" parameters to return error
> information
> >>   in a manner parallel to their usage in this specification.
> >>
> >>
> >>                                                            -- Mike
> >>
> >> P.S.  If you already have the text you wrote in a copy of the draft, you
> should apply these spelling corrections:
> >>               desgined -> designed
> >>               authentiction -> authentication
> >>
> >> -----Original Message-----
> >> From: Eran Hammer [mailto:eran@hueniverse.com]
> >> Sent: Thursday, June 14, 2012 3:29 PM
> >> To: Eran Hammer; Mike Jones; oauth@ietf.org WG (oauth@ietf.org)
> >> Subject: RE: [OAUTH-WG] Section 7.2
> >>
> >> Mike - if you want to add the other error parameters as suggestions, that
> would be fine by me.
> >>
> >> EH
> >>
> >>> -----Original Message-----
> >>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
> >>> Behalf Of Eran Hammer
> >>> Sent: Thursday, June 14, 2012 3:23 PM
> >>> To: Mike Jones; oauth@ietf.org WG (oauth@ietf.org)
> >>> Subject: Re: [OAUTH-WG] Section 7.2
> >>>
> >>> 7.2.  Error Response
> >>>
> >>>   If a resource access request fails, the resource server SHOULD inform
> >>>   the client of the error.  While the specifics of such error responses
> >>>   are beyond the scope of this specification, this documents establishes
> >>>   a common registry for error values to be shared among OAuth token
> >>>   authentication schemes.
> >>>
> >>>   New authentication schemes desgined primarily for OAuth token
> >>>   authentiction SHOULD define a mechanism for providing an
> >>>   error status code to the client, in which the error values allowed are
> >>>   registered in the error registry established by this specification. Such
> >>>   schemes MAY limit the set of valid error codes to a subset of the
> >>>   registered values. If the error code is returned using a named
> parameter,
> >>>   the parameter name SHOULD be "error".
> >>>
> >>>   Other schemes capable of being used for OAuth token authentication,
> but
> >>>   not primarily designed for that purpose, MAY bind their error values to
> the
> >>>   registry in the same manner.
> >>>
> >>> EH
> >>>
> >>> _______________________________________________
> >>> OAuth mailing list
> >>> OAuth@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >
> >
> >

v2.23.0 | Report a Bug | By Email