Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication

Justin Richer <jricher@mitre.org> Mon, 19 December 2011 15:01 UTC

Message-ID: <4EEF51BE.7080202@mitre.org>
Date: Mon, 19 Dec 2011 10:01:18 -0500
From: Justin Richer <jricher@mitre.org>
To: Alexey Skolyarov <alexey.skolyarov@dins.ru>
References: <0433F58A304676408A8AF95199AFEB97CC1506@MS2.corp.dins.ru> <CABUp4f6Y=cvgM8T0VjuMo3RBC8Q4ru_QtT8Mg+_njud9kC7OOg@mail.gmail.com> <0433F58A304676408A8AF95199AFEB97CC157D@MS2.corp.dins.ru>
In-Reply-To: <0433F58A304676408A8AF95199AFEB97CC157D@MS2.corp.dins.ru>
Cc: "oauth@ietf.org" <oauth@ietf.org>, Buhake Sindi <buhake@googlemail.com>
Subject: Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication

The spec already says that you can't repeat request parameters on the 
line like that, so that's an invalid_request error, as described in 
section 5.2:


    5.2. Error Response

    The authorization server responds with an HTTP 400 (Bad Request)
    status code and includes the following parameters with the response:

    error
          REQUIRED.  A single error code from the following:
          invalid_request
                The request is missing a required parameter, includes an
                unsupported parameter value, repeats a parameter,
                includes multiple credentials, utilizes more than one
                mechanism for authenticating the client, or is otherwise
                malformed.

  -- Justin

On 12/19/2011 08:20 AM, Alexey Skolyarov wrote:
>
> Hello Buhake,
>
> Thanks for your answer!
>
> It seems I should explain a bit here -- I'm not asking how to pass the 
> state with multiple values; I'm trying to figure out how an 
> OAuth-2.0-draft-22-compliant server should respond to duplication 
> of the state request parameter.
>
> For instance, what should be returned in response to the following request:
>
> GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=QWE&state=ASD&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
> Host: server.example.com
>
> It's unclear to me whether it should be
>
> HTTP/1.1 302 Found
> Location: https://client.example.com/cb?error=invalid_request
> (without the state completely -- seems to be wrong beforehand)
>
> or
>
> HTTP/1.1 302 Found
> Location: https://client.example.com/cb?error=invalid_request&state=QWE
> (or ASD -- one of the passed states used)
>
> or
>
> HTTP/1.1 302 Found
> Location: https://client.example.com/cb?error=invalid_request&state=QWE%20ASD
> (both, but violates the idea that state should be kept unchanged).
>
> I hope this example could make my question clearer.
>
> Thanks in advance.
>
> -- 
> Best regards, Alexey Skolyarov
>
> From: Buhake Sindi [mailto:buhake@googlemail.com]
> Sent: Monday, December 19, 2011 4:53 PM
> To: Alexey Skolyarov
> Subject: Re: [OAUTH-WG] conflict: error response invalid_request and 
> state parameter duplication
>
> Hi Alexey,
>
> If I'm not mistaken, to declare multiple values in "state", the 
> document states that it should be space-delimited (" "). This is 
> unlike Facebook state which is comma-delimited.
>
> On 19 December 2011 14:41, Alexey Skolyarov <alexey.skolyarov@dins.ru 
> <mailto:alexey.skolyarov@dins.ru>> wrote:
>
> Hello everybody,
>
> Since this is my first post on this list, I'll say a few words about whoami:
>
> My name is Alexey Skolyarov; I work in Saint-Petersburg, Russia. I'm 
> interested in OAuth2 because I found no v2 providers for Jersey 
> <http://jersey.java.net/> except Spring Security, which is much more 
> complex than the 1.0a implementation in Jersey-contrib. Currently I'm 
> under NDA, so I can't say more :(
>
> Nevertheless, we've done a specification study and found a conflict -- in 
> the last paragraph of section 3.1 "Authorization Endpoint" 
> <http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.1> it is 
> mentioned that "Request and response parameters MUST NOT be included 
> more than once".
>
> This statement conflicts with the state parameter definition in section 
> 4.1.2.1 "Error response" 
> <http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.1.2.1>, 
> where it's said that state is "REQUIRED if a valid "state" parameter 
> was present in the client authorization request.  The exact value 
> received from the client".
>
> How should passing state=QWE&state=ASD inside the same request be 
> handled then?
>
> On one hand, it is forbidden to process requests with multiple 
> parameter occurrences.
>
> But on the other hand, the specification requires passing the state if it 
> was found in the request.
>
> Violation of either of these statements can be treated as "partial 
> compliance" with draft-22, so I'm in doubt about which way is preferred there.
>
> What do you guys think?
>
> Thanks in advance.
>
> -- 
> Best regards, Alexey Skolyarov
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
>
> -- 
> The Elite Gentleman
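The handling Justin describes, written out as an added example (this is not code from the thread, from the draft, or from any project): a small Python model of an authorization endpoint that keeps every occurrence of a query parameter instead of silently taking the first or last one, refuses to redirect at all when client_id or redirect_uri cannot be trusted (the draft's rule that a missing, invalid or mismatching redirection URI or client identifier must never be auto-redirected), and otherwise answers a repeated parameter, including a repeated state, with error=invalid_request. The client registry, the function names, and the decision to echo state only when it appeared exactly once (this example's reading of "a valid state parameter") are assumptions of the example, not statements from the thread.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed client registration (an assumption of this example): the
# client_id from Alexey's request, mapped to one registered redirection URI.
REGISTERED_CLIENTS = {"s6BhdRkqt3": "https://client.example.com/cb"}


def query_pairs(request_target):
    """Split a request-target into (path, [(name, value), ...]).

    Every occurrence of a parameter is kept, which is what lets the server
    notice repeats rather than quietly picking the first or last value.
    """
    parts = urlsplit(request_target)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def repeated_names(pairs):
    """Parameter names that occur more than once, sorted."""
    counts = {}
    for name, _ in pairs:
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


def error_redirect(redirect_uri, error, state=None):
    """Build the Location value for a 302 error response.

    The error parameters are appended to the query component of the
    redirection URI; state is echoed only when the caller supplies one.
    """
    parts = urlsplit(redirect_uri)
    extra = [("error", error)]
    if state is not None:
        extra.append(("state", state))
    query = parts.query + ("&" if parts.query else "") + urlencode(extra)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def handle_authorization_request(request_target):
    """Decide how the authorization endpoint answers one GET request.

    Returns (status, location, detail):
      "302" -> redirect the user-agent to `location`
      "400" -> show the error to the resource owner, no redirect
      "ok"  -> request is well-formed; detail holds the parsed parameters
    """
    _, pairs = query_pairs(request_target)
    dups = repeated_names(pairs)
    # Only parameters that appear exactly once have a usable single value.
    single = {name: value for name, value in pairs if name not in dups}

    # The client identity and the redirection URI must be trustworthy before
    # anything is sent to that URI: a missing, repeated or unknown client_id,
    # or a redirect_uri that does not match the registration, is reported to
    # the resource owner and never redirected.
    registered_uri = REGISTERED_CLIENTS.get(single.get("client_id"))
    if registered_uri is None:
        return ("400", None, "missing, repeated or unknown client_id; no redirect")
    if "redirect_uri" in dups:
        return ("400", None, "repeated redirect_uri; no redirect")
    redirect_uri = single.get("redirect_uri", registered_uri)
    if redirect_uri != registered_uri:
        return ("400", None, "redirect_uri does not match registration; no redirect")

    # A state that appears exactly once is echoed unchanged; a repeated state
    # is not treated as "a valid state parameter", so nothing is echoed
    # (this example's reading of the text quoted in the thread).
    state = single.get("state")

    if dups:
        return ("302", error_redirect(redirect_uri, "invalid_request", state),
                "repeated parameter(s): " + ", ".join(dups))
    if "response_type" not in single:
        return ("302", error_redirect(redirect_uri, "invalid_request", state),
                "missing response_type")
    if single["response_type"] != "code":
        return ("302", error_redirect(redirect_uri, "unsupported_response_type", state),
                "response_type is not code")
    return ("ok", None, single)


if __name__ == "__main__":
    # Alexey's request from the thread, with state repeated.
    print(handle_authorization_request(
        "/authorize?response_type=code&client_id=s6BhdRkqt3&state=QWE&state=ASD"
        "&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb"))
```

The ordering matters: the client_id and redirect_uri checks run before the generic repeated-parameter check, so a request whose redirect_uri is repeated or mismatched is never answered with a redirect, even though it would also qualify as invalid_request. A repeated state therefore yields a redirect carrying error=invalid_request and no state, which is the first of the three candidate responses in Alexey's question.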