Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"
Buhake Sindi <buhake@googlemail.com> Tue, 21 February 2012 11:43 UTC
Oops. Sorry, I believe I should have said, case 2. And why is case 2 impossible? The only time case 1 is valid is if the redirect_uri is invalid.

Buhake Sindi

On 21 February 2012 13:40, Buhake Sindi <buhake@googlemail.com> wrote:
> Hi guys,
>
> OAuth 2, Draft 23, Paragraph 4.1.2.1 clearly states:
>
>> If the request fails due to a missing, invalid, or mismatching redirection
>> URI, or if the client identifier is missing or invalid, the authorization
>> server SHOULD inform the resource owner of the error, and MUST NOT
>> automatically redirect the user-agent to the invalid redirection URI.
>
> So, Case 1 is the only accepted case here.
>
> Buhake Sindi
>
> On 21 February 2012 13:34, matake@gmail <matake@gmail.com> wrote:
>
>> So the answer is "Show the error to the user without redirecting back to
>> the client", right?
>> I'm now developing OAuth2 and OpenID Connect ruby library, and both of
>> them return errors
>>
>> case 1. redirect with error in query if response_type is "code" but it's
>> not supported
>> case 2. redirect with error in fragment if response_type is "token code",
>> "token id_token", "token code id_token" or "code id_token" but it's not
>> supported
>> case 3. otherwise show error to the user without redirect since server
>> cannot understand the response_type at all
>>
>> But other server might not understand some of response_types listed in
>> case 2 at all and choose case 3 in such case.
>> (ie. OAuth servers which don't understand OpenID Connect won't understand
>> "id_token")
>>
>> So I'm afraid that it reduces interoperability, a bit.
>>
>> On 2012/02/21, at 13:22, William Mills wrote:
>>
>> It does allow some parts of your server config to be discovered. More of
>> a problem in error responses is usually echoing back the user data, or
>> allowing user enumeration for example. Care is required, but you don't
>> have a ton of options here.
>>
>> ------------------------------
>> *From:* Igor Faynberg <igor.faynberg@alcatel-lucent.com>
>> *To:* oauth@ietf.org
>> *Sent:* Monday, February 20, 2012 9:37 AM
>> *Subject:* Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"
>>
>> Could there be a potential security hole in providing an error
>> response? (Not that I see it, but many problems in the past had been
>> caused by helpful responses.)
>>
>> Igor
>>
>> On 2/20/2012 11:57 AM, William Mills wrote:
>>
>> Respond with an error in protocol. That won't include a redirect, and
>> the client has to know what to do.
>>
>> ------------------------------
>> *From:* nov matake <nov@matake.jp>
>> *To:* oauth WG <oauth@ietf.org>
>> *Sent:* Monday, February 20, 2012 6:11 AM
>> *Subject:* [OAUTH-WG] Quick question about error response for "response_type=unknown"
>>
>> Hi OAuthers,
>>
>> My apologies if you already discussed this.
>>
>> When an OAuth server receives an unknown response_type, how should the server
>> handle the error?
>>
>> 1. Show the error to the user without redirecting back to the client
>> 2. Redirect back to the client including the error in query
>> 3. Redirect back to the client including the error in fragment
>>
>> Since choosing 2 or 3 is impossible in this case, 1 seems reasonable for
>> me.
>>
>> --
>> nov
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> The Elite Gentleman
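The routing decision the thread is circling around, written out as an added example (this is not code from nov's library or from anyone on the list). It applies the draft 23 section 4.1.2.1 rule Buhake quotes first, so that an unknown client or an unregistered redirect_uri never produces a redirect, and only then applies nov's three cases to the response_type. The client registry, the `route_authorization_request` function and the `SUPPORTED`/`KNOWN_*` sets are assumptions made for the example; the case list itself comes from nov's message, with plain `token` added to the fragment group because the implicit grant always answers in the fragment. The `unsupported_response_type` and `invalid_request` error codes and the requirement to echo `state` are from the draft.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed client registry (hypothetical values, not from the thread):
# client_id -> set of redirection URIs registered for that client.
CLIENTS = {
    "s6BhdRkqt3": {"https://client.example.org/cb"},
}

# response_type values this server implements: plain OAuth 2 only.
SUPPORTED = {frozenset({"code"}), frozenset({"token"})}

# Values the server recognises well enough to know where the error belongs,
# after nov's case list: "code" answers in the query, token-bearing
# combinations answer in the fragment. Plain "token" is added because the
# implicit grant always uses the fragment.
KNOWN_QUERY = {frozenset({"code"})}
KNOWN_FRAGMENT = {
    frozenset({"token"}),
    frozenset({"token", "code"}),
    frozenset({"token", "id_token"}),
    frozenset({"token", "code", "id_token"}),
    frozenset({"code", "id_token"}),
}


def _error_params(code, state):
    """Build the error parameters; state MUST be echoed when the client sent it."""
    params = {"error": code}
    if state is not None:
        params["state"] = state
    return params


def _append_params(redirect_uri, params, in_fragment):
    """Attach parameters to a registered redirection URI, either in its query
    component (keeping any query the client registered) or in its fragment."""
    parts = urlsplit(redirect_uri)
    encoded = urlencode(params)
    if in_fragment:
        return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, encoded))
    query = f"{parts.query}&{encoded}" if parts.query else encoded
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def route_authorization_request(request, supported=SUPPORTED):
    """Decide what the authorization endpoint does with one request.

    `request` is a dict of the request's query parameters. The result is a
    dict whose "action" is "proceed", "redirect" (with "location") or
    "show_error" (rendered to the resource owner, no redirect at all).
    """
    client_id = request.get("client_id")
    redirect_uri = request.get("redirect_uri")
    state = request.get("state")

    # Draft 23, 4.1.2.1: an unknown client or an unregistered redirect_uri is
    # reported to the resource owner; the user-agent is never sent to a URI
    # the server has not verified. This check runs before anything else.
    registered = CLIENTS.get(client_id)
    if registered is None or redirect_uri not in registered:
        return {"action": "show_error", "error": "invalid_request",
                "reason": "unknown client_id or unregistered redirect_uri"}

    # Only now is the redirect target trustworthy enough to carry an error.
    # response_type is a space-delimited, order-independent list of values.
    response_type = frozenset(request.get("response_type", "").split())
    if not response_type:  # response_type is REQUIRED
        params = _error_params("invalid_request", state)
        return {"action": "redirect", "location": _append_params(redirect_uri, params, False)}

    if response_type in supported:
        return {"action": "proceed", "response_type": " ".join(sorted(response_type))}

    params = _error_params("unsupported_response_type", state)
    if response_type in KNOWN_QUERY:       # nov's case 1
        return {"action": "redirect", "location": _append_params(redirect_uri, params, False)}
    if response_type in KNOWN_FRAGMENT:    # nov's case 2
        return {"action": "redirect", "location": _append_params(redirect_uri, params, True)}
    # nov's case 3: the server cannot tell how this client expects its
    # response to be delivered, so it cannot safely redirect at all.
    return {"action": "show_error", "error": "unsupported_response_type",
            "reason": "response_type %r not understood" % " ".join(sorted(response_type))}
```

The ordering is the security point of the thread: the redirect_uri check is independent of the response_type, so it is made first and an invalid target is never redirected to, whatever the response_type says. The `supported` parameter lets the same function model nov's case 1 (a server that recognises `code` but has not implemented it) as well as a server that knows only plain OAuth 2 and therefore lands OpenID Connect combinations in case 3, which is exactly the interoperability gap nov describes.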