IETF Logo Mail Archive

Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication

Alexey Skolyarov <alexey.skolyarov@dins.ru> Mon, 19 December 2011 13:20 UTC

Return-Path: <alexey.skolyarov@dins.ru>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 275F621F8B6D for <oauth@ietfa.amsl.com>; Mon, 19 Dec 2011 05:20:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.172
X-Spam-Level:
X-Spam-Status: No, score=0.172 tagged_above=-999 required=5 tests=[AWL=1.300, BAYES_00=-2.599, HELO_EQ_RU=0.595, HOST_EQ_RU=0.875, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dNVzgmHtUdS6 for <oauth@ietfa.amsl.com>; Mon, 19 Dec 2011 05:20:10 -0800 (PST)
Received: from smtp01.dins.ru (smtp01.dins.ru [193.104.181.104]) by ietfa.amsl.com (Postfix) with ESMTP id 3B83021F8B73 for <oauth@ietf.org>; Mon, 19 Dec 2011 05:20:09 -0800 (PST)
Received: from mail01.dins.ru (ru-led-qatas01ac.dins.ru [192.168.12.108]) by smtp01.dins.ru (Postfix) with ESMTP id 8CB90DB49D9; Mon, 19 Dec 2011 16:20:05 +0300 (MSK)
Received: from MS2.corp.dins.ru ([fe80::f022:21e1:10a0:b75e]) by HUB1.corp.dins.ru ([fe80::58ae:e620:6b29:a68b%11]) with mapi id 14.01.0355.002; Mon, 19 Dec 2011 17:20:07 +0400
From: Alexey Skolyarov <alexey.skolyarov@dins.ru>
To: Buhake Sindi <buhake@googlemail.com>
Thread-Topic: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication
Thread-Index: Acy+S4VYvA+l6ZnUQliB5+O9EKnZ7f//wDsA//+4skA=
Date: Mon, 19 Dec 2011 13:20:07 +0000
Message-ID: <0433F58A304676408A8AF95199AFEB97CC157D@MS2.corp.dins.ru>
References: <0433F58A304676408A8AF95199AFEB97CC1506@MS2.corp.dins.ru> <CABUp4f6Y=cvgM8T0VjuMo3RBC8Q4ru_QtT8Mg+_njud9kC7OOg@mail.gmail.com>
In-Reply-To: <CABUp4f6Y=cvgM8T0VjuMo3RBC8Q4ru_QtT8Mg+_njud9kC7OOg@mail.gmail.com>
Accept-Language: ru-RU, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.14.189]
Content-Type: multipart/alternative; boundary="_000_0433F58A304676408A8AF95199AFEB97CC157DMS2corpdinsru_"
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Dec 2011 13:20:11 -0000

Hello Buhake,

Thanks for your answer!
It seems I should explain a bit here – I’m not about how to pass the state with multiple values, I’m trying to figure out how the OAuth-2.0-draft-22 – compliant server should respond on duplication of state request parameter.

For instance what should be returned in response on following request:
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=QWE&state=ASD&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com

It’s unclear for me should it be
HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=invalid_request (without the state completely – seems to be wrong beforehand)
or
HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=invalid_request&state=QWE ( or ASD - one of passed states used)
or
HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=invalid_request&state=QWE%20ASD (both but violates the idea that state should be kept unchanged).

I hope this example could make my question clearer.

Thanks in advance.
--
Best regards, Alexey Skolyarov


From: Buhake Sindi [mailto:buhake@googlemail.com]
Sent: Monday, December 19, 2011 4:53 PM
To: Alexey Skolyarov
Subject: Re: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication

Hi Alexey,

If I'm not mistaken, to declare multiple values in "state", the document states that it should be space-delimited (" "). This is unlike Facebook state which is comma-delimited.
On 19 December 2011 14:41, Alexey Skolyarov <alexey.skolyarov@dins.ru<mailto:alexey.skolyarov@dins.ru>> wrote:
Hello everybody,

Since this is my first post on this list, I’ll say few words about whoami:
My name is Alexey Skolyarov, I work in Saint-Petersburg, Russia. I’m interested in OAuth2 because I found no v2 providers for Jersey<http://jersey.java.net/> except Spring Security which is much more complex than 1.0a implementation in Jersey-contrib. Currently I’m under NDA, so I can’t say more ☹

Nevertheless we’ve done specification study and found a conflict – in last paragraph of section 3.1. "Authorization Endpoint"<http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.1> it is mentioned that “Request and response parameters MUST NOT be included more than once”.
This statement conflicts with state parameter definition in section 4.1.2.1 "Error response"<http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.1.2.1>, where it’s said that state is “REQUIRED if a valid "state" parameter was present in the client  authorization request.  The exact value received from the client”.

How passing state=QWE&state=ASD inside same request should be handled then?

From one hand it is forbidden to process requests with multiple parameter occurrences.
But from another hand Specification requires to pass the state if it was found in a request.
Violation of any of these statements can be treated as “partial compliance” to draft-22, so I’m in doubt what way is preferred there.

What do you guys think?

Thanks in advance.
--
Best regards, Alexey Skolyarov


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth



--
The Elite Gentleman

v2.23.0 | Report a Bug | By Email