[OAUTH-WG] conflict: error response invalid_request and state parameter duplication

Alexey Skolyarov <alexey.skolyarov@dins.ru> Mon, 19 December 2011 12:41 UTC

From: Alexey Skolyarov <alexey.skolyarov@dins.ru>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 19 Dec 2011 12:41:25 +0000
Message-ID: <0433F58A304676408A8AF95199AFEB97CC1506@MS2.corp.dins.ru>
Subject: [OAUTH-WG] conflict: error response invalid_request and state parameter duplication

Hello everybody,

Since this is my first post on this list, I’ll say a few words about whoami:
My name is Alexey Skolyarov, I work in Saint-Petersburg, Russia. I’m interested in OAuth2 because I found no v2 providers for Jersey <http://jersey.java.net/> except Spring Security, which is much more complex than the 1.0a implementation in Jersey-contrib. Currently I’m under NDA, so I can’t say more ☹

Nevertheless, we’ve done a specification study and found a conflict: in the last paragraph of section 3.1 "Authorization Endpoint" <http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.1> it is mentioned that “Request and response parameters MUST NOT be included more than once”.
This statement conflicts with the state parameter definition in section "Error response" <http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section->, where it is said that state is “REQUIRED if a valid "state" parameter was present in the client authorization request. The exact value received from the client”.

How should passing state=QWE&state=ASD inside the same request be handled, then?

On the one hand, it is forbidden to process requests with multiple parameter occurrences.
On the other hand, the specification requires passing the state back if it was found in the request.
Violating either of these statements can be treated as “partial compliance” with draft-22, so I’m in doubt as to which way is preferred.

What do you guys think?

Thanks in advance.
Best regards, Alexey Skolyarov
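To make the conflict concrete, the following is an added example (written for this page; it is not code from the thread, from draft-22, or from any Jersey or Spring Security implementation) of an authorization-endpoint validator that keeps every occurrence of every query parameter, so that duplicates such as state=QWE&state=ASD are visible instead of being silently collapsed to "first wins" or "last wins" by a framework. It rejects any duplicated parameter with invalid_request, refuses to redirect at all when client_id or redirect_uri is unusable, and leaves the open question from the message, whether to echo one of two states or none, as an explicit policy knob rather than deciding it for the reader. The client registry, the `duplicate_state_policy` parameter and the sample queries are assumptions constructed for the example.

```python
"""Authorization-endpoint handling of duplicated request parameters.

Added example, not part of the original thread. Assumes one pre-registered
redirect_uri per client and an authorization server that treats any parameter
appearing more than once as invalid_request (draft-22 section 3.1). How to
echo "state" when "state" itself is duplicated is left as a knob, because the
draft text does not settle it.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample registration; a real server looks this up per client_id.
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {"redirect_uri": "https://client.example.com/cb"},
}


def parse_query(query):
    """Split the raw query string, keeping every occurrence so duplicates show up."""
    values = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        values.setdefault(name, []).append(value)
    return values


def error_redirect(redirect_uri, error, description, state=None):
    """Build the error-response redirect; state is appended only when we have one."""
    params = [("error", error), ("error_description", description)]
    if state is not None:
        params.append(("state", state))
    joiner = "&" if urlsplit(redirect_uri).query else "?"
    return redirect_uri + joiner + urlencode(params)


def handle_authorization_request(query, duplicate_state_policy="omit"):
    """Return ('render', msg) when there is no safe redirect target,
    ('redirect', location) for an error redirect, or ('proceed', info)
    for a request that passed validation.

    duplicate_state_policy is an assumed knob: 'omit' echoes no state when
    state was duplicated, 'first' echoes the first occurrence.
    """
    values = parse_query(query)
    duplicated = sorted(name for name, occ in values.items() if len(occ) > 1)

    # A missing, duplicated or unknown client_id / redirect_uri gives no trusted
    # place to redirect to, so the error is shown to the resource owner instead.
    client_ids = values.get("client_id", [])
    if len(client_ids) != 1 or client_ids[0] not in REGISTERED_CLIENTS:
        return ("render", "invalid_request: missing, duplicated or unknown client_id")
    registered_uri = REGISTERED_CLIENTS[client_ids[0]]["redirect_uri"]
    redirect_uris = values.get("redirect_uri", [registered_uri])
    if len(redirect_uris) != 1 or redirect_uris[0] != registered_uri:
        return ("render", "invalid_request: missing, duplicated or mismatching redirect_uri")
    redirect_uri = redirect_uris[0]

    # Exactly one state is the only unambiguous case; duplicates follow the policy.
    states = values.get("state", [])
    if len(states) == 1 or (len(states) > 1 and duplicate_state_policy == "first"):
        state = states[0]
    else:
        state = None

    if duplicated:
        return ("redirect", error_redirect(
            redirect_uri, "invalid_request",
            "parameter included more than once: " + ", ".join(duplicated), state))
    if values.get("response_type") != ["code"]:
        return ("redirect", error_redirect(
            redirect_uri, "unsupported_response_type",
            "only response_type=code is supported", state))
    # Validation passed; a real server would now authenticate the resource owner.
    return ("proceed", {"client_id": client_ids[0],
                        "redirect_uri": redirect_uri, "state": state})


if __name__ == "__main__":
    # Constructed sample: the exact case raised in the message.
    print(handle_authorization_request(
        "response_type=code&client_id=s6BhdRkqt3&state=QWE&state=ASD"))
```

Whatever policy a server picks for a duplicated state, the important property is that it is chosen deliberately and applied before any framework-level parameter map discards one of the values; a server that echoes whichever state its query parser happened to keep may return a value the client never intended to use for its CSRF check.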