IETF Logo Mail Archive

Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"

John Bradley <ve7jtb@ve7jtb.com> Tue, 21 February 2012 15:45 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A234121F8738 for <oauth@ietfa.amsl.com>; Tue, 21 Feb 2012 07:45:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.08
X-Spam-Level:
X-Spam-Status: No, score=-3.08 tagged_above=-999 required=5 tests=[AWL=-0.366, BAYES_00=-2.599, HTML_FONT_FACE_BAD=0.884, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2WikuJF3RbKS for <oauth@ietfa.amsl.com>; Tue, 21 Feb 2012 07:45:38 -0800 (PST)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 0E95721F867D for <oauth@ietf.org>; Tue, 21 Feb 2012 07:45:37 -0800 (PST)
Received: by ggnq2 with SMTP id q2so3396296ggn.31 for <oauth@ietf.org>; Tue, 21 Feb 2012 07:45:35 -0800 (PST)
Received-SPF: pass (google.com: domain of ve7jtb@ve7jtb.com designates 10.236.79.202 as permitted sender) client-ip=10.236.79.202;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of ve7jtb@ve7jtb.com designates 10.236.79.202 as permitted sender) smtp.mail=ve7jtb@ve7jtb.com
Received: from mr.google.com ([10.236.79.202]) by 10.236.79.202 with SMTP id i50mr36256479yhe.61.1329839135916 (num_hops = 1); Tue, 21 Feb 2012 07:45:35 -0800 (PST)
Received: by 10.236.79.202 with SMTP id i50mr28066133yhe.61.1329839135823; Tue, 21 Feb 2012 07:45:35 -0800 (PST)
Received: from [192.168.1.213] ([190.22.94.172]) by mx.google.com with ESMTPS id g49sm55045248yhk.20.2012.02.21.07.45.31 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 21 Feb 2012 07:45:34 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/signed; boundary="Apple-Mail=_8D816D36-E2DF-4FBA-9E49-47377856BD63"; protocol="application/pkcs7-signature"; micalg="sha1"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <5FC99886-A2D2-4AC0-93E1-4E07B803DDCD@gmail.com>
Date: Tue, 21 Feb 2012 12:45:28 -0300
Message-Id: <48442479-4DC3-498C-A8C1-0358CB88F743@ve7jtb.com>
References: <58932B8B-2DDE-41D6-A91B-5036CC762C00@matake.jp> <1329757027.28055.YahooMailNeo@web31808.mail.mud.yahoo.com> <4F4284DD.3030006@alcatel-lucent.com> <1329798149.78115.YahooMailNeo@web31804.mail.mud.yahoo.com> <56F7111A-B65E-459A-BB8A-ED87CDF1EB4A@gmail.com> <923A754A-100F-4534-BEBB-7EC5E6297B9E@ve7jtb.com> <5FC99886-A2D2-4AC0-93E1-4E07B803DDCD@gmail.com>
To: "matake@gmail" <matake@gmail.com>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQl76ltuKgK7any2Qnq0t4YkhEuQiy2gHAD/Ugj3vdF+kgL3oikApPicmUDysliBhmsGCYI5
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Feb 2012 15:45:42 -0000

Assuming that the preconditions of client_id and redirect_uri being correct are met, and only the response_type is unsupported but known, you would reply to the client in the appropriate way.

If the response_type is unknown then I think the only reasonable thing is to report the error to the resource owner without a redirect. 

This is only my interpretation of the spec.   The OAuth spec is silent on this particular case.

John
On 2012-02-21, at 12:11 PM, matake@gmail wrote:

> So only when sever understand the response_type but doesn't support it, it returns "unsupported_response_type" error.
> It sounds reasonable for me.
> 
> It will make some servers return "unsupported_response_type" with a redirect and some don't, though.
> 
> Thanks.
> 
> On 2012/02/21, at 23:07, John Bradley wrote:
> 
>> If the Authorization server, doesn't understand the response_type and has no other way to determine what sort of flow the client is expecting, I don't see any choice other than returning a error to the user/browser.
>> 
>> In the case of an unknown response_type the client could also be expecting postMessage, or making a direct connection.  You just don't know.
>> 
>> There may be cases that the Authorization server could infer how to reply based on the client_id, if the client perhaps doesn't have a client secret issued to it, you could guess that it is using a fragment encoded flow.
>> 
>> I however don't know that guessing is a good practice.   Probably best to always return an error response without a redirect.
>> 
>> John B.
>> On 2012-02-21, at 8:34 AM, matake@gmail wrote:
>> 
>>> So the answer is "Show the error to the user without redirecting back to the client", right?
>>> I'm now developing OAuth2 and OpenID Connect ruby library, and both of them return errors
>>> 
>>> case 1. redirect with error in query if response_type is "code" but it's not supported
>>> case 2. redirect with error in fragment if response_type is "token code", "token id_token", "token code id_token" or "code id_token" but it's not supported
>>> case 3. otherwise show error to the user without redirect since server cannot understand the response_type at all
>>> 
>>> But other server might not understand some of response_types listed in case 2 at all and choose case 3 in such case.
>>> (ie. OAuth servers which don't understand OpenID Connect won't understand "id_token")
>>> 
>>> So I'm afraid that it reduces interoperability, a bit.
>>> 
>>> On 2012/02/21, at 13:22, William Mills wrote:
>>> 
>>>> I does allow some parts of your server config to be discovered.  More of a problem in error responses is usually echoing back the user data, or allowing user enumeration for example.  Care is required, but you don't have a ton of options here.
>>>> 
>>>> From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
>>>> To: oauth@ietf.org 
>>>> Sent: Monday, February 20, 2012 9:37 AM
>>>> Subject: Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"
>>>> 
>>>> Could there be a potential security hole in providing an error response?  (Not that I see it, but many problems in the past had been caused by helpful responese.)
>>>> 
>>>> Igor
>>>> 
>>>> On 2/20/2012 11:57 AM, William Mills wrote:
>>>>> 
>>>>> Respond with an error in protocol.  Thta won't include a redirect, and the client has to know what to do.
>>>>> 
>>>>> From: nov matake <nov@matake.jp>
>>>>> To: oauth WG <oauth@ietf.org> 
>>>>> Sent: Monday, February 20, 2012 6:11 AM
>>>>> Subject: [OAUTH-WG] Quick question about error response for "response_type=unknown"
>>>>> 
>>>>> Hi OAuthers,
>>>>> 
>>>>> My apologies if you already discussed this.
>>>>> 
>>>>> When OAuth server received unknown response_type, how should the server handle the error?
>>>>> 
>>>>> 1. Show the error to the user without redirecting back to the client
>>>>> 2. Redirect back to the client including the error in query
>>>>> 3. Redirect back to the client including the error in fragment
>>>>> 
>>>>> Since choosing 2 or 3 is impossible in this case, 1 seems reasonable for me.
>>>>> 
>>>>> 
>>>>> --
>>>>> nov
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> 
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>

v2.23.0 | Report a Bug | By Email