Re: [OAUTH-WG] WRAP session fixation?

Brian Eaton <beaton@google.com> Wed, 25 November 2009 02:18 UTC

In-Reply-To: <C731D315.18C2C%lshepard@facebook.com>
References: <daf5b9570911241758p35206df7xf7bf7f245087f726@mail.gmail.com> <C731D315.18C2C%lshepard@facebook.com>
Date: Tue, 24 Nov 2009 18:17:54 -0800
Message-ID: <daf5b9570911241817p3572e747gbc5e359b0bcd9df1@mail.gmail.com>
From: Brian Eaton <beaton@google.com>
To: Luke Shepard <lshepard@facebook.com>
Cc: Brent Goldman <brent@facebook.com>, Naitik Shah <naitik@facebook.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WRAP session fixation?

On Tue, Nov 24, 2009 at 6:14 PM, Luke Shepard <lshepard@facebook.com> wrote:
> Yup, that’s basically what we do today- throw an error and don’t return. But
> this is less than ideal.
>
> We have discussed that we’d probably like to return, but with an error
> message. This would be in section 5.4.4 of the spec (“Authorization server
> directs user back to the client”) we would like to pass additional
> parameters for the error message- something other than user_denied, but
> which indicates that the application was just misconfigured.

I guess it depends on the business requirements that led to callback
URL preregistration.  Some sites require callback URL registration so
they don't need to redirect to unknown third-party sites... in which
case redirecting with an error message doesn't really fix the issue.

Other sites require callback URL registration for security reasons, in
which case an error message is just fine.

Cheers,
Brian
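The policy discussed above (never redirect to an unregistered callback, but carry an error such as user_denied back to a registered one), as an added Python example that is not part of this thread or of any WRAP implementation; the client registry, the handler's shape and the wrap_error_reason / wrap_verification_code parameter names are assumptions.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed registry: client_id -> callback URLs registered out of band.
REGISTERED_CALLBACKS = {
    "client-123": {"https://app.example.com/oauth/cb"},
}


def is_registered_callback(client_id, callback):
    """Exact string match only: no prefix, wildcard or host-only matching,
    so path tricks like '/cb/../x' or an extra query string do not pass."""
    return callback in REGISTERED_CALLBACKS.get(client_id, set())


def redirect_with_params(callback, params):
    """Append params to the query string of an already-validated callback."""
    parts = urlsplit(callback)
    query = parts.query + ("&" if parts.query else "") + urlencode(params)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def handle_authorization(client_id, callback, user_approved):
    """Decide what the authorization server does at the end of the user step.

    Returns ('render_error', reason) when the server must stop and show its own
    error page, or ('redirect', url) when it may send the user back to the client.
    An unregistered callback is never a redirect target: for sites that register
    callbacks precisely so they never redirect to unknown third parties,
    redirecting there even with an error would defeat the purpose.
    """
    if not is_registered_callback(client_id, callback):
        return ("render_error", "unregistered_callback")
    if not user_approved:
        # Registered callback, so an error can safely travel back to the client.
        return ("redirect", redirect_with_params(callback, {"wrap_error_reason": "user_denied"}))
    # Constructed placeholder; a real server mints a fresh, single-use code here.
    return ("redirect", redirect_with_params(callback, {"wrap_verification_code": "EXAMPLE-CODE"}))
```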