IETF Logo Mail Archive

Re: [OAUTH-WG] Section 7.2

Mike Jones <Michael.Jones@microsoft.com> Fri, 15 June 2012 19:06 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FED521F8541 for <oauth@ietfa.amsl.com>; Fri, 15 Jun 2012 12:06:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.765
X-Spam-Level:
X-Spam-Status: No, score=-3.765 tagged_above=-999 required=5 tests=[AWL=-0.166, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jscfh53Ljxi2 for <oauth@ietfa.amsl.com>; Fri, 15 Jun 2012 12:06:55 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe004.messaging.microsoft.com [216.32.181.184]) by ietfa.amsl.com (Postfix) with ESMTP id 1CC9D21F8540 for <oauth@ietf.org>; Fri, 15 Jun 2012 12:06:55 -0700 (PDT)
Received: from mail229-ch1-R.bigfish.com (10.43.68.250) by CH1EHSOBE018.bigfish.com (10.43.70.68) with Microsoft SMTP Server id 14.1.225.23; Fri, 15 Jun 2012 19:05:42 +0000
Received: from mail229-ch1 (localhost [127.0.0.1]) by mail229-ch1-R.bigfish.com (Postfix) with ESMTP id 9CDC7F4044C; Fri, 15 Jun 2012 19:05:42 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC107.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: -29
X-BigFish: VS-29(zz98dI9371I148cI542M1432Izz1202hzz1033IL8275dhz2fh2a8h668h839h944hd25hf0ah)
Received-SPF: pass (mail229-ch1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC107.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail229-ch1 (localhost.localdomain [127.0.0.1]) by mail229-ch1 (MessageSwitch) id 1339787140194639_13327; Fri, 15 Jun 2012 19:05:40 +0000 (UTC)
Received: from CH1EHSMHS020.bigfish.com (snatpool3.int.messaging.microsoft.com [10.43.68.229]) by mail229-ch1.bigfish.com (Postfix) with ESMTP id 231471440046; Fri, 15 Jun 2012 19:05:40 +0000 (UTC)
Received: from TK5EX14HUBC107.redmond.corp.microsoft.com (131.107.125.8) by CH1EHSMHS020.bigfish.com (10.43.70.20) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 15 Jun 2012 19:05:38 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.53]) by TK5EX14HUBC107.redmond.corp.microsoft.com ([157.54.80.67]) with mapi id 14.02.0309.003; Fri, 15 Jun 2012 19:06:34 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: [OAUTH-WG] Section 7.2
Thread-Index: AQHNSnlK4rMFHIKNpEG6QNgV8mtEhJb6Y6gAgAABoQCAACqMcIABJHCAgAAKNEA=
Date: Fri, 15 Jun 2012 19:06:33 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436654F446@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <0CBAEB56DDB3A140BA8E8C124C04ECA201073394@P3PWEX2MB008.ex2.secureserver.net> <4E1F6AAD24975D4BA5B1680429673943665394D7@TK5EX14MBXC284.redmond.corp.microsoft.com> <0CBAEB56DDB3A140BA8E8C124C04ECA2010734C5@P3PWEX2MB008.ex2.secureserver.net> <0CBAEB56DDB3A140BA8E8C124C04ECA201073573@P3PWEX2MB008.ex2.secureserver.net> <4E1F6AAD24975D4BA5B168042967394366539839@TK5EX14MBXC284.redmond.corp.microsoft.com> <3929B3F4-D3B3-4CAB-BB22-CFA5BFBBE8E5@gmx.net>
In-Reply-To: <3929B3F4-D3B3-4CAB-BB22-CFA5BFBBE8E5@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.33]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: "oauth@ietf.org WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Section 7.2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jun 2012 19:06:56 -0000

There are cases where the OAuth specs specifically *prohibit* returning an error code or other error information, for security reasons.  For instance, http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20#section-3.1 contains the language:

   If the request lacks any authentication information (i.e. the client
   was unaware authentication is necessary or attempted using an
   unsupported authentication method), the resource server SHOULD NOT
   include an error code or other error information.

Hence, the SHOULDs, rather than MUSTs.

				-- Mike

-----Original Message-----
From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net] 
Sent: Friday, June 15, 2012 11:28 AM
To: Mike Jones
Cc: Hannes Tschofenig; Eran Hammer; oauth@ietf.org WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Section 7.2

Hi Mike, 

I personally would find it better to have fewer SHOULDs. Most of them have been there for a long time and so it is a bit late to complain but the challenge for protocol architectures is to figure out under what conditions they should do certain things. 

Additionally, I don't buy the argument that a server should not provide error responses (or to be only very brief, or even misleading) for a security point of view because attackers typically know more than ordinary developers or users and so you end up with a system that the normal user is unable to work with (in a failure case) but adversaries nevertheless get what they want. This comment relates to the first sentence that gives me the impression that the server may not send any error message in case of a failure, which sounds strange to me. 

Ciao
Hannes

On Jun 15, 2012, at 4:15 AM, Mike Jones wrote:

> Thanks for writing the text below.  It looks fine to me.  About adding the other error parameters as suggestions, that seems like a reasonable thing to do.  How about the text at the end below, which adds mentions of error_description and error_uri?
>  
> 7.2.  Error Response
>  
>    If a resource access request fails, the resource server SHOULD inform
>    the client of the error.  While the specifics of such error responses
>    are beyond the scope of this specification, this documents establishes
>    a common registry for error values to be shared among OAuth token
>    authentication schemes.
>  
>    New authentication schemes designed primarily for OAuth token
>    authentication SHOULD define a mechanism for providing an
>    error status code to the client, in which the error values allowed are
>    registered in the error registry established by this specification. Such
>    schemes MAY limit the set of valid error codes to a subset of the
>    registered values. If the error code is returned using a named parameter,
>    the parameter name SHOULD be "error".
>  
>    Other schemes capable of being used for OAuth token authentication, but
>    not primarily designed for that purpose, MAY bind their error values to the
>    registry in the same manner.
>  
>    New authentication schemes MAY choose to also specify the use of the
>    "error_description" and "error_uri" parameters to return error information
>    in a manner parallel to their usage in this specification.
>  
>  
>                                                             -- Mike
>  
> P.S.  If you already have the text you wrote in a copy of the draft, you should apply these spelling corrections:
>                desgined -> designed
>                authentiction -> authentication
>  
> -----Original Message-----
> From: Eran Hammer [mailto:eran@hueniverse.com]
> Sent: Thursday, June 14, 2012 3:29 PM
> To: Eran Hammer; Mike Jones; oauth@ietf.org WG (oauth@ietf.org)
> Subject: RE: [OAUTH-WG] Section 7.2
>  
> Mike - if you want to add the other error parameters as suggestions, that would be fine by me.
>  
> EH
>  
> > -----Original Message-----
> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On 
> > Behalf Of Eran Hammer
> > Sent: Thursday, June 14, 2012 3:23 PM
> > To: Mike Jones; oauth@ietf.org WG (oauth@ietf.org)
> > Subject: Re: [OAUTH-WG] Section 7.2
> >
> > 7.2.  Error Response
> >
> >    If a resource access request fails, the resource server SHOULD inform
> >    the client of the error.  While the specifics of such error responses
> >    are beyond the scope of this specification, this documents establishes
> >    a common registry for error values to be shared among OAuth token
> >    authentication schemes.
> >
> >    New authentication schemes desgined primarily for OAuth token
> >    authentiction SHOULD define a mechanism for providing an
> >    error status code to the client, in which the error values allowed are
> >    registered in the error registry established by this specification. Such
> >    schemes MAY limit the set of valid error codes to a subset of the
> >    registered values. If the error code is returned using a named parameter,
> >    the parameter name SHOULD be "error".
> >
> >    Other schemes capable of being used for OAuth token authentication, but
> >    not primarily designed for that purpose, MAY bind their error values to the
> >    registry in the same manner.
> >
> > EH
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email