Re: [OAUTH-WG] Adding machine readable errors to SPOP?

Nat Sakimura <sakimura@gmail.com> Fri, 14 November 2014 20:23 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BF8C1AC39D for <oauth@ietfa.amsl.com>; Fri, 14 Nov 2014 12:23:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SBOBANBuODnM for <oauth@ietfa.amsl.com>; Fri, 14 Nov 2014 12:23:28 -0800 (PST)
Received: from mail-ie0-x231.google.com (mail-ie0-x231.google.com [IPv6:2607:f8b0:4001:c03::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 815B91ABD37 for <oauth@ietf.org>; Fri, 14 Nov 2014 12:23:28 -0800 (PST)
Received: by mail-ie0-f177.google.com with SMTP id tp5so18633452ieb.36 for <oauth@ietf.org>; Fri, 14 Nov 2014 12:23:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:from:date:message-id:subject:to:cc :content-type; bh=oxPukLzxz5q0EwvhLaJCxOGO4PpFJ3iIQyuyga8L4XQ=; b=oRe+Uli1G2Omy9Lz80EQrXQVgU6l4fdOtRHPyLSF55D+yYDGusxjS0ahPBVcgM2S1A YbaqHOACjQSseUXBSsnaBnbFi0wAyaeBfRhe7omhJAeyChvJJp70bmX5CIU2CSv5jZq8 r75A0ICcwABu2CplEoovfF9E2MvEa0vcXMBbxtDaIJ7FIQNmRX1NTvXMbXZq3hYqVKkf /RxAylECGwSR2NTO4lcU7p7IkIY+TiP5Lj8iwMlFf0ff7Rcj64jEqaJJJmpE4wjsT+Vm 4Y2jar69wELC1suu8nZuO80ZoY7WndEM6jiuXsJOjDCiAYIdvk+Hso8hhSATscguHu6k mNeQ==
X-Received: by 10.107.11.67 with SMTP id v64mr4348808ioi.76.1415996607596; Fri, 14 Nov 2014 12:23:27 -0800 (PST)
MIME-Version: 1.0
References: <CABzCy2AqUvaJSpA3sKxWp8zs+kkTnq++Kv0a81JpBor825eaKg@mail.gmail.com> <CA+k3eCTF=SnWP2rE7pRCe4ve_KUhZoCj+h7NhRUjjpEpXEWUVA@mail.gmail.com> <CABzCy2Cd1oWuUmvhMnrNKbzHiA447xHjcvd0z=usMMP3tEzRsg@mail.gmail.com> <25AA1078-5A90-41EA-B30C-2E8962214177@ve7jtb.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Fri, 14 Nov 2014 20:23:27 +0000
Message-ID: <CABzCy2AJZzocvb-d7aMoXoGpepZYwKqwbgaiig-xtbLwRap0Hw@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="001a113f9694cc8f3f0507d766ad"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/wdyxqpx-tBjoLnHGun0WDxOegAk
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Adding machine readable errors to SPOP?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Nov 2014 20:23:31 -0000

That pretty much was the conclusion we reached. I believe that it was what
the F2F room inclined to. So, for -04, we added a section on error response
but it doesn't have those granular errors.
On Fri, Nov 14, 2014 at 07:07 John Bradley <ve7jtb@ve7jtb.com> wrote:

> <hatoff> Nat and I discussed it yesterday and I am still personally
> unconvinced that the errors from the authorization endpoint are helpful.
> So I am personally against adding specific errors for S256_unsupported
> </hatoff>
>
> On Nov 14, 2014, at 6:52 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>
> <editorhatoff>I find not much, if any. </editorhatoff >
>
>
> On Fri, Nov 14, 2014 at 06:27 Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
>> I struggle to see the value in adding more fine grained machine readable
>> error messages for this.
>>
>> Do we really want clients to try and negotiate the code_challenge_method
>> using browser redirects? Especially in light of the fact that we'll likely
>> also be discouraging AS's from redirecting on some error conditions when
>> there's no user interaction.
>>
>> On Wed, Nov 12, 2014 at 1:48 PM, Nat Sakimura <sakimura@gmail.com> wrote:
>>
>>> As discussed at F2F today at IETF 91 OAuth WG, there has been some
>>> request to have a more fine grained machine readable error messages.
>>>
>>> Currently, it only returns the error defined in RFC6749 and any more
>>> details is supposed to be returned in error_descripton and error_uri.
>>>
>>> So, I came up with the following proposal. If WG agrees, I would put
>>> text embodying it into the draft-04. Otherwise, I would like to go as is.
>>> You have to speak out to put it in. (I am sending out -03, which we meant
>>> to send before submit freeze, without it..)
>>>
>>> nError response to authorization request
>>> lReturns invalid_request with additional error param spop_error with
>>> the following values:
>>> ▪S256_unsupported
>>> ▪none_unsupported
>>> ▪invalid_code_challenge
>>> Clients MUST NOT accept the downgrade
>>> request through this as it may be a downgrade
>>> attack by a MITM.
>>> nError response to token request
>>> lReturns invalid_request with additional error param spop_error with
>>> the following values:
>>> ▪invalid _code_verifier
>>> ▪verifier_challenge_mismatch
>>> nAuthorization server should return more descriptive information on
>>> lerror_description
>>> lerror_uri
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>