Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"
Igor Faynberg <igor.faynberg@alcatel-lucent.com> Mon, 20 February 2012 17:37 UTC
Return-Path: <igor.faynberg@alcatel-lucent.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2656221F87B6 for <oauth@ietfa.amsl.com>; Mon, 20 Feb 2012 09:37:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.265
X-Spam-Level:
X-Spam-Status: No, score=-7.265 tagged_above=-999 required=5 tests=[AWL=-0.667, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SM851vJm28iS for <oauth@ietfa.amsl.com>; Mon, 20 Feb 2012 09:37:39 -0800 (PST)
Received: from ihemail4.lucent.com (ihemail4.lucent.com [135.245.0.39]) by ietfa.amsl.com (Postfix) with ESMTP id 323EC21F87B3 for <oauth@ietf.org>; Mon, 20 Feb 2012 09:37:39 -0800 (PST)
Received: from usnavsmail4.ndc.alcatel-lucent.com (usnavsmail4.ndc.alcatel-lucent.com [135.3.39.12]) by ihemail4.lucent.com (8.13.8/IER-o) with ESMTP id q1KHbaBQ023641 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Mon, 20 Feb 2012 11:37:36 -0600 (CST)
Received: from umail.lucent.com (umail-ce2.ndc.lucent.com [135.3.40.63]) by usnavsmail4.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q1KHbZ7t002600 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <oauth@ietf.org>; Mon, 20 Feb 2012 11:37:36 -0600
Received: from [135.244.28.45] (faynberg.lra.lucent.com [135.244.28.45]) by umail.lucent.com (8.13.8/TPES) with ESMTP id q1KHbYCW011096; Mon, 20 Feb 2012 11:37:35 -0600 (CST)
Message-ID: <4F4284DD.3030006@alcatel-lucent.com>
Date: Mon, 20 Feb 2012 12:37:33 -0500
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: oauth@ietf.org
References: <58932B8B-2DDE-41D6-A91B-5036CC762C00@matake.jp> <1329757027.28055.YahooMailNeo@web31808.mail.mud.yahoo.com>
In-Reply-To: <1329757027.28055.YahooMailNeo@web31808.mail.mud.yahoo.com>
Content-Type: multipart/alternative; boundary="------------030700050502030407090607"
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.39
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.12
Subject: Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: igor.faynberg@alcatel-lucent.com
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Feb 2012 17:37:43 -0000
Could there be a potential security hole in providing an error response? (Not that I see it, but many problems in the past had been caused by helpful responese.) Igor On 2/20/2012 11:57 AM, William Mills wrote: > Respond with an error in protocol. Thta won't include a redirect, and > the client has to know what to do. > > ------------------------------------------------------------------------ > *From:* nov matake <nov@matake.jp> > *To:* oauth WG <oauth@ietf.org> > *Sent:* Monday, February 20, 2012 6:11 AM > *Subject:* [OAUTH-WG] Quick question about error response for > "response_type=unknown" > > Hi OAuthers, > > My apologies if you already discussed this. > > When OAuth server received unknown response_type, how should the > server handle the error? > > 1. Show the error to the user without redirecting back to the client > 2. Redirect back to the client including the error in query > 3. Redirect back to the client including the error in fragment > > Since choosing 2 or 3 is impossible in this case, 1 seems reasonable > for me. > > > -- > nov > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Quick question about error response fo… nov matake
- Re: [OAUTH-WG] Quick question about error respons… William Mills
- Re: [OAUTH-WG] Quick question about error respons… Igor Faynberg
- Re: [OAUTH-WG] Quick question about error respons… William Mills
- Re: [OAUTH-WG] Quick question about error respons… matake@gmail
- Re: [OAUTH-WG] Quick question about error respons… matake@gmail
- Re: [OAUTH-WG] Quick question about error respons… John Bradley
- Re: [OAUTH-WG] Quick question about error respons… matake@gmail
- Re: [OAUTH-WG] Quick question about error respons… Buhake Sindi
- Re: [OAUTH-WG] Quick question about error respons… Buhake Sindi
- Re: [OAUTH-WG] Quick question about error respons… John Bradley
- Re: [OAUTH-WG] Quick question about error respons… Eran Hammer