IETF Logo Mail Archive

Re: [OAUTH-WG] Adding machine readable errors to SPOP?

Nat Sakimura <sakimura@gmail.com> Fri, 14 November 2014 16:52 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE0721A1AAF for <oauth@ietfa.amsl.com>; Fri, 14 Nov 2014 08:52:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.739
X-Spam-Level:
X-Spam-Status: No, score=-1.739 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tiKj8up26bYr for <oauth@ietfa.amsl.com>; Fri, 14 Nov 2014 08:52:05 -0800 (PST)
Received: from mail-ig0-x233.google.com (mail-ig0-x233.google.com [IPv6:2607:f8b0:4001:c05::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D4CA1A1ABC for <oauth@ietf.org>; Fri, 14 Nov 2014 08:52:05 -0800 (PST)
Received: by mail-ig0-f179.google.com with SMTP id r10so1831791igi.0 for <oauth@ietf.org>; Fri, 14 Nov 2014 08:52:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:from:date:message-id:subject:to:cc :content-type; bh=kxYccLgVPwmSh1qrEqiU/vxMvNKL2//EfmmuBSMFQBk=; b=XqB6558xd88IARz/LzznIeaQ5sUk2WJcgx3qBb0g3dF4zb8w6EITiGJRy5jWx5NJvu L8IXwf229bOrKrJMX0/1Dai71+FJvRq4DjMiVmU1TslZWxsG5t7eU7XwlBDydwFY722h tIQfMkN/iIS8MZV7y7v7LCtu1qI7kTvQuxikMMTz51g29Bn0+x0r9gSiHmRw8FmC7534 LDCVEwCUcH28mn0yysXUlmcl+dMjF46ChIJ8x5bs2nov7T5YJ+2BQEBmG91qXO3ohbhQ iPBWs1Kwqf8/+Oev3gDNVPW9NHjYvsGV0YXOgG0m3F6KVMbcg41en0NA+rQAZXVwGSKh bRBQ==
X-Received: by 10.42.126.82 with SMTP id d18mr5078417ics.54.1415983924245; Fri, 14 Nov 2014 08:52:04 -0800 (PST)
MIME-Version: 1.0
References: <CABzCy2AqUvaJSpA3sKxWp8zs+kkTnq++Kv0a81JpBor825eaKg@mail.gmail.com> <CA+k3eCTF=SnWP2rE7pRCe4ve_KUhZoCj+h7NhRUjjpEpXEWUVA@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Fri, 14 Nov 2014 16:52:03 +0000
Message-ID: <CABzCy2Cd1oWuUmvhMnrNKbzHiA447xHjcvd0z=usMMP3tEzRsg@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary="20cf300e5329d020aa0507d472d2"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/zpEBNVCeN7YQ5_EoDXBcySeW_Kk
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Adding machine readable errors to SPOP?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Nov 2014 16:52:07 -0000

<editorhatoff>I find not much, if any. </editorhatoff >


On Fri, Nov 14, 2014 at 06:27 Brian Campbell <bcampbell@pingidentity.com>
wrote:

> I struggle to see the value in adding more fine grained machine readable
> error messages for this.
>
> Do we really want clients to try and negotiate the code_challenge_method
> using browser redirects? Especially in light of the fact that we'll likely
> also be discouraging AS's from redirecting on some error conditions when
> there's no user interaction.
>
> On Wed, Nov 12, 2014 at 1:48 PM, Nat Sakimura <sakimura@gmail.com> wrote:
>
>> As discussed at F2F today at IETF 91 OAuth WG, there has been some
>> request to have a more fine grained machine readable error messages.
>>
>> Currently, it only returns the error defined in RFC6749 and any more
>> details is supposed to be returned in error_descripton and error_uri.
>>
>> So, I came up with the following proposal. If WG agrees, I would put text
>> embodying it into the draft-04. Otherwise, I would like to go as is. You
>> have to speak out to put it in. (I am sending out -03, which we meant to
>> send before submit freeze, without it..)
>>
>> nError response to authorization request
>> lReturns invalid_request with additional error param spop_error with the
>> following values:
>> ▪S256_unsupported
>> ▪none_unsupported
>> ▪invalid_code_challenge
>>
>> Clients MUST NOT accept the downgrade
>>
>> request through this as it may be a downgrade
>>
>> attack by a MITM.
>> nError response to token request
>> lReturns invalid_request with additional error param spop_error with the
>> following values:
>> ▪invalid _code_verifier
>> ▪verifier_challenge_mismatch
>> nAuthorization server should return more descriptive information on
>> lerror_description
>> lerror_uri
>>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>

v2.23.0 | Report a Bug | By Email