Write it, and I'll get it incorporated. EHL
> -----Original Message----- > From: Breno [mailto:breno.demedei...@gmail.com] > Sent: Wednesday, October 13, 2010 4:49 PM > To: Jeff Lindsay > Cc: Eran Hammer-Lahav; oauth@ietf.org > Subject: Re: [OAUTH-WG] Request sent to http: instead of https:` > > +1 for language in the spec describing how to handle this case > > On Wed, Oct 13, 2010 at 4:12 PM, Jeff Lindsay <progr...@twilio.com> wrote: > >> Hopefully you also invalidate the token (if bearer) since it was send > >> over an insecure channel. > > > > Excuse my naivety, but perhaps that's worth putting in the spec? > > > >> > >> EHL > >> > >> > -----Original Message----- > >> > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On > >> > Behalf Of Breno > >> > Sent: Wednesday, October 13, 2010 11:31 AM > >> > To: oauth@ietf.org > >> > Subject: [OAUTH-WG] Request sent to http: instead of https:` > >> > > >> > Suppose server A documents that their endpoint X is at > >> > https://server.example.com/x; there's no service at the > >> > corresponding http location for security reasons. > >> > > >> > Client developer fatfingers URL as http://server.example.com/x > >> > > >> > What is the correct response? I understand that this is out of > >> > scope for the spec, but maybe there's agreement on some guidance? > >> > > >> > One thing one shouldn't do is serve a 302 here; it would allow > >> > defective clients to remain unpatched. > >> > > >> > My preference is to simply return a bare 403 or 404 here -- after > >> > all the endpoint does not exist (404) or if one uses the convention > >> > that resources at http/https are usually identical, then http is a > >> > non-authorized method to access the resource (403). > >> > > >> > Thoughts? > >> > > >> > -- > >> > Breno de Medeiros > >> > _______________________________________________ > >> > OAuth mailing list > >> > OAuth@ietf.org > >> > https://www.ietf.org/mailman/listinfo/oauth > >> _______________________________________________ > >> OAuth mailing list > >> OAuth@ietf.org > >> https://www.ietf.org/mailman/listinfo/oauth > > > > > > > > -- > Breno de Medeiros _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
