The spec already says that you can't repeat request parameters on the
line like that, so that's an invalid_request error, as described in
section 5.2:
5.2. Error Response
The authorization server responds with an HTTP 400 (Bad Request)
status code and includes the following parameters with the response:
error
REQUIRED. A single error code from the following:
invalid_request
The request is missing a required parameter, includes an
unsupported parameter value, repeats a parameter,
includes multiple credentials, utilizes more than one
mechanism for authenticating the client, or is otherwise
malformed.
-- Justin
On 12/19/2011 08:20 AM, Alexey Skolyarov wrote:
Hello Buhake,
Thanks for your answer!
It seems I should explain a bit here -- I'm not asking about how to pass the
state with multiple values, I'm trying to figure out how an
OAuth-2.0-draft-22-compliant server should respond to duplication
of the state request parameter.
For instance, what should be returned in response to the following request:
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=QWE&state=ASD&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
It's unclear to me whether it should be
HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=invalid_request
(without the state completely -- seems to be wrong beforehand)
or
HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=invalid_request&state=QWE
(or ASD -- one of the passed states used)
or
HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=invalid_request&state=QWE%20ASD
(both, but this violates the idea that the state should be kept unchanged).
I hope this example could make my question clearer.
Thanks in advance.
--
Best regards, Alexey Skolyarov
From: Buhake Sindi [mailto:buh...@googlemail.com]
Sent: Monday, December 19, 2011 4:53 PM
To: Alexey Skolyarov
Subject: Re: [OAUTH-WG] conflict: error response invalid_request and
state parameter duplication
Hi Alexey,
If I'm not mistaken, to declare multiple values in "state", the
document states that it should be space-delimited (" "). This is
unlike Facebook state which is comma-delimited.
On 19 December 2011 14:41, Alexey Skolyarov <alexey.skolya...@dins.ru> wrote:
Hello everybody,
Since this is my first post on this list, I'll say a few words about whoami:
My name is Alexey Skolyarov, I work in Saint-Petersburg, Russia. I'm
interested in OAuth2 because I found no v2 providers for Jersey
<http://jersey.java.net/> except Spring Security, which is much more
complex than the 1.0a implementation in Jersey-contrib. Currently I'm
under NDA, so I can't say more.
Nevertheless, we've done a specification study and found a conflict -- in
the last paragraph of section 3.1 "Authorization Endpoint"
<http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.1> it is
mentioned that "Request and response parameters MUST NOT be included
more than once".
This statement conflicts with the state parameter definition in section
4.1.2.1 "Error response"
<http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.1.2.1>,
where it is said that state is "REQUIRED if a valid "state" parameter
was present in the client authorization request. The exact value
received from the client".
How should passing state=QWE&state=ASD inside the same request be
handled then?
On one hand, it is forbidden to process requests with multiple
parameter occurrences.
On the other hand, the specification requires passing the state if it
was found in a request.
Violation of either of these statements can be treated as "partial
compliance" with draft-22, so I'm in doubt which way is preferred.
What do you guys think?
Thanks in advance.
--
Best regards, Alexey Skolyarov
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--
The Elite Gentleman
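An added example, not code from this thread or from any of its posters, showing in Python how an authorization server could apply the reading Justin gives: any repeated query parameter makes the request malformed and is answered with error=invalid_request. The sample request is the one from the thread; the client registry, the 400-instead-of-redirect policy for an untrusted redirect_uri, and the choice to echo state only when it appeared exactly once are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample: the request-target from the thread, as the server sees it.
SAMPLE_TARGET = ("/authorize?response_type=code&client_id=s6BhdRkqt3"
                 "&state=QWE&state=ASD"
                 "&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb")

# Hypothetical client registry: client_id -> registered redirection URIs.
REGISTERED_REDIRECT_URIS = {"s6BhdRkqt3": {"https://client.example.com/cb"}}


def repeated_params(query):
    """Names of query parameters that occur more than once (draft-22, 3.1)."""
    values = parse_qs(query, keep_blank_values=True)
    return sorted(name for name, seen in values.items() if len(seen) > 1)


def error_redirect(redirect_uri, error, state=None):
    """Add error (and state, when given) to the client's redirection URI query."""
    parts = urlsplit(redirect_uri)
    extra = {"error": error}
    if state is not None:
        extra["state"] = state
    query = "&".join(q for q in (parts.query, urlencode(extra)) if q)
    return urlunsplit(parts._replace(query=query))


def handle_authorize(target):
    """Return (status, location) for an authorization request-target: 200 means
    the parameters validated and a real server would continue to resource-owner
    authentication; 302 carries an error redirect; 400 means no trustworthy
    redirection URI could be established, so the user agent is not redirected."""
    query = urlsplit(target).query
    params = parse_qs(query, keep_blank_values=True)
    client_id = params.get("client_id", [])
    redirect = params.get("redirect_uri", [])
    # Assumed policy: a missing, repeated or unregistered client_id/redirect_uri
    # must not cause a redirect carrying the error to an unverified location.
    if len(client_id) != 1 or len(redirect) != 1:
        return 400, None
    if redirect[0] not in REGISTERED_REDIRECT_URIS.get(client_id[0], set()):
        return 400, None
    # Assumed reading of the thread's question: a repeated "state" is not a
    # "valid state parameter", so nothing is echoed; a single one is echoed.
    states = params.get("state", [])
    state = states[0] if len(states) == 1 else None
    if repeated_params(query):
        return 302, error_redirect(redirect[0], "invalid_request", state)
    return 200, None
```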