Could there be a potential security hole in providing an error
response? (Not that I see it, but many problems in the past had been
caused by helpful responses.)
Igor
On 2/20/2012 11:57 AM, William Mills wrote:
Respond with an error in protocol. That won't include a redirect, and
the client has to know what to do.
------------------------------------------------------------------------
*From:* nov matake <n...@matake.jp>
*To:* oauth WG <oauth@ietf.org>
*Sent:* Monday, February 20, 2012 6:11 AM
*Subject:* [OAUTH-WG] Quick question about error response for
"response_type=unknown"
Hi OAuthers,
My apologies if you already discussed this.
When an OAuth server receives an unknown response_type, how should the
server handle the error?
1. Show the error to the user without redirecting back to the client
2. Redirect back to the client including the error in query
3. Redirect back to the client including the error in fragment
Since choosing 2 or 3 is impossible in this case, 1 seems reasonable
to me.
--
nov
_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
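Option 1 from the question above (show the error to the user, no redirect), as an added sketch that is not part of the thread or of any OAuth implementation. The handler names, the supported set and the escaping and truncation of the echoed value are assumptions of this example, included because the error page reflects request input.

```python
import html

# Assumed for this sketch: the response types this server implements.
SUPPORTED_RESPONSE_TYPES = {"code", "token"}


def authorization_error_page(message):
    """Render a local error page: HTTP 400 and no Location header."""
    body = "<h1>Authorization request rejected</h1><p>%s</p>" % html.escape(message)
    return {
        "status": 400,
        "headers": {
            "Content-Type": "text/html; charset=utf-8",
            "Cache-Control": "no-store",
        },
        "body": body,
    }


def handle_authorization_request(params):
    """Hypothetical authorization-endpoint handler.

    params: dict of already-decoded query parameters.
    """
    response_type = params.get("response_type", "")
    if response_type not in SUPPORTED_RESPONSE_TYPES:
        # Unknown response_type: answer on the server itself.
        # redirect_uri is never read on this path, and the request-supplied
        # value is truncated and escaped before being echoed, so the error
        # page neither redirects nor reflects markup.
        return authorization_error_page(
            "Unsupported response_type: %r" % response_type[:64]
        )
    # Known response_type: continue with the normal flow (not shown here).
    return {"status": 200, "headers": {}, "body": "continue to consent"}


if __name__ == "__main__":
    # Constructed sample request, not taken from the thread.
    sample = {
        "response_type": "unknown",
        "client_id": "example-client",
        "redirect_uri": "https://client.example/cb",
    }
    print(handle_authorization_request(sample))
```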