It does allow some parts of your server config to be discovered. More of a
problem in error responses is usually echoing back the user data, or allowing
user enumeration for example. Care is required, but you don't have a ton of
options here.
________________________________
From: Igor Faynberg <igor.faynb...@alcatel-lucent.com>
To: oauth@ietf.org
Sent: Monday, February 20, 2012 9:37 AM
Subject: Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"
Could there be a potential security hole in providing an error response? (Not
that I see it, but many problems in the past had been caused by helpful
responses.)
Igor
On 2/20/2012 11:57 AM, William Mills wrote:
Respond with an error in protocol. That won't include a redirect, and the
client has to know what to do.
>
>
>
>________________________________
> From: nov matake <n...@matake.jp>
>To: oauth WG <oauth@ietf.org>
>Sent: Monday, February 20, 2012 6:11 AM
>Subject: [OAUTH-WG] Quick question about error response for "response_type=unknown"
>
>Hi OAuthers,
>
>My apologies if you already discussed this.
>
>When an OAuth server receives an unknown response_type, how should the server handle the error?
>
>1. Show the error to the user without redirecting back to the client
>2. Redirect back to the client including the error in query
>3. Redirect back to the client including the error in fragment
>
>Since choosing 2 or 3 is impossible in this case, 1 seems reasonable to me.
>
>
>--
>nov
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
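The decision nov matake asks about and William Mills answers, as an added example that is not code from the thread or from any IETF document: a hypothetical authorization endpoint that first validates client_id and redirect_uri against a constructed registry, then decides how to deliver an error. For a response_type it recognises, the type fixes the encoding (query for the code flow, fragment for the implicit flow), so the error can go back to the validated redirect_uri with the client's state. For a response_type it does not recognise, it cannot know which encoding the client expects, so it follows option 1 and renders a fixed error page without redirecting. The page text is chosen by the server and never echoes raw request parameters, which is the "echoing back the user data" concern Mills raises. The CLIENTS table, the RESPONSE_TYPES map and the authorize() function are assumptions for this example; the `unsupported_response_type` error code is the one RFC 6749 later defined.

```python
from html import escape
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed client registry (stand-in for a real server's database).
CLIENTS = {
    "client-abc": {
        "redirect_uris": {"https://app.example.com/cb"},
        "scopes": {"openid", "profile"},
    },
}

# response_type values this hypothetical server understands, mapped to where
# a redirect-delivered error goes: the query component for the code flow,
# the fragment for the implicit flow (options 2 and 3 in the question).
RESPONSE_TYPES = {"code": "query", "token": "fragment"}


def local_error(error, description):
    """Option 1: show the error to the user, no redirect. Only server-chosen
    text is rendered; raw request parameters are never echoed back."""
    body = f"<h1>Authorization error</h1><p>{escape(error)}: {escape(description)}</p>"
    return {"status": 400, "headers": {}, "body": body}


def redirect_error(redirect_uri, mode, error, state):
    """Options 2/3: deliver the error to an already validated redirect_uri in
    the query or fragment component, preserving the client's state."""
    params = {"error": error}
    if state is not None:
        params["state"] = state
    scheme, netloc, path, query, fragment = urlsplit(redirect_uri)
    encoded = urlencode(params)
    if mode == "query":
        query = f"{query}&{encoded}" if query else encoded
    else:
        fragment = encoded
    location = urlunsplit((scheme, netloc, path, query, fragment))
    return {"status": 302, "headers": {"Location": location}, "body": ""}


def authorize(params):
    """Authorization endpoint decision logic for the hypothetical server.
    Returns a dict with status, headers and body instead of a framework
    response so it can run without a web server."""
    client = CLIENTS.get(params.get("client_id", ""))
    redirect_uri = params.get("redirect_uri", "")
    # Until client_id and redirect_uri match the registration nothing may be
    # redirected: an error here is shown to the user only.
    if client is None or redirect_uri not in client["redirect_uris"]:
        return local_error("invalid_request",
                           "unknown client_id or unregistered redirect_uri")

    mode = RESPONSE_TYPES.get(params.get("response_type", ""))
    if mode is None:
        # Unknown response_type: the server cannot tell whether the client
        # expects the error in the query or the fragment, so it does not
        # guess and does not redirect (option 1).
        return local_error("unsupported_response_type",
                           "response_type is not supported by this server")

    state = params.get("state")
    requested = set(params.get("scope", "").split())
    if not requested <= client["scopes"]:
        # A recognised response_type fixes the encoding, so this error can be
        # sent back to the validated client (option 2 or 3).
        return redirect_error(redirect_uri, mode, "invalid_scope", state)

    # Validation passed; a real server would now authenticate the resource
    # owner and obtain consent before issuing a code or token.
    return {"status": 200, "headers": {}, "body": "<h1>Consent page</h1>"}
```

Validation order matters: the redirect target is established before any decision to redirect, so a forged redirect_uri never receives an error, and a crafted response_type value such as `<script>` neither reaches a redirect nor appears in the locally rendered page.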