Hi guys, OAuth 2, Draft 23, Paragraph 4.1.2.1 clearly states:
If the request fails due to a missing, invalid, or mismatching redirection > URI, or if the client > identifier is missing or invalid, the authorization server SHOULD inform > the resource owner of > the error, and MUST NOT automatically redirect the user-agent to the > invalid redirection URI. > So, Case 1 is the only accepted case here. Buhake Sindi On 21 February 2012 13:34, matake@gmail <mat...@gmail.com> wrote: > So the answer is "Show the error to the user without redirecting back to > the client", right? > I'm now developing OAuth2 and OpenID Connect ruby library, and both of > them return errors > > case 1. redirect with error in query if response_type is "code" but it's > not supported > case 2. redirect with error in fragment if response_type is "token code", > "token id_token", "token code id_token" or "code id_token" but it's not > supported > case 3. otherwise show error to the user without redirect since server > cannot understand the response_type at all > > But other server might not understand some of response_types listed in > case 2 at all and choose case 3 in such case. > (ie. OAuth servers which don't understand OpenID Connect won't understand > "id_token") > > So I'm afraid that it reduces interoperability, a bit. > > On 2012/02/21, at 13:22, William Mills wrote: > > I does allow some parts of your server config to be discovered. More of a > problem in error responses is usually echoing back the user data, or > allowing user enumeration for example. Care is required, but you don't > have a ton of options here. > > ------------------------------ > *From:* Igor Faynberg <igor.faynb...@alcatel-lucent.com> > *To:* oauth@ietf.org > *Sent:* Monday, February 20, 2012 9:37 AM > *Subject:* Re: [OAUTH-WG] Quick question about error response for > "response_type=unknown" > > Could there be a potential security hole in providing an error > response? (Not that I see it, but many problems in the past had been > caused by helpful responese.) > > Igor > > On 2/20/2012 11:57 AM, William Mills wrote: > > Respond with an error in protocol. Thta won't include a redirect, and > the client has to know what to do. > > ------------------------------ > *From:* nov matake <n...@matake.jp> <n...@matake.jp> > *To:* oauth WG <oauth@ietf.org> <oauth@ietf.org> > *Sent:* Monday, February 20, 2012 6:11 AM > *Subject:* [OAUTH-WG] Quick question about error response for > "response_type=unknown" > > Hi OAuthers, > > My apologies if you already discussed this. > > When OAuth server received unknown response_type, how should the server > handle the error? > > 1. Show the error to the user without redirecting back to the client > 2. Redirect back to the client including the error in query > 3. Redirect back to the client including the error in fragment > > Since choosing 2 or 3 is impossible in this case, 1 seems reasonable for > me. > > > -- > nov > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
