Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"

2012-02-20 Thread William Mills
It does allow some parts of your server config to be discovered.  More of a problem in error responses is usually echoing back the user data, or allowing user enumeration for example.  Care is required, but you don't have a ton of options here. From: Igor Fayn

Re: [OAUTH-WG] [apps-discuss] Apps Area review of draft-ietf-oauth-v2-threatmodel-01

2012-02-20 Thread Igor Faynberg
Yet another +1 Igor On 2/20/2012 5:19 PM, André DeMarre wrote: +1 for keeping the rationale easily accessible in non-normative security documents. Doing so is great for everyone, implementors and spec authors alike. Security can be very nuanced, and some countermeasures are easy to overlook. A

Re: [OAUTH-WG] [apps-discuss] Apps Area review of draft-ietf-oauth-v2-threatmodel-01

2012-02-20 Thread André DeMarre
+1 for keeping the rationale easily accessible in non-normative security documents. Doing so is great for everyone, implementors and spec authors alike. Security can be very nuanced, and some countermeasures are easy to overlook. Also, being transparent with security rationale encourages people to

Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"

2012-02-20 Thread Igor Faynberg
Could there be a potential security hole in providing an error response? (Not that I see it, but many problems in the past had been caused by helpful responses.) Igor On 2/20/2012 11:57 AM, William Mills wrote: Respond with an error in protocol. That won't include a redirect, and the client

Re: [OAUTH-WG] Quick question about error response for "response_type=unknown"

2012-02-20 Thread William Mills
Respond with an error in protocol.  That won't include a redirect, and the client has to know what to do. From: nov matake To: oauth WG Sent: Monday, February 20, 2012 6:11 AM Subject: [OAUTH-WG] Quick question about error response for "response_type=unknow

[OAUTH-WG] Quick question about error response for "response_type=unknown"

2012-02-20 Thread nov matake
Hi OAuthers, My apologies if you already discussed this. When OAuth server received unknown response_type, how should the server handle the error? 1. Show the error to the user without redirecting back to the client 2. Redirect back to the client including the error in query 3. Redirect back to