Re: [OAUTH-WG] Request sent to http: instead of https:`

2010-10-14 Thread Lukas Rosenstock
n > insecure channel. > > EHL > >> -Original Message- >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf >> Of Breno >> Sent: Wednesday, October 13, 2010 11:31 AM >> To: oauth@ietf.org >> Subject: [OAUTH-WG] Request sent

Re: [OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread John Panzer
t; Of William Mills >>> Sent: Wednesday, October 13, 2010 5:05 PM >>> To: Breno; Jeff Lindsay >>> Cc: oauth@ietf.org >>> Subject: Re: [OAUTH-WG] Request sent to http: instead of https:` >>> >>> This rather implies that we're specifyin

Re: [OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread Breno
e- >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf >> Of William Mills >> Sent: Wednesday, October 13, 2010 5:05 PM >> To: Breno; Jeff Lindsay >> Cc: oauth@ietf.org >> Subject: Re: [OAUTH-WG] Request sent to http: instead of https:`

Re: [OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread Luke Shepard
>> Cc: Eran Hammer-Lahav; oauth@ietf.org >> Subject: Re: [OAUTH-WG] Request sent to http: instead of https:` >> >> +1 for language in the spec describing how to handle this case >> >> On Wed, Oct 13, 2010 at 4:12 PM, Jeff Lindsay wrote: >>>>

Re: [OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread Eran Hammer-Lahav
Write it, and I'll get it incorporated. EHL > -Original Message- > From: Breno [mailto:breno.demedei...@gmail.com] > Sent: Wednesday, October 13, 2010 4:49 PM > To: Jeff Lindsay > Cc: Eran Hammer-Lahav; oauth@ietf.org > Subject: Re: [OAUTH-WG] Request sent to

Re: [OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread Eran Hammer-Lahav
esday, October 13, 2010 5:05 PM > To: Breno; Jeff Lindsay > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] Request sent to http: instead of https:` > > This rather implies that we're specifying running a full server on port 80 as > a > "stupid detector". We shoul

Re: [OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread Jeff Lindsay
> This rather implies that we're specifying running a full server on port 80
> as a "stupid detector". We should tread carefully here.

Right, I suppose you're better off not responding on port 80 if possible. But I imagine this could be phrased in Section 5.0 roughly, "if the resource server

Re: [OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread William Mills
This rather implies that we're specifying running a full server on port 80 as a "stupid detector". We should tread carefully here. > +1 for language in the spec describing how to handle this case > > On Wed, Oct 13, 2010 at 4:12 PM, Jeff Lindsay > wrote: > >> Hopefully you also invalidate the

Re: [OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread Breno
rth putting in the spec? > >> >> EHL >> >> > -Original Message- >> > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf >> > Of Breno >> > Sent: Wednesday, October 13, 2010 11:31 AM >> > To: oauth@ietf.org >

Re: [OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread Jeff Lindsay
uth-boun...@ietf.org] On Behalf > > Of Breno > > Sent: Wednesday, October 13, 2010 11:31 AM > > To: oauth@ietf.org > > Subject: [OAUTH-WG] Request sent to http: instead of https:` > > > > Suppose server A documents that their endpoint X is at > > https://serve

Re: [OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread Eran Hammer-Lahav
f.org > Subject: [OAUTH-WG] Request sent to http: instead of https:` > > Suppose server A documents that their endpoint X is at > https://server.example.com/x; there's no service at the corresponding http > location for security reasons. > > Client developer fatfingers URL as

Re: [OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread Marius Scurtescu
On Wed, Oct 13, 2010 at 2:00 PM, Paul Tarjan wrote:
>>> At Facebook we issue an HTTP 400 with "invalid_request" as the error.
>>> http://graph.facebook.com/me?access_token=blah&client_id=150629244948164
>>> (the client_id is to enable draft-10 error messaging).
>>
>> Without client_id you get a

Re: [OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread Paul Tarjan
>> At Facebook we issue an HTTP 400 with "invalid_request" as the error.
>> http://graph.facebook.com/me?access_token=blah&client_id=150629244948164
>> (the client_id is to enable draft-10 error messaging).
>
> Without client_id you get a different error message (JSON as well, but
> not OAuth2

Re: [OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread Marius Scurtescu
On Wed, Oct 13, 2010 at 1:46 PM, Paul Tarjan wrote:
> At Facebook we issue an HTTP 400 with "invalid_request" as the error.
> http://graph.facebook.com/me?access_token=blah&client_id=150629244948164
> (the client_id is to enable draft-10 error messaging).

Without client_id you get a different err

Re: [OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread Paul Tarjan
At Facebook we issue an HTTP 400 with "invalid_request" as the error.
http://graph.facebook.com/me?access_token=blah&client_id=150629244948164
(the client_id is to enable draft-10 error messaging).

On Oct 13, 2010, at 11:

[OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread Breno
Suppose server A documents that their endpoint X is at https://server.example.com/x; there's no service at the corresponding http location for security reasons.

Client developer fatfingers URL as http://server.example.com/x

What is the correct response? I understand that this is out of scope for