Re: [OAUTH-WG] draft-ietf-oauth-revocation-04

Sat, 26 Jan 2013 09:37:50 -0800 

Hi Hannes,

Am 11.01.2013 09:18, schrieb Hannes Tschofenig:

Thank you Torsten for updating the document.

Two issues have been raised:

1) Terminology: Authorization vs. access grant vs. authorization grant

There is a little bit of email exchange on that topic:
http://www.ietf.org/mail-archive/web/oauth/current/msg10426.html

I personally don't have an opinion on the terminology in this case.


I propose to change the term to "authorization grant". Any disagreement?


2) invalid_token error code

As mentioned on the list, a new error code has to be registered (which is not a 
big deal). Re-using an error code with different semantic is of course 
confusing.

Re-using an already defined error code and to provide additional text in the 
error_description is fine as long as the description relates to the originally 
defined error description. In the case of the invalid_request error code RFC 
6749 defines it as

    invalid_request
                The request is missing a required parameter, includes an
                invalid parameter value, includes a parameter more than
                once, or is otherwise malformed.

and RFC 6750 says:

    invalid_request
          The request is missing a required parameter, includes an
          unsupported parameter or parameter value, repeats the same
          parameter, uses more than one method for including an access
          token, or is otherwise malformed.  The resource server SHOULD
          respond with the HTTP 400 (Bad Request) status code.
Peter and George suggested a new error code "invalid_parameter". Do you suggest to reuse the "invalid_request" error code instead? 

Another question came into my mind. According to RFC 6749,

"Extension error codes MUST be registered (following the procedures in
   Section 11.4  <http://tools.ietf.org/html/rfc6749#section-11.4>) if the 
extension they are used in conjunction with is a
   registered access token type, a registered endpoint parameter, or an
   extension grant type.  Error codes used with unregistered extensions
   MAY be registered."

Is this rule really applicable to the revocation I-D, since it defines a 
completly new endpoint?

regards,
Torsten.


Let us know how you want to proceed on these two issues.

Ciao
Hannes
_______________________________________________ 
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth



_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to