Is S256_unsupported or algorithm_unsupported the better error description? I’m asking because I also expect that at some point in the approval process for this document you’ll be asked to support algorithm agility (for instance, being able to use SHA-3-256).
-- Mike

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura
Sent: Wednesday, November 12, 2014 10:49 AM
To: oauth
Subject: [OAUTH-WG] Adding machine readable errors to SPOP?

As discussed at F2F today at IETF 91 OAuth WG, there has been some request to have more fine-grained machine-readable error messages. Currently, it only returns the error defined in RFC6749, and any more details are supposed to be returned in error_description and error_uri.

So, I came up with the following proposal. If WG agrees, I would put text embodying it into the draft-04. Otherwise, I would like to go as is. You have to speak out to put it in. (I am sending out -03, which we meant to send before submit freeze, without it.)

• Error response to authorization request
  • Returns invalid_request with additional error param spop_error with the following values:
    ▪ S256_unsupported
    ▪ none_unsupported
    ▪ invalid_code_challenge
  Clients MUST NOT accept the downgrade request through this as it may be a downgrade attack by a MITM.
• Error response to token request
  • Returns invalid_request with additional error param spop_error with the following values:
    ▪ invalid_code_verifier
    ▪ verifier_challenge_mismatch
• Authorization server should return more descriptive information on
  • error_description
  • error_uri
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
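
One way a client could apply the "MUST NOT accept the downgrade request" rule to the spop_error values proposed above. This is an added example, not part of the thread or of any draft text; the strength ranking of the methods, the function name next_action and the sample redirect URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed strength ranking of the two methods named in the proposal (higher = stronger).
STRENGTH = {"none": 0, "S256": 1}
# spop_error values the proposal lists for the authorization response.
UNSUPPORTED = {"S256_unsupported": "S256", "none_unsupported": "none"}


def next_action(redirect_url, expected_state, method_sent, client_methods):
    """Decide what to do with an authorization error redirect.

    Returns ("retry", method), ("abort", reason) or ("ignore", reason).
    The redirect travels through the user agent, so its content is untrusted
    input: it may stop the flow or strengthen it, never weaken it.
    """
    query = parse_qs(urlsplit(redirect_url).query)
    get = lambda name: query.get(name, [None])[0]

    if get("state") != expected_state:
        return ("ignore", "state mismatch, not a response to this request")
    if get("error") != "invalid_request":
        return ("abort", "unhandled error: %s" % get("error"))

    spop = get("spop_error")
    if spop == "invalid_code_challenge":
        return ("abort", "server rejected code_challenge")
    rejected = UNSUPPORTED.get(spop)
    if rejected is None:
        return ("abort", "invalid_request without a known spop_error")
    if rejected != method_sent:
        return ("abort", "spop_error names %s but %s was sent" % (rejected, method_sent))

    # Only methods at least as strong as the one already sent are candidates.
    candidates = [m for m in client_methods
                  if m != rejected and STRENGTH.get(m, -1) >= STRENGTH[method_sent]]
    if candidates:
        return ("retry", max(candidates, key=STRENGTH.get))
    return ("abort", "refusing downgrade from %s" % method_sent)


# Constructed sample redirects (client.example and the state value are made up).
FORGED = "https://client.example/cb?error=invalid_request&spop_error=S256_unsupported&state=af0ifjsldkj"
UPGRADE = "https://client.example/cb?error=invalid_request&spop_error=none_unsupported&state=af0ifjsldkj"

if __name__ == "__main__":
    print(next_action(FORGED, "af0ifjsldkj", "S256", ["none", "S256"]))
    print(next_action(UPGRADE, "af0ifjsldkj", "none", ["none", "S256"]))
```
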