Is S256_unsupported or algorithm_unsupported the better error description? I’m
asking because I also expect that at some point in the approval process for
this document you’ll be asked to support algorithm agility (for instance, being
able to use SHA-3-256).
-- Mike
From: OAuth [mailto:[email protected]] On Behalf Of Nat Sakimura
Sent: Wednesday, November 12, 2014 10:49 AM
To: oauth
Subject: [OAUTH-WG] Adding machine readable errors to SPOP?
As discussed at the F2F today at the IETF 91 OAuth WG, there has been some request to
have more fine-grained, machine-readable error messages.
Currently, it only returns the errors defined in RFC6749, and any further details are
supposed to be returned in error_description and error_uri.
So, I came up with the following proposal. If the WG agrees, I would put text
embodying it into draft-04. Otherwise, I would like to go as is. You have
to speak out to put it in. (I am sending out -03, which we meant to send before
the submit freeze, without it.)
• Error response to authorization request
  Returns invalid_request with an additional error param spop_error with the
  following values:
    ▪ S256_unsupported
    ▪ none_unsupported
    ▪ invalid_code_challenge
  Clients MUST NOT accept the downgrade request through this, as it may be a
  downgrade attack by a MITM.
• Error response to token request
  Returns invalid_request with an additional error param spop_error with the
  following values:
    ▪ invalid_code_verifier
    ▪ verifier_challenge_mismatch
• Authorization server should return more descriptive information in
    ▪ error_description
    ▪ error_uri
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
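The proposal above is easier to evaluate with both ends of the exchange in front of you. The following is an added example, not text from the draft or from anyone in this thread: a toy authorization server that reports the proposed spop_error values on the authorization and token requests, plus a client that stops rather than downgrade when it receives one. The class and function names, the in-memory code store, the error_description strings, and the reading of none_unsupported as "the no-transform (plain) method is not accepted" are my own assumptions; only the spop_error value names come from the proposal.

```python
"""Added example (not from the draft or the list thread): a model of the
proposed spop_error responses and the client-side no-downgrade rule.
Names, store and description strings are assumptions for the example."""
import base64
import hashlib
import hmac
import re
import secrets

# Every SPOP failure in the proposal is reported under the RFC 6749 error
# "invalid_request"; the finer-grained value travels in the extra spop_error param.
TOP_LEVEL_ERROR = "invalid_request"

# code_verifier syntax: 43..128 unreserved URI characters (assumption matching
# the draft's definition).
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")
# An unpadded base64url SHA-256 digest is always exactly 43 characters.
S256_CHALLENGE_RE = re.compile(r"^[A-Za-z0-9\-_]{43}$")


def b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def new_verifier() -> str:
    return b64url_nopad(secrets.token_bytes(32))  # 43 characters


def spop_error(code: str, description: str) -> dict:
    return {"error": TOP_LEVEL_ERROR, "spop_error": code,
            "error_description": description}


class AuthorizationServer:
    # "plain" sends the verifier itself as the challenge. The proposal's
    # none_unsupported is read here as "plain is not accepted" (assumption).
    TRANSFORMS = {"plain": lambda v: v, "S256": s256_challenge}

    def __init__(self, supported=("S256",)):
        self.supported = set(supported)
        self.pending = {}  # code -> (method, challenge); constructed in-memory store

    def authorize(self, code_challenge, code_challenge_method="plain"):
        """Error response to the authorization request."""
        if code_challenge_method == "S256" and "S256" not in self.supported:
            return spop_error("S256_unsupported", "S256 transform not supported")
        if code_challenge_method == "plain" and "plain" not in self.supported:
            return spop_error("none_unsupported", "plain code_challenge not accepted")
        if code_challenge_method not in self.TRANSFORMS:
            # The proposal lists no value for an unknown method; reusing
            # invalid_code_challenge for it is my choice.
            return spop_error("invalid_code_challenge", "unknown code_challenge_method")
        syntax = S256_CHALLENGE_RE if code_challenge_method == "S256" else VERIFIER_RE
        if not code_challenge or not syntax.match(code_challenge):
            return spop_error("invalid_code_challenge", "malformed code_challenge")
        code = b64url_nopad(secrets.token_bytes(16))
        self.pending[code] = (code_challenge_method, code_challenge)
        return {"code": code}

    def token(self, code, code_verifier):
        """Error response to the token request."""
        entry = self.pending.pop(code, None)  # authorization codes are single use
        if entry is None:
            return {"error": "invalid_grant"}  # plain RFC 6749, not SPOP-specific
        method, challenge = entry
        if not code_verifier or not VERIFIER_RE.match(code_verifier):
            return spop_error("invalid_code_verifier", "malformed code_verifier")
        if not hmac.compare_digest(self.TRANSFORMS[method](code_verifier), challenge):
            return spop_error("verifier_challenge_mismatch",
                              "code_verifier does not match code_challenge")
        return {"access_token": b64url_nopad(secrets.token_bytes(16)),
                "token_type": "Bearer"}


def client_flow(server, method="S256", verifier=None):
    """Client side of the exchange. On an authorization error the client stops;
    it never retries with a weaker method, because the error may come from a MITM."""
    verifier = verifier or new_verifier()
    challenge = server.TRANSFORMS[method](verifier)
    authz = server.authorize(challenge, method)
    if "code" not in authz:
        return authz  # MUST NOT downgrade (e.g. S256 -> plain) on S256_unsupported
    return server.token(authz["code"], verifier)
```

The point the client_flow function makes is the one the proposal flags: an S256_unsupported response is exactly what a man-in-the-middle who wants a plain-text challenge would forge, so the client treats it as a hard failure rather than a hint to retry with plain. Note also that the server's error on a reused code is the ordinary RFC 6749 invalid_grant, not one of the spop_error values, which only describe verifier and challenge problems.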