Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-device-flow-09.txt> (OAuth 2.0 Device Flow for Browserless and Input Constrained Devices) to Proposed Standard


On Thu, May 31, 2018 at 9:49 AM, Brian Campbell <bcampbell@xxxxxxxxxxxxxxxx> wrote:


On Wed, May 30, 2018 at 6:06 PM, William Denniss <wdenniss@xxxxxxxxxx> wrote:

On Wed, May 30, 2018 at 3:48 PM, Brian Campbell <bcampbell@xxxxxxxxxxxxxxxx> wrote:
I realize this is somewhat pedantic but I don't think referencing 4.1.2.1
works given how RFC 6749 set things up. Rather I believe that the device
flow needs to define and register "access_denied" as a valid token endpoint
response error code (it's not a token endpoint response error per RFC 6749
sec 5.2 nor has it been registered
https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#extensions-error).  Also
invalid_grant is a token endpoint response error from RFC 6749 sec 5.2 so
that reference is needed and appropriate. RFC 6749 Sec 4.1.2.1
<https://tools.ietf.org/html/rfc6749#section-4.1.2> defines errors returned
from the authorization endpoint. But the device flow errors are from the
token endpoint.


Yes, that's true. It's still the token endpoint, so 5.2 does in fact apply, it's just we're mixing in authorization-style actions which were not previously considered/used for that endpoint.

Do you have any proposed text to resolve this?
 

Sure, here's a crack at some text/changes:


Add this to the list of error codes in section 3.5.:

        "access_denied
               The end-user denied the authorization request."


And add this to section 7.2.1.:

  "o  Error name: access_denied
   o  Error usage location: Token endpoint response
   o  Related protocol extension: [[ this specification ]]
   o  Change controller: IETF
   o  Specification Document: Section 3.5 of [[ this specification ]]"


I might also slightly change this text in section 3.5:

"In addition to the error codes defined in Section 5.2 of [RFC6749],
   the following error codes are specific for the device flow:"

to

"In addition to the error codes defined in Section 5.2 of [RFC6749],
   the following error codes are specified by the device flow:"

so that the wording doesn't read as prohibiting the error codes from being used outside the device flow (access_denied from the token endpoint might well be useful for other grant types).


And add "Andrew Sciberras" to the Acknowledgements. 

Thank you Andrew for raising the point about needing to explicitly document this error code, and Brian for your proposed text to resolve this, and for the other issues you raised.

Version 10 has been posted by the authors to resolve the feedback received so far during this last call: https://tools.ietf.org/html/draft-ietf-oauth-device-flow-10
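To illustrate why the device flow needs "access_denied" documented as a token endpoint error, here is an added client-side example (not code from the thread, the draft, or its authors) showing how a polling device client should classify token endpoint responses: keep polling on authorization_pending, back off on slow_down, and stop for good on access_denied, expired_token or invalid_grant. The JSON responses and the access token value are constructed samples.

```python
import json

# Terminal errors: the device_code is dead, the client must stop polling.
# access_denied is the code proposed in the thread; expired_token and
# invalid_grant are the other terminal codes a device client can receive.
TERMINAL_ERRORS = {"access_denied", "expired_token", "invalid_grant"}

class PollState:
    """Tracks the polling interval returned by the device authorization response."""
    def __init__(self, interval=5):
        self.interval = interval

def classify_token_response(body, state):
    """Map one token endpoint response to ('token', tok), ('poll', secs) or ('stop', err)."""
    resp = json.loads(body)
    if "access_token" in resp:
        return ("token", resp["access_token"])
    err = resp.get("error")
    if err == "authorization_pending":   # user has not decided yet; keep waiting
        return ("poll", state.interval)
    if err == "slow_down":               # device flow: increase interval by 5 seconds
        state.interval += 5
        return ("poll", state.interval)
    if err in TERMINAL_ERRORS:           # includes the proposed access_denied
        return ("stop", err)
    return ("stop", err or "malformed_response")   # unknown error: do not keep hammering

def run_poll(responses):
    """Walk a constructed sequence of responses; returns (outcome, detail, polls_made)."""
    state = PollState(interval=5)
    polls = 0
    for body in responses:
        polls += 1
        kind, detail = classify_token_response(body, state)
        if kind != "poll":
            return (kind, detail, polls)
    return ("stop", "exhausted", polls)

# Constructed sample: pending, slow_down, then the end user denies the request.
DENIED_SEQUENCE = [
    '{"error": "authorization_pending"}',
    '{"error": "slow_down"}',
    '{"error": "access_denied", "error_description": "The end-user denied the authorization request."}',
    '{"error": "authorization_pending"}',   # never reached: the client must have stopped
]

if __name__ == "__main__":
    print(run_poll(DENIED_SEQUENCE))   # ('stop', 'access_denied', 3)
```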


