Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

error_response_missing_openid_scope #210

Merged
merged 4 commits into from
Oct 23, 2024
Merged

error_response_missing_openid_scope #210

merged 4 commits into from
Oct 23, 2024

Conversation

AxelNennker
Copy link
Collaborator

What type of PR is this?

Add one of the following kinds:

  • correction

What this PR does / why we need it:

Error responses should be returned through the redirect_url if the redirect_url is valid.
Only if the redirect_url is not valid are HTTP response codes used.

Which issue(s) this PR fixes:

Fixes #209

@sebdewet
Copy link
Collaborator

sebdewet commented Oct 8, 2024

Hi,
not feasable in ciba when we won't have a redirect_uri in poll mode.
When a redirect_uri is specified, you want to return the errors in a query string using an HTTP redirect 302 status code ?

@AxelNennker
Copy link
Collaborator Author

Hi, not feasable in ciba when we won't have a redirect_uri in poll mode. When a redirect_uri is specified, you want to return the errors in a query string using an HTTP redirect 302 status code ?

I added a reference to CIBA error handling

jpengar
jpengar reviewed Oct 9, 2024
View reviewed changes
documentation/CAMARA-Security-Interoperability.md

If "openid" is missing in the scope value but a claim that is [standardized in OIDC](https://openid.net/specs/openid-connect-core-1_0.html#Claims) is requested, then the Authorization Server returns an HTTP response code of 400 (Bad Request) and an error invalid_request.
For OIDC please refer to [OIDC Authentication Error Response](https://openid.net/specs/openid-connect-core-1_0.html#AuthError).
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
For OIDC please refer to [OIDC Authentication Error Response](https://openid.net/specs/openid-connect-core-1_0.html#AuthError).
For the Authorization Code Flow please refer to [OIDC Authentication Error Response](https://openid.net/specs/openid-connect-core-1_0.html#AuthError).

We can say Authorization Code Flow instead of OIDC. CIBA is also OpenId Connect. And the link points to section 3.1.2.6. Authentication Error Response of the OIDC Core standard which is under section 3.1. Authentication using the Authorization Code Flow.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think CIBA is not OIDC (OpenId Connect). They are separate standards published by the OIDF.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, of course, it is indeed a separate standard. What I mean is that it is called "OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0", so it looks better (or at least helpful) to me to explicitly mention the Authorization Code Flow instead of OIDC in this case, to avoid misunderstandings.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But in any case, I don't think it's a big deal, so I've given my approval.

AxelNennker and others added 2 commits October 9, 2024 16:07
@AxelNennker @jpengar
Update documentation/CAMARA-Security-Interoperability.md
ab7010d 
Co-authored-by: Jesús Peña García-Oliva <jesus.penagarcia-oliva@telefonica.com>
@AxelNennker @jpengar
Update documentation/CAMARA-Security-Interoperability.md
820589d 
Co-authored-by: Jesús Peña García-Oliva <jesus.penagarcia-oliva@telefonica.com>
@AxelNennker
Copy link
Collaborator Author

I think the text is now clear about CIBA and OIDC authoritzation code flow, thus adressing @sebdewet 's comment.
Merging this now. And closing.

@AxelNennker AxelNennker merged commit 7b0a736 into main Oct 23, 2024
1 check passed
@AxelNennker AxelNennker deleted the AxelNennker-error_response_missing_openid_scope branch October 23, 2024 10:30
@jpengar jpengar mentioned this pull request Oct 23, 2024
Closed
sebdewet
sebdewet reviewed Oct 23, 2024
View reviewed changes
Copy link
Collaborator

@sebdewet sebdewet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a question about the access_denied, is the answer is given on the /authorize call if consent is denied by the end-user, or on the /token call ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sebdewet sebdewet sebdewet left review comments

@jpengar jpengar jpengar approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

OIDC authorization code flow error response
3 participants
@AxelNennker @sebdewet @jpengar