The need_info response doesn't say that the ticket is REQUIRED #275
Comments
Actually, this probably needs a quick bit of discussion; I took off the editorial label. Now that we've required the ticket to rotate, the original squishy wording (connected to redirect_user) that we've updated seems to suggest that we should promote the ticket property out of the optional error_details structure entirely.

Old (as of Core 2.0 rev 01 Sec 3.5.4.2): "The permission ticket that was in the client's request for authorization data. If the authorization server provides the redirect_user property, it MAY also provide the ticket property. If it is provided, the client SHOULD NOT depend on the ticket's accuracy. Note: The appearance of the permission ticket is deprecated and will be removed in a future UMA version. It is included here for backwards compatibility."

Latest (as of Core 2.0 rev 13 Sec 3.6.8): "A permission ticket that allows the client to make further requests to the authorization server during this attempted authorization. The value of this permission ticket MUST NOT be the same as the one the client used to make its request."

We can say it's REQUIRED, but the problem is that the entire error_details structure is OPTIONAL, and need_info really needs to provide a permission ticket because the client is counting on the ticket to continue the authorization process. So should the internal structure be REQUIRED ticket + OPTIONAL error_details?
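The structure proposed in that comment (a REQUIRED, rotated ticket at the top level of the need_info response, with error_details OPTIONAL), as an added example that is not code from this thread or from the UMA spec. The JSON layout, the in-memory ticket store and the redirect_user hint value are assumptions for illustration.

```python
import secrets

# Constructed in-memory record of live permission tickets at the authorization server.
LIVE_TICKETS = set()


def build_need_info(old_ticket, live_tickets=LIVE_TICKETS, redirect_user=None):
    """Authorization-server side: answer a token request with need_info.

    Assumed layout: 'ticket' is REQUIRED at the top level and always rotated;
    'error_details' is OPTIONAL and only carries hints (here redirect_user).
    """
    if old_ticket not in live_tickets:
        raise ValueError("unknown or already-consumed permission ticket")
    new_ticket = secrets.token_urlsafe(32)
    live_tickets.discard(old_ticket)   # retire the ticket the client submitted
    live_tickets.add(new_ticket)       # only the rotated value is valid from now on
    body = {"error": "need_info", "ticket": new_ticket}
    if redirect_user is not None:
        body["error_details"] = {"redirect_user": redirect_user}
    return body


def client_next_ticket(response, ticket_sent):
    """Client side: pick the ticket to use next, rejecting underspecified responses."""
    if response.get("error") != "need_info":
        raise ValueError("not a need_info response")
    new_ticket = response.get("ticket")
    if not isinstance(new_ticket, str) or not new_ticket:
        # Old-style response: ticket buried in optional error_details, or absent entirely,
        # leaves the client with nothing it can rely on to continue authorization.
        raise ValueError("need_info response lacks the REQUIRED top-level ticket")
    if new_ticket == ticket_sent:
        raise ValueError("authorization server did not rotate the ticket")
    return new_ticket


def demo():
    """One round trip: server rotates the ticket, client adopts the new value."""
    live = {"ticket-0"}                       # constructed initial ticket
    resp = build_need_info("ticket-0", live, redirect_user=True)
    nxt = client_next_ticket(resp, "ticket-0")
    return nxt in live and "ticket-0" not in live
```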
In ad hoc telecon 2017-02-21, we discussed, and agree. The specifics are laid out in an email to the WG. The underlying issue stems from our V1-era non-rotating ticket paradigm.
Here's what the email said: There are three problems.
Closed in Core 2.0 rev 16.
Part of the question on the call was if we were allowed to put
Ah, yes. That means I should probably add a bit more description to the new Core rev 16 Sec 9.4.2, to mention |
The ticket part of need_info is underspecified in this respect, and in fact, there's no ticket value included in the "full" example of a need_info response with error_details hints (Core rev 12 Sec 3.6.7). This needs to be fixed.