Correct way to return errors (fragment vs query) in hybrid flow is unclear

Issue #1048 resolved
Joseph Heenan created an issue

I am finding myself repeatedly having a discussion about how to interpret the 'HybridAuthError' clause of OpenID Connect Core - in particular for the case where the error is neither end user denies request nor end user fails authentication.

The spec ( https://openid.net/specs/openid-connect-core-1_0.html#HybridAuthError ) says:

When using the Hybrid Flow, Authorization Error Responses are made in the same manner as for the Authorization Code Flow, as defined in Section 3.1.2.6, with the exception of the differences specified in this section. If the End-User denies the request or the End-User authentication fails, the Authorization Server MUST return the error Authorization Response in the fragment component of the Redirection URI, as defined in 4.2.2.1 of OAuth 2.0 [RFC6749] and OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses], unless a different Response Mode was specified.

I don't believe the exception applies, so section 3.1.2.6 applies - which says:

When using the Authorization Code Flow, the error response parameters are added to the query component of the Redirection URI, unless a different Response Mode was specified.

So it appears to me that, in a hybrid flow, if a (say) invalid_request error is to be returned to a client, it must be returned in the URL query.

"OAuth 2.0 Multiple Response Type Encoding Practices" section 5 ( https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations ) says:

code id_token When supplied as the value for the response_type parameter, a successful response MUST include both an Authorization Code and an id_token. The default Response Mode for this Response Type is the fragment encoding and the query encoding MUST NOT be used. Both successful and error responses SHOULD be returned using the supplied Response Mode, or if none is supplied, using the default Response Mode.

This appears to say that the query shouldn't or must not be used. But I can't find any way to read the OpenID Connect Core spec (as quoted above) in a manner that allows hybrid to return an invalid_request error in the fragment.

Comments (6)

  1. Brian Campbell

    On the Aug 30 call there was wide consensus that the intent was that all errors were to be returned in the fragment with hybrid. And that the wording in the OpenID Connect Core document should be fixed/clarified to reflect that.

  2. Joseph Heenan reporter

    This was discussed on today's connect WG call.

    There seemed to be a consensus that the wording in the connect core spec is a bit fluffy and the intention is that the errors are always returned in the fragment as per "OAuth 2.0 Multiple Response Type Encoding Practices".

    Filip added that the OIDF conformance suite for the hybrid flow does already test that errors are returned in the fragment.
