certification: RFC6749 MUST for error_description

Issue #1147 resolved
Joseph Heenan created an issue

The certification team have found an implementation that’s not compliant with RFC6749 text, in particular from https://tools.ietf.org/html/rfc6749#section-4.1.2.1:

 error_description
         OPTIONAL.  Human-readable ASCII [USASCII] text providing
         additional information, used to assist the client developer in
         understanding the error that occurred.
         Values for the "error_description" parameter MUST NOT include
         characters outside the set %x20-21 / %x23-5B / %x5D-7E.

It’s been suggested that the certification tests should treat CR, LF, or TAB characters as only a warning, and not a failure, and hence implementations that include CR/LF/TAB in error_description would be allowed to certify.

The Python certification tests do not test this clause, but the FAPI tests do, and so do the in-development Java OpenID Connect certification tests.

Input from the working group as to the direction here would be appreciated. I guess one of the questions is whether there are any potential security or interoperability concerns from allowing a wider range of characters than OAuth2 permits.
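A checker for the clause quoted above, added here as an example and not taken from the certification suite or the implementation in question: strict mode fails any character outside the RFC 6749 set, while the lenient mode downgrades TAB/CR/LF to a warning as the issue suggests. The callback URI and its error text are constructed sample data.

```python
"""Check an OAuth 2.0 error_description against RFC 6749 section 4.1.2.1.

Added example for this thread; it is not code from the OpenID certification
suite or from the implementation the issue describes.
"""
from urllib.parse import parse_qs, urlsplit

# RFC 6749 4.1.2.1: the value MUST NOT contain characters outside
# %x20-21 / %x23-5B / %x5D-7E, i.e. printable ASCII minus '"' and '\'.
ALLOWED = {chr(c) for c in range(0x20, 0x7F)} - {'"', "\\"}

# Control characters the issue proposes to report as warnings only.
WARN_ONLY = {"\t", "\r", "\n"}

RANK = {"pass": 0, "warning": 1, "failure": 2}

def check_error_description(value, strict=True):
    """Return (verdict, offenders).

    verdict is "pass", "warning" or "failure"; offenders lists every
    disallowed character found, as "U+XXXX", so a report can name them.
    Characters are tested one by one on purpose: a regex anchored with
    '$' would silently accept a trailing LF, the very case in dispute.
    """
    bad = sorted({ch for ch in value if ch not in ALLOWED})
    if not bad:
        return "pass", []
    labels = ["U+%04X" % ord(ch) for ch in bad]
    if not strict and all(ch in WARN_ONLY for ch in bad):
        return "warning", labels
    return "failure", labels

def check_error_redirect(redirect_uri, strict=True):
    """Apply the check to the error_description carried in an authorization
    endpoint error redirect (section 4.1.2.1 delivers it as a query
    parameter). A missing parameter passes, since it is OPTIONAL; every
    occurrence is checked and the worst verdict is returned."""
    params = parse_qs(urlsplit(redirect_uri).query, keep_blank_values=True)
    worst, offenders = "pass", []
    for value in params.get("error_description", []):
        verdict, bad = check_error_description(value, strict)
        offenders += bad
        if RANK[verdict] > RANK[worst]:
            worst = verdict
    return worst, offenders

if __name__ == "__main__":
    # Constructed sample: a server that embedded a line break (%0A) in its text.
    sample = ("https://client.example.org/cb?error=invalid_request"
              "&error_description=Missing%20scope%0ASee%20docs&state=xyz")
    print(check_error_redirect(sample))                # ('failure', ['U+000A'])
    print(check_error_redirect(sample, strict=False))  # ('warning', ['U+000A'])
```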

Comments (3)

  1. Michael Jones

    We discussed this on the 6-Jan-20 working group call and it’s OK for the use of TAB, CR, and LF to be treated as warnings, rather than errors.
