certification: RFC6749 MUST for error_description
The certification team have found an implementation that’s not compliant with RFC6749 text, in particular from https://tools.ietf.org/html/rfc6749#section-4.1.2.1 :
    error_description
          OPTIONAL.  Human-readable ASCII [USASCII] text providing
          additional information, used to assist the client developer in
          understanding the error that occurred.
          Values for the "error_description" parameter MUST NOT include
          characters outside the set %x20-21 / %x23-5B / %x5D-7E.
It’s been suggested that the certification tests should treat CR, LF, or TAB characters as only a warning, and not a failure, and hence implementations that include CR/LF/TAB in error_description would be allowed to certify.
The python certification tests do not test this clause, but the FAPI tests do, and so do the in-development java openid connect certification tests.
Input from the working group as to the direction here would be appreciated. I guess one of the questions is whether there are any potential security or interoperability concerns from allowing a wider range of characters than OAuth2 permits.
Comments (3)

We discussed this on the 6-Jan-20 working group call and it’s OK for the use of TAB, CR, and LF to be treated as warnings, rather than errors.

reporter: Ticket raised to update certification suite: https://gitlab.com/openid/conformance-suite/issues/705

reporter changed status to resolved: Tracked by ticket in certification suite
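Added example, not code from the ticket or from the conformance suite: a Python check for the RFC 6749 character rule quoted in the report, applying the outcome from the working-group comment, so TAB, CR and LF in error_description produce a warning while any other character outside %x20-21 / %x23-5B / %x5D-7E (for example '"', '\' or non-ASCII) is a failure. The callback URL and parameter values in the usage are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# RFC 6749 section 4.1.2.1: error_description values MUST only contain
# %x20-21 / %x23-5B / %x5D-7E, i.e. printable ASCII minus '"' and '\'.
_ALLOWED = re.compile(r"[\x20-\x21\x23-\x5B\x5D-\x7E]*")

# Characters the working group agreed to report as a warning, not a failure.
_WARN_ONLY = {"\t": "TAB", "\r": "CR", "\n": "LF"}


def check_error_description(value):
    """Return (result, findings); result is 'pass', 'warning' or 'failure'."""
    # fullmatch is used deliberately: '$' would ignore a trailing LF.
    if _ALLOWED.fullmatch(value):
        return "pass", []
    findings = []
    result = "warning"
    for ch in sorted(set(value)):
        if _ALLOWED.fullmatch(ch):
            continue
        if ch in _WARN_ONLY:
            findings.append(f"warning: contains {_WARN_ONLY[ch]}")
        else:
            # Anything else outside the set stays a certification failure.
            findings.append(f"failure: contains U+{ord(ch):04X}")
            result = "failure"
    return result, findings


def check_error_redirect(redirect_uri):
    """Pull error_description out of an authorization error redirect and check it."""
    params = parse_qs(urlsplit(redirect_uri).query, keep_blank_values=True)
    descs = params.get("error_description")
    if not descs:
        # The parameter is OPTIONAL, so its absence is not a finding.
        return "pass", ["error_description absent (OPTIONAL)"]
    return check_error_description(descs[0])


if __name__ == "__main__":
    # Constructed callback: a server that put CRLF into error_description.
    url = ("https://client.example/cb?error=invalid_request"
           "&error_description=Missing%20scope%0D%0A&state=xyz")
    print(check_error_redirect(url))
```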