SIOP error response
Issue #1363
resolved
SIOP currently only defines “Relying Party Registration Metadata Error Response”. There has been a question, how SIOP can send an error response for any other reason. Suggest we introduce a more general error response section.
SIOP error response in cross-device SIOP should also be defined. In same device SIOP, error response will be an HTTP 302 as defined in OpenID.Core.
Comments (5)
-
-
reporter
In 2021-12-03 SIOP call we discussed
- Kristina to ask which error codes the implementors who gave this feedback would absolutely want
- add a text saying implementations can define their own error codes to be used in their framework
-
Such a capability is certain to be misused by devs. If any statement were added it should be a negative rather than a positive. For example:
Developers SHOULD NOT add codes to this element that provide information that can be used by attackers to work around security features.
-
reporter
Great points, Tom, agreed that error codes must be used with caution.
-
reporter
- changed status to resolved
Error codes have been updated in PR
#78 - Log in to comment
It is important to remember that any information provided to an attacker will help the attacker refine their attack. Error codes sent the the clear MUST NOT provide any information helpful to an attacker. In no case should an error code tell the attacker how to clear the problem.