SIOP error response

Issue #1363 resolved
Kristina Yasuda created an issue

SIOP currently only defines “Relying Party Registration Metadata Error Response”. There has been a question of how SIOP can send an error response for any other reason. Suggest we introduce a more general error response section.

SIOP error response in cross-device SIOP should also be defined. In same device SIOP, error response will be an HTTP 302 as defined in OpenID.Core.

Comments (5)

  1. Tom Jones

    It is important to remember that any information provided to an attacker will help the attacker refine their attack. Error codes sent in the clear MUST NOT provide any information helpful to an attacker. In no case should an error code tell the attacker how to clear the problem.

  2. Kristina Yasuda reporter

    In the 2021-12-03 SIOP call we discussed:

    • Kristina to ask which error codes the implementors who gave this feedback would absolutely want
    • add a text saying implementations can define their own error codes to be used in their framework

  3. Tom Jones

    Such a capability is certain to be misused by devs. If any statement were added it should be a negative rather than a positive. For example:

    Developers SHOULD NOT add codes to this element that provide information that can be used by attackers to work around security features.
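The same-device case from the issue (an HTTP 302 error response as defined in OpenID.Core) together with the point about not leaking detail in error codes, as an added example that is not part of the issue thread or the SIOP spec: a responder that puts only an allowlisted error code and the echoed state into the redirect and keeps the internal cause in its own log. It assumes response_type=id_token with the default fragment response mode; the function name and the allowlist are assumptions.

```python
"""Added example (not from the SIOP spec or this issue): build a same-device
SIOP error response as an HTTP 302 redirect in the OpenID Connect Core form,
without placing anything in the clear that describes the internal failure."""
import logging
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode, urlsplit, urlunsplit

log = logging.getLogger("siop")

# Error codes the responder may place in the redirect (assumed allowlist drawn
# from the OAuth 2.0 / OpenID Connect Core error registries). Anything else is
# collapsed to the generic server_error so internal causes never reach the URL.
ALLOWED_ERRORS = {
    "invalid_request", "unauthorized_client", "access_denied",
    "unsupported_response_type", "invalid_scope", "server_error",
    "temporarily_unavailable", "login_required", "interaction_required",
}


def build_error_redirect(redirect_uri: str, error: str, state: Optional[str],
                         internal_detail: str = "") -> Tuple[int, Dict[str, str]]:
    """Return (status, headers) for the 302 error response.

    With response_type=id_token, OpenID Connect Core carries the error
    parameters in the fragment of redirect_uri. `internal_detail` is written
    to the local log only and is never copied into the response; no
    error_description is emitted for the same reason.
    """
    if error not in ALLOWED_ERRORS:
        log.warning("non-allowlisted error %r mapped to server_error", error)
        error = "server_error"
    log.info("siop error %s for %s: %s", error, redirect_uri, internal_detail)

    params = {"error": error}
    if state is not None:            # state is echoed whenever the RP sent one
        params["state"] = state
    # Any fragment already on redirect_uri is discarded; the error goes there.
    scheme, netloc, path, query, _ = urlsplit(redirect_uri)
    location = urlunsplit((scheme, netloc, path, query, urlencode(params)))
    return 302, {"Location": location, "Cache-Control": "no-store"}
```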
