- changed status to open
Messages 2.1.4 - session_selection_required is leaking PII
Yaron Goland wrote the following:
session_selection_required is leaking PII, that the user has multiple accounts with the IDP. That's a big no-no. If session selection is required then it should just be used by the IDP and call it a day.
consent_required - This is leaking data about the user, specifically, that it's a user who hasn't previously given permission to the site. This can be used for targeted advertising and other purposes. We shouldn't be returning this error. What we need to say is "You asked for none, that ain't gonna work, try again with no restriction".
user_mismatched - ARE YOU KIDDING ME?!?!?!?? Thanks for providing an oracle that I can use to detect if someone is who I think they are. This error needs to be GONE. Let me repeat - when you ask for none, if it doesn't work - WE DON'T TELL YOU WHY. We just tell you to try again without none. Stop leaking data!
Comments (8)
Assigned to George
Recommend that we remove error responses login_required, session_selection_required, consent_required and user_mismatched. Replace these error responses with the following...
interaction_required - End-User interaction is required at the Authorization Server. This error MAY be returned when the user is required to perform some action at the Authorization Server and the prompt parameter in the Authorization Request is set to none. For example, the Authorization Server may require the user to authenticate before granting the authorization request.
Breno, is this OK? Or do you need a more detailed error response?
Account Deleted - The motivation for providing more specific information was to allow RPs to reason about whether the current IDP choice is the best option for the user. However, given the lack of consensus on this, I am fine with changing to 'interaction_required'.
-
reporter - We agreed to postpone this until we better understand the full session management strategy.
-
It should always be legal to return interaction_required for privacy reasons - it will be added. Based upon the circumstances of the request, some OPs may return more specific errors. We will delete user_mismatched. We may continue revising these error codes once session management is further fleshed out.
-
-
reporter - changed status to resolved
Fix
Issue #523
These errors were intended for use in immediate mode. We need a generic error saying "try again not in immediate mode" - an interactive session is required. The equivalent of the OpenID 2.0 "check setup required".
This would replace these error codes.
George will make a proposal.
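The generic error this thread converges on, as an added example (not code from the issue, its participants, or the OpenID Connect spec; the endpoint URLs, state value and request parameters are constructed for illustration): an OP that returns only interaction_required for a failed prompt=none request, whatever its internal reason, and an RP that treats that error as "retry without prompt=none" rather than as information about the user.

```python
# Added example: privacy-preserving handling of prompt=none failures.
# Assumed/constructed: redirect URI, state value and request parameters.
from urllib.parse import parse_qs, urlencode, urlparse

# Internal conditions that can block a prompt=none request. These names
# appear in the thread; with prompt=none none of them is sent to the RP.
INTERNAL_REASONS = {
    "login_required", "session_selection_required",
    "consent_required", "user_mismatched",
}

def op_error_redirect(reason, redirect_uri, state):
    """OP side: build the error redirect for a prompt=none request.

    Every internal reason collapses to interaction_required, so the RP
    cannot tell multiple accounts, missing consent and a different
    logged-in user apart (the oracle the thread objects to).
    """
    if reason not in INTERNAL_REASONS:
        raise ValueError(f"unknown reason {reason!r}")
    params = {"error": "interaction_required", "state": state}
    return f"{redirect_uri}?{urlencode(params)}"

def rp_handle_callback(callback_url, expected_state, original_request):
    """RP side: bind the response to our request, then decide what to do.

    Returns ("code", code) on success, ("retry_interactive", params)
    when a prompt=none request needs the user, or ("error", code).
    """
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response not bound to our request")
    if "error" in query:
        error = query["error"][0]
        if error == "interaction_required" and original_request.get("prompt") == "none":
            # The only sensible reaction: repeat the request interactively.
            retry = {k: v for k, v in original_request.items() if k != "prompt"}
            return "retry_interactive", retry
        return "error", error
    return "code", query["code"][0]

if __name__ == "__main__":
    request = {"client_id": "rp1", "response_type": "code", "scope": "openid",
               "redirect_uri": "https://rp.example/cb", "state": "abc123",
               "prompt": "none"}
    cb = op_error_redirect("user_mismatched", request["redirect_uri"], "abc123")
    print(cb)
    print(rp_handle_callback(cb, "abc123", request))
```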