How to handle an unsupported response_mode?

Issue #977 resolved
Vladimir Dzhuvinov created an issue

OAuth 2.0 Multiple Response Type Encoding Practices defines the response_mode parameter.

How should an OP that doesn't support a requested response mode, e.g. form_post, respond? With an invalid_request error, ignore (assume the default response mode), or otherwise?

Thanks,

Vladimir

Comments (9)

  1. Michael Jones
    • changed milestone to Errata
    • changed component to Core

    Hmmm... Comparing the 400 Bad Request suggestion to OAuth 2.0, RFC 6749 says:

    If an authorization request is missing the "response_type" parameter, or if the response type is not understood, the authorization server MUST return an error response as described in Section 4.1.2.1.

    4.1.2.1 then describes returning "error" values such as "invalid_request".

    Given that not understanding a response_mode is very similar to not understanding a response_type, I would think that we would want to handle the error in the same way.

  2. Brian Campbell

    I went w/ a 400 for two reasons:

    1) if the client asks for a response mode that the AS doesn't understand or support, it's difficult for the AS to know what response mode to use in returning an error. The default mode for the given response type is probably what should be used but, if the client asked for something else, will it be prepared to handle that?

    2) One of the recommendations John made in the OAuth Open Redirector stuff is to "Respond with an HTTP 400" at https://tools.ietf.org/html/draft-bradley-oauth-open-redirector-02#section-2.3

    A 400 in this case doesn't itself protect against all the Open Redirector issues. But that and the likelihood that a client wouldn't know how to consume the invalid_request error response led me to choose the 400 as I added response_mode support.

    I think an "invalid_request" error or a 400 would be appropriate. And any "regular" OAuth AS that doesn't know about response_mode will just ignore it, so that seems like it'd be appropriate too.

  3. Michael Jones

    John pointed out that if you don't support the response_mode, you can't even return error and error_description. Therefore, we'll return 400.

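As an added example (not code from this issue thread, nor from any particular OpenID Connect implementation), here is the authorization-endpoint decision logic the thread converges on, in Python: validate redirect_uri before anything else, answer an unknown response_mode with a plain HTTP 400 and no redirect, and only route the remaining errors back to the client once the delivery mode is known. The sets of supported modes and types, the hypothetical client URIs, and the `issue` callback that produces the success parameters are assumptions made for the example.

```python
from html import escape
from urllib.parse import urlencode, urlsplit, urlunsplit

# Assumed capabilities of a hypothetical AS, not of any real product.
SUPPORTED_RESPONSE_MODES = {"query", "fragment", "form_post"}
SUPPORTED_RESPONSE_TYPES = {"code", "token", "id_token", "code id_token"}


def default_response_mode(response_type):
    # Multiple Response Type Encoding Practices: "code" defaults to query,
    # any response_type that carries a token or id_token defaults to
    # fragment. A missing response_type (itself an error) is treated as query.
    return "fragment" if response_type and response_type != "code" else "query"


def bad_request(detail):
    # Answer for the user agent only. Deliberately NOT delivered to
    # redirect_uri: we either could not validate the redirect target or do
    # not know how the client wants to receive error/error_description.
    return 400, {"Content-Type": "text/plain"}, "invalid_request: " + detail


def deliver(redirect_uri, params, mode):
    """Encode params for redirect_uri in the given (supported) response mode.
    Returns an (http_status, headers, body) triple."""
    if mode == "form_post":
        inputs = "".join(
            '<input type="hidden" name="%s" value="%s"/>'
            % (escape(k, quote=True), escape(v, quote=True))
            for k, v in params.items()
        )
        body = (
            '<html><body onload="document.forms[0].submit()">'
            '<form method="post" action="%s">%s</form></body></html>'
            % (escape(redirect_uri, quote=True), inputs)
        )
        return 200, {"Content-Type": "text/html"}, body
    scheme, netloc, path, query, fragment = urlsplit(redirect_uri)
    encoded = urlencode(params)
    if mode == "query":
        query = query + "&" + encoded if query else encoded
    else:  # fragment
        fragment = encoded
    location = urlunsplit((scheme, netloc, path, query, fragment))
    return 302, {"Location": location}, ""


def authorize(params, registered_redirect_uris, issue):
    """Decide how to answer an authorization request.

    params: request parameters as a dict.
    registered_redirect_uris: redirect URIs registered for the client.
    issue: assumed callback that mints the success parameters (code,
           tokens, ...) for an already validated request.
    """
    redirect_uri = params.get("redirect_uri")
    if redirect_uri not in registered_redirect_uris:
        return bad_request("redirect_uri is not registered for this client")

    response_type = params.get("response_type")
    mode = params.get("response_mode")
    if mode is None:
        mode = default_response_mode(response_type)
    elif mode not in SUPPORTED_RESPONSE_MODES:
        # Resolution of this issue: no redirect, just a 400.
        return bad_request("unsupported response_mode %r" % mode)

    # From here on the AS knows how the client expects its response, so the
    # remaining errors go back via redirect_uri (RFC 6749 section 4.1.2.1).
    response = {}
    if response_type is None:
        response = {"error": "invalid_request",
                    "error_description": "missing response_type"}
    elif response_type not in SUPPORTED_RESPONSE_TYPES:
        response = {"error": "unsupported_response_type"}
    else:
        response = dict(issue(params))
    if "state" in params:
        response["state"] = params["state"]
    return deliver(redirect_uri, response, mode)


if __name__ == "__main__":
    # Constructed request asking for a mode this AS does not offer.
    request = {"response_type": "code", "client_id": "s6BhdRkqt3",
               "redirect_uri": "https://client.example/cb",
               "response_mode": "web_message", "state": "af0ifjsldkj"}
    print(authorize(request, {"https://client.example/cb"}, lambda p: {"code": "x"}))
```

Note that the redirect_uri check comes first: once an unregistered target would be rejected anyway, the 400 for an unknown response_mode costs the client nothing, because a client that asked for a mode the AS lacks would not have been able to parse an error delivered in some other mode either.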