1. OpenID Foundation Avatar OpenID Foundation
  2. WGs
  3. mobile
  4. Issues

token endpoint response when client polls quicker than 'interval' may be unclear

Issue #135 resolved
Joseph Heenan created an issue

7.3. Successful Authentication Request Acknowledgement says:

interval OPTIONAL. The minimum amount of time in seconds that the Client MUST wait between polling requests to the token endpoint.

I think it's unclear what error an AS should return if a client violates the rule - I think it would be valid to return 'slow_down' but I think it's possible to form an argument that 'invalid_request' or another error might also be valid.

It may be in the interests of interoperability to define the behaviour in this case.

I think I would tend towards treating it as a hard error to ensure that clients that accidentally poll more often than they should are discovered and fixed.

Comments (14)

  2. Brian Campbell

    What is returned in that situation is at the AS's discretion and could be slow_down or authorization_pending. It could also go with a hard error of invalid_grant if it wanted to invalidate the whole transaction. However, I don't believe a particular error should be mandated, especially if it were to require that the AS to keep track of polling frequency for each auth_req_id.

  5. Joseph Heenan reporter

    I suggest new text in 11. Token Error Response :

    If the server wishes to indicate to the client that the client is not respecting "slow_down" or "interval" and the authentication has been aborted, it MAY return HTTP status code 429 Too Many Requests. If a client receives a HTTP status 429 response, it MUST NOT make any further requests for that auth_req_id.

    Though it feels appropriate, I'm also not feeling quite 100% confident about using a HTTP error code as I'm wondering if their are situations where an API gateway might return a 429 error for other situations. I am not sure if that matters. Opinions welcome.

  6. Brian Campbell

    Not particularly liking the idea of tying application specific logic to an HTTP status code.

  9. Joseph Heenan reporter

    Discussed on today’s call - invalid_request (potentially with a helpful error_description) is an equally valid response.

    The spec should then probably have a clause to make clear that if a polling client receives invalid_request it must never retry.

  10. Joseph Heenan reporter

    7.3. Successful Authentication Request Acknowledgement says:

    interval OPTIONAL. The minimum amount of time in seconds that the Client MUST wait between polling requests to the token endpoint.

    I think it's unclear what error an AS should return if a client violates the rule - I think it would be valid to return 'slow_down' but I think it's possible to form an argument that 'invalid_request' or another error might also be valid.

    It may be in the interests of interoperability to define the behaviour in this case.

    I think I would tend towards treating it as a hard error to ensure that clients that accidentally poll more often than they should are discovered and fixed.

  11. Dave Tonge

    If a Client continually polls quicker than the interval, the OP may return a “invalid_request” error.

    If a Client receive an invalid_request error it must not make any further requests for that auth_req_id.

  15. Log in to comment
Assignee
Type
bug
Priority
major
Status
resolved
Component
CIBA
Milestone
CIBA Post-Implementer's Draft
Votes
0
Watchers
0
Jira: the preferred issue tracker for Bitbucket. Join the team!