What errors should be returned to the 3rd-party-application?


Problem description

When the user ("Resource Owner") explicitly denies the auth request, this should be passed to the requesting client (something like https://oauth2client.com/cb#error=access_denied).

What other errors should be passed to the 3rd-party-application? What about a (temporary) server error? Are there events that should not be called back with, for security reasons?

Thanks!

Recommended answer

Have you read the RFC?

See section 4.1.2.1. Error Response for the Authorization Code Grant. It outlines what error codes you can send back. server_error or temporarily_unavailable is probably what you are looking for. The OAuth2 security recommendations do not call out a reason for not sending them back.

If the request fails due to a missing, invalid, or mismatching
redirection URI, or if the client identifier is missing or invalid,
the authorization server SHOULD inform the resource owner of the
error and MUST NOT automatically redirect the user-agent to the
invalid redirection URI.

If the resource owner denies the access request or if the request
fails for reasons other than a missing or invalid redirection URI,
the authorization server informs the client by adding the following
parameters to the query component of the redirection URI using the
"application/x-www-form-urlencoded" format, per Appendix B:

error
     REQUIRED.  A single ASCII [USASCII] error code from the
     following:

     invalid_request
           The request is missing a required parameter, includes an
           invalid parameter value, includes a parameter more than
           once, or is otherwise malformed.
     unauthorized_client
           The client is not authorized to request an authorization
           code using this method.

     access_denied
           The resource owner or authorization server denied the
           request.

     unsupported_response_type
           The authorization server does not support obtaining an
           authorization code using this method.

     invalid_scope
           The requested scope is invalid, unknown, or malformed.

     server_error
           The authorization server encountered an unexpected
           condition that prevented it from fulfilling the request.
           (This error code is needed because a 500 Internal Server
           Error HTTP status code cannot be returned to the client
           via an HTTP redirect.)

     temporarily_unavailable
           The authorization server is currently unable to handle
           the request due to a temporary overloading or maintenance
           of the server.  (This error code is needed because a 503
           Service Unavailable HTTP status code cannot be returned
           to the client via an HTTP redirect.)

     Values for the "error" parameter MUST NOT include characters
     outside the set %x20-21 / %x23-5B / %x5D-7E.
