[Openid-specs-ab] Issue #1147: certification: RFC6749 MUST for error_description (openid/connect)

josephheenan issues-reply at bitbucket.org
Thu Dec 19 15:09:28 UTC 2019

New issue 1147: certification: RFC6749 MUST for error_description

Joseph Heenan:

The certification team have found an implementation that’s not compliant with RFC6749 text, in particular from [https://tools.ietf.org/html/rfc6749#section-](https://tools.ietf.org/html/rfc6749#section- :

         OPTIONAL.  Human-readable ASCII [USASCII] text providing
         additional information, used to assist the client developer in
         understanding the error that occurred.
         Values for the "error_description" parameter MUST NOT include
         characters outside the set %x20-21 / %x23-5B / %x5D-7E.

It’s been suggested that the certification tests should treat CR, LF, or TAB characters as only a warning, and not a failure, and hence implementations that include CR/LF/TAB in error\_description would be allowed to certify.

The python certification tests do not test this clause, but the FAPI tests do, and so do the in-development java openid connect certification tests.

Input from the working group as to the direction here would be appreciated. I guess one of the questions is whether there are any potential security or interoperability concerns from allowing a wider range of characters than OAuth2 permits.

More information about the Openid-specs-ab mailing list