[Openid-specs-ab] Issue #1048: Correct way to return errors (fragment vs query) in hybrid flow is unclear (openid/connect)

Joseph Heenan issues-reply at bitbucket.org
Sun Aug 26 14:19:28 UTC 2018


New issue 1048: Correct way to return errors (fragment vs query) in hybrid flow is unclear
https://bitbucket.org/openid/connect/issues/1048/correct-way-to-return-errors-fragment-vs

Joseph Heenan:

I am finding myself repeatedly having a discussion about how to interpret the 'HybridAuthError' clause of OpenID Connect Core - in particular for the case where the error is neither the End-User denying the request nor End-User authentication failing.

The spec ( https://openid.net/specs/openid-connect-core-1_0.html#HybridAuthError ) says:

> When using the Hybrid Flow, Authorization Error Responses are made in the same manner as for the Authorization Code Flow, as defined in Section 3.1.2.6, with the exception of the differences specified in this section.
> If the End-User denies the request or the End-User authentication fails, the Authorization Server MUST return the error Authorization Response in the fragment component of the Redirection URI, as defined in 4.2.2.1 of OAuth 2.0 [RFC6749] and OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses], unless a different Response Mode was specified.

I don't believe the exception applies, so section 3.1.2.6 applies - which says:

> When using the Authorization Code Flow, the error response parameters are added to the query component of the Redirection URI, unless a different Response Mode was specified.

So it appears to me that, in a hybrid flow, if a (say) invalid_request error is to be returned to a client, it must be returned in the URL query.

"OAuth 2.0 Multiple Response Type Encoding Practices" section 5 ( https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations ) says:

> code id_token
> When supplied as the value for the response_type parameter, a successful response MUST include both an Authorization Code and an id_token. The default Response Mode for this Response Type is the fragment encoding and the query encoding MUST NOT be used. Both successful and error responses SHOULD be returned using the supplied Response Mode, or if none is supplied, using the default Response Mode.

This appears to say that the query shouldn't or must not be used. But I can't find any way to read the OpenID Connect Core spec (as quoted above) in a manner that allows hybrid to return an invalid_request error in the fragment.

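The two readings above differ only in which component of the redirect URI carries the error parameters. The following Python is an added example (editorial, not part of the original issue, and not code from the OpenID working group or any certified implementation). It implements the reading taken from OAuth 2.0 Multiple Response Type Encoding Practices section 5: the default Response Mode is fragment for every response_type containing id_token or token, query for "code" and "none", and a requested query mode is rejected where that section says the query encoding MUST NOT be used. It also shows the RP side, which looks for the error in the component it expects and can additionally report when an OP put it in the other one. Whether an OP should follow Core 3.1.2.6 or OAuth.Responses section 5 for non-user-denial errors is exactly the open question of this issue; the code takes one side of it and is an assumption in that respect.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs

# Default Response Mode per response_type, as listed in OAuth 2.0 Multiple
# Response Type Encoding Practices section 5 (plus RFC 6749 for "code"/"token").
FRAGMENT_DEFAULT = {
    "token", "id_token", "id_token token",
    "code id_token", "code token", "code id_token token",
}
QUERY_DEFAULT = {"code", "none"}

_ORDER = {"code": 0, "id_token": 1, "token": 2}


def canonical_response_type(response_type):
    """response_type is a space-separated, order-insensitive list; normalize it."""
    parts = response_type.split()
    if parts == ["none"]:
        return "none"
    if not parts or len(set(parts)) != len(parts) or any(p not in _ORDER for p in parts):
        raise ValueError("unsupported response_type: %r" % response_type)
    return " ".join(sorted(parts, key=_ORDER.__getitem__))


def default_response_mode(response_type):
    rt = canonical_response_type(response_type)
    return "fragment" if rt in FRAGMENT_DEFAULT else "query"


def choose_response_mode(response_type, requested_mode=None):
    """Apply the requested response_mode, or the default when none was sent.

    Section 5 says the query encoding MUST NOT be used for the fragment-default
    combinations, so an explicit response_mode=query is refused for them.
    """
    default = default_response_mode(response_type)
    if requested_mode is None:
        return default
    if requested_mode not in ("query", "fragment"):
        raise ValueError("response_mode %r not handled by this example" % requested_mode)
    if requested_mode == "query" and default == "fragment":
        raise ValueError("query encoding MUST NOT be used with response_type %r" % response_type)
    return requested_mode


def build_error_redirect(redirect_uri, error, state, response_type,
                         requested_mode=None, error_description=None):
    """OP side: build the error Authorization Response redirect for one request.

    Any query component already present in redirect_uri is retained (RFC 6749
    section 3.1.2); the error parameters go into the component chosen above.
    """
    mode = choose_response_mode(response_type, requested_mode)
    params = {"error": error}
    if error_description:
        params["error_description"] = error_description
    if state is not None:          # state MUST be echoed back when the request had one
        params["state"] = state
    scheme, netloc, path, query, _fragment = urlsplit(redirect_uri)
    encoded = urlencode(params)
    if mode == "query":
        query = query + "&" + encoded if query else encoded
        return urlunsplit((scheme, netloc, path, query, ""))
    return urlunsplit((scheme, netloc, path, query, encoded))


def _params(component):
    return {k: v[0] for k, v in parse_qs(component, keep_blank_values=True).items()}


def parse_error_response(response_uri, expected_mode):
    """RP side: return the error parameters found in the expected component, else None."""
    parts = urlsplit(response_uri)
    params = _params(parts.query if expected_mode == "query" else parts.fragment)
    return params if "error" in params else None


def locate_error(response_uri):
    """RP side, tolerant variant: report which component actually carried the error.

    Useful for interop logging against OPs that follow the Core 3.1.2.6 reading
    (query) rather than the OAuth.Responses section 5 reading (fragment).
    """
    parts = urlsplit(response_uri)
    for name, component in (("fragment", parts.fragment), ("query", parts.query)):
        params = _params(component)
        if "error" in params:
            return name, params
    return None, {}


if __name__ == "__main__":
    # Constructed sample: hybrid request with a pre-existing query parameter on the redirect_uri.
    uri = build_error_redirect("https://rp.example/cb?x=1", "invalid_request", "abc", "code id_token")
    print(uri)
    print(locate_error(uri))
```

Run as a script it prints the fragment-encoded redirect for a "code id_token" request and confirms where the RP finds the error; swapping the response_type to "code" moves the parameters into the query, and passing requested_mode="query" with "code id_token" raises, which is the section 5 MUST NOT.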