[Openid-specs-ab] Issue #1147: certification: RFC6749 MUST for error_description (openid/connect)
issues-reply at bitbucket.org
Thu Dec 19 15:09:28 UTC 2019
New issue 1147: certification: RFC6749 MUST for error_description
The certification team have found an implementation that’s not compliant with RFC6749 text, in particular from [https://tools.ietf.org/html/rfc6749#section-184.108.40.206](https://tools.ietf.org/html/rfc6749#section-220.127.116.11) :
OPTIONAL. Human-readable ASCII [USASCII] text providing
additional information, used to assist the client developer in
understanding the error that occurred.
Values for the "error_description" parameter MUST NOT include
characters outside the set %x20-21 / %x23-5B / %x5D-7E.
It’s been suggested that the certification tests should treat CR, LF, or TAB characters as only a warning, and not a failure, and hence implementations that include CR/LF/TAB in error\_description would be allowed to certify.
The python certification tests do not test this clause, but the FAPI tests do, and so do the in-development java openid connect certification tests.
Input from the working group as to the direction here would be appreciated. I guess one of the questions is whether there are any potential security or interoperability concerns from allowing a wider range of characters than OAuth2 permits.
More information about the Openid-specs-ab