Define successful and error responses for Automatic Registration #82
Conversation
openid-federation-1_0.xml
Outdated
| If the OP fails to establish trust with the RP, it SHOULD use | ||
| appropriate <spanx style="verb">error</spanx> code and | ||
| <spanx style="verb">error_description</spanx> values | ||
| to enable the RP to understand what went wrong. |
There was a problem hiding this comment.
In this comment I explained that failing to establish trust in the caller automatically means that the redirect_uri must not be used, hence an error code cannot be transmitted via the redirect back to the caller.
Since the trust in the caller must be established first before doing anything else that is OIDC / OAuth specific, it makes sense to put this paragraph first.
There was a problem hiding this comment.
It would also help to explain in what contexts the missing_trust_anchor and validation_failed errors apply and can be passed back to the caller, because when the trust establishment fails the redirect_uri must not be used. From this follows that these codes apply to PAR with automatic registration only. They are also useful in explicit registration requests, but currently are not defined for use there.
There was a problem hiding this comment.
This commit says that redirection should not be performed when trust cannot be established. It also says that the new error codes can be used with PAR.
openid-federation-1_0.xml
Outdated
| when using Automatic Registration is the same as the | ||
| successful authentication responses defined in <xref target="OpenID.Core"/>. | ||
| In particular, it is a successful OAuth 2.0 authorization response | ||
| sent via redirection to the Client's redirection URI. |
There was a problem hiding this comment.
sent via redirection -> sent
(a client may choose to use the response_mode=form_post parameter, in which case the response parameters are POSTed to the redirect_uri)
openid-federation-1_0.xml
Outdated
| when using Automatic Registration is the same as the | ||
| error authentication responses defined in <xref target="OpenID.Core"/>. | ||
| In particular, it is an OAuth 2.0 authorization error response | ||
| sent via redirection to the Client's redirection URI, |
There was a problem hiding this comment.
sent via redirection -> sent
openid-federation-1_0.xml
Outdated
| both of which are about reasons trust failed to be established, | ||
| SHOULD only be returned in | ||
| <xref target="RFC9126">Pushed Authorization Request</xref> | ||
| error responses, and not via redirection. |
There was a problem hiding this comment.
and not via redirection -> and not to the Client's redirection URI.
openid-federation-1_0.xml
Outdated
| </t> | ||
| <t> | ||
| If the OP fails to establish trust with the RP, | ||
| it SHOULD consider the redirection URI to be invalid |
There was a problem hiding this comment.
it SHOULD consider the redirection URI to be invalid
->
it MUST treat the redirection URI as invalid
(if the RP is not trusted, there I don't see a good reason to act upon its redirect_uri; I also don't think it's a good idea for an OP to say in the login UI "the RP that initiated is not trusted here, but if you want you can still redirect by clicking here)
There was a problem hiding this comment.
According to @vdzhuvinov suggestions being included, I approve this PR
Fixes #69
Cc: @cicnavi