-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New sections with error scenarios #211
Comments
I suggest putting error numbers/codes into a separate document because the error scenarios/cases are already specified in the OIDF/IETF standards. We can then mark that new document as "informational". If we clarify the standard, then that clarification should go into the profile. But changing the standard(s) should be avoided. Also, we should encourage developers to use (certified) libraries/SDKs. Telcos should not try to implement their own OpenId Providers. |
We have real world examples with existing information that shows we have an issue with different interpretation. Any improvement we make MUST be MANDATORY. The end goal is interoperability. We can NOT have the situation where different operators have different interpretations and as a developer I need to have multiple SDKs and versions of software depending on which operator or aggregator I use. Developers will use different providers in different markets |
Please provide those real world examples. Links to issues where the "interpretation" is discussed would be very welcome. We MUST not create new standards. https://m.xkcd.com/927/ comes to mind. Yes, "improvements" must be mandatory. We are talking about "error scenarios" here but that sentence is true for all "improvements". That is what the Security and Interoperability document is for. IF we find something that needs clarification then we write it down and make it mandatory. We had this discussion before when we created the Security and Interoperability document. We created a concise document that clarifies in a mandatory way just the bits that needed clarification. The alternative was to repeat the standards and put everything into one huge document, where it is hard to find things that differ from the standards and things that follows the standards. If an operator has an interpretation that differs from all other interpretation, then we can probably explain why that interpretation is wrong. If this WG agrees, that there really is a need for a clarification, then we will certainly clarify in a mandatory way without changing the standard. Yes, we can NOT have the situation where different operators have different interpretations. Yes, developers will use different providers in different markets. Luckily we have standards. And all the different providers adhere to the standard and there is no problem. That is the beauty of standards. |
+1 to create a separate doc. |
What is the expected error in a CIBA flow if an authorization server does not support signed requests? If we look at the CIBA specification, there is no mention of an error for this case, and only OAuth2.0 errors are referenced in the Strictly speaking, the error for CIBA would be |
Problem description
In several integrations we have found that, with the existing profile, application developers still have difficulty identifying which errors they will receive in their apps depending on the failure scenario. We know that many scenarios are already conveniently explained in the documentation of the different standards, but we feel that it would be beneficial to have a single place where errors can be consulted at a glance, without having to navigate through different specifications. This would reduce misunderstandings and potential interoperability issues between operators.
Expected action
We believe it would be convenient to have sections in the profile (or in a separate document) that compile the possible errors for each endpoint for the different flows. For instance:
CIBA Token endpoint:
access_denied
Additional context
The text was updated successfully, but these errors were encountered: