Add interaction_required token-endpoint state and interaction_uri response parameter#49

Open
mcguinness wants to merge 1 commit into maxwellgerber:main from mcguinness:issue-48-interaction-required

Resolves #48.

Adds a second non-terminal pending state to the polling state machine, distinguishable from authorization_pending, for cases where the deferred request is waiting on external interaction. Pairs the new state with an interaction_uri response parameter that identifies where the interaction can take place.

What the PR adds

  • New interaction_required error code in §5.6 (Token Endpoint — Error Responses), alongside the existing authorization_pending, with clarifying text that:
    • authorization_pending is for pending requests not waiting on external interaction.
    • interaction_required is for pending requests waiting on external interaction; the response MUST include interaction_uri.
    • Both are non-terminal; the AS MAY transition between them in either direction.
    • Polling continues at the established interval in both states.
  • New interaction_uri response parameter documented in §5.4 (Token Endpoint — Deferred Response), defined as OPTIONAL on authorization_pending responses and REQUIRED on interaction_required responses. The URI MUST be HTTPS, MUST NOT contain a fragment, and is bound to the deferral state.
  • Example showing an interaction_required response with interaction_uri.
  • Cross-reference to §interaction-required-error wherever needed.

IANA actions

  • Register interaction_uri in the OAuth Parameters Registry (token response location).
  • Update the existing interaction_required registration in the OAuth Extensions Error Registry (originally registered by OpenID Connect Core for authorization endpoint use) to add token endpoint response usage. Change controller note credits OIDF for the original authorization-endpoint registration and IETF for the token-endpoint addition.
  • Add OIDC-CORE to informative references (used by the registry-update note).

Why reuse interaction_required rather than minting a new error name

OpenID Connect already registered the name for the same conceptual condition (external interaction is required). Reusing it preserves cross-spec vocabulary alignment and avoids cluttering the registry. The IANA registration update is the established mechanism for adding response locations to existing error codes.

Files changed

  • draft-gerber-oauth-deferred-token-response.md: +95/-7 lines. New error code, new parameter, new example, IANA registration update, informative reference addition.

Source

Adapted from §Deferred Error Semantics and §Interaction URI Parameter in draft-mcguinness-oauth-deferred-code-processing.
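A client-side sketch of the two-state polling logic described above, added here as an example rather than code from the draft or this PR. It assumes token-endpoint responses arrive as parsed JSON dicts; the URIs, token values and the `Decision` type are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Non-terminal pending states: the client keeps polling at the established interval.
PENDING = {"authorization_pending", "interaction_required"}


class InvalidDeferredResponse(ValueError):
    """AS response breaks the deferred-response rules; the client stops polling."""


def validate_interaction_uri(uri: str) -> str:
    """interaction_uri MUST be HTTPS and MUST NOT contain a fragment."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc:
        raise InvalidDeferredResponse(f"interaction_uri must be https: {uri!r}")
    if parts.fragment or uri.endswith("#"):
        raise InvalidDeferredResponse(f"interaction_uri has a fragment: {uri!r}")
    return uri


@dataclass
class Decision:
    state: str                         # "pending", "granted" or "failed"
    error: Optional[str] = None
    interaction_uri: Optional[str] = None
    access_token: Optional[str] = None


def handle_token_response(body: dict) -> Decision:
    """Classify one token-endpoint JSON body (constructed dicts stand in for JSON)."""
    if "access_token" in body:
        return Decision("granted", access_token=body["access_token"])
    error = body.get("error")
    if error not in PENDING:           # any other error is terminal
        return Decision("failed", error=error or "malformed_response")
    uri = body.get("interaction_uri")
    if error == "interaction_required" and uri is None:
        raise InvalidDeferredResponse("interaction_required without interaction_uri")
    if uri is not None:                # OPTIONAL on authorization_pending
        uri = validate_interaction_uri(uri)
    return Decision("pending", error=error, interaction_uri=uri)


def poll(responses: list) -> tuple:
    """Drive the client state machine; return the terminal decision and URIs surfaced."""
    surfaced = []
    for body in responses:             # AS may move between pending states freely
        d = handle_token_response(body)
        if d.state != "pending":
            return d, surfaced
        if d.interaction_uri:          # SHOULD present the URI to the user
            surfaced.append(d.interaction_uri)
    raise InvalidDeferredResponse("sequence ended while still pending")
```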

DTR-00 uses a single non-terminal pending state, authorization_pending,
for any deferred request that has not resolved. This commit adds a
second non-terminal state, interaction_required, for the case where
the deferred request is waiting on external interaction (manual
review, step-up, document presentation, etc.) and a profile or
authorization server can usefully signal that to the client.

The new state pairs with an interaction_uri response parameter that
identifies a location where the external interaction can take place.
A client receiving interaction_required SHOULD present the URI to
the user (or other external actor) as appropriate.

State machine: authorization_pending and interaction_required are both
non-terminal pending states; the AS MAY transition between them
during the lifetime of a deferred request. Polling continues at the
established interval in both states.

This bridges to JAG-IR semantics: JAG-IR's interaction_required at
the token endpoint, with an interaction URI, is now substrate-level
vocabulary rather than a JAG-IR-only addition.

IANA actions:
- Register interaction_uri in the OAuth Parameters Registry (token
  response location).
- Update the existing interaction_required registration in the OAuth
  Extensions Error Registry (originally registered by OIDC Core for
  authorization endpoint use) to add token endpoint response usage.
- Add OIDC-CORE to informative references.

Source: deltas from draft-mcguinness-oauth-deferred-code-processing
§Deferred Error Semantics and §Interaction URI Parameter.
Successfully merging this pull request may close these issues.

Add a polling-state vocabulary for "waiting on external interaction"