Add interaction_required token-endpoint state and interaction_uri response parameter #49
Open
mcguinness wants to merge 1 commit into
DTR-00 uses a single non-terminal pending state, authorization_pending, for any deferred request that has not resolved. This commit adds a second non-terminal state, interaction_required, for the case where the deferred request is waiting on external interaction (manual review, step-up, document presentation, etc.) and a profile or authorization server can usefully signal that to the client.

The new state pairs with an interaction_uri response parameter that identifies a location where the external interaction can take place. A client receiving interaction_required SHOULD present the URI to the user (or other external actor) as appropriate.

State machine: authorization_pending and interaction_required are both non-terminal pending states; the AS MAY transition between them during the lifetime of a deferred request. Polling continues at the established interval in both states.

This bridges to JAG-IR semantics: JAG-IR's interaction_required at the token endpoint, with an interaction URI, is now substrate-level vocabulary rather than a JAG-IR-only addition.

IANA actions:
- Register interaction_uri in the OAuth Parameters Registry (token response location).
- Update the existing interaction_required registration in the OAuth Extensions Error Registry (originally registered by OIDC Core for authorization endpoint use) to add token endpoint response usage.
- Add OIDC-CORE to informative references.

Source: deltas from draft-mcguinness-oauth-deferred-code-processing §Deferred Error Semantics and §Interaction URI Parameter.
Resolves #48.
Adds a second non-terminal pending state to the polling state machine, distinguishable from `authorization_pending`, for cases where the deferred request is waiting on external interaction. Pairs the new state with an `interaction_uri` response parameter that identifies where the interaction can take place.

What the PR adds

- `interaction_required` error code in §5.6 (Token Endpoint — Error Responses), alongside the existing `authorization_pending`, with clarifying text that:
  - `authorization_pending` is for pending requests not waiting on external interaction.
  - `interaction_required` is for pending requests waiting on external interaction; the response MUST include `interaction_uri`.
  - Polling continues at the established `interval` in both states.
- `interaction_uri` response parameter documented in §5.4 (Token Endpoint — Deferred Response), defined as OPTIONAL on `authorization_pending` responses and REQUIRED on `interaction_required` responses. The URI MUST be HTTPS, MUST NOT contain a fragment, and is bound to the deferral state.
- Example `interaction_required` response with `interaction_uri`.

IANA actions

- Register `interaction_uri` in the OAuth Parameters Registry (token response location).
- Update the existing `interaction_required` registration in the OAuth Extensions Error Registry (originally registered by OpenID Connect Core for authorization endpoint use) to add token endpoint response usage. Change controller note credits OIDF for the original authorization-endpoint registration and IETF for the token-endpoint addition.

Why reuse `interaction_required` rather than minting a new error name

OpenID Connect already registered the name for the same conceptual condition (external interaction is required). Reusing it preserves cross-spec vocabulary alignment and avoids cluttering the registry. The IANA registration update is the established mechanism for adding response locations to existing error codes.

Files changed

draft-gerber-oauth-deferred-token-response.md: +95/-7 lines. New error code, new parameter, new example, IANA registration update, informative reference addition.

Source

Adapted from §Deferred Error Semantics and §Interaction URI Parameter in draft-mcguinness-oauth-deferred-code-processing.
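The client side of the state machine described in the commit message and PR body, as an added example that is not code from draft-gerber-oauth-deferred-token-response, from this PR, or from either author. It shows a poller that treats `authorization_pending` and `interaction_required` as the two non-terminal states, follows the AS as it moves between them, keeps polling at the established `interval` in both, enforces the stated constraints on `interaction_uri` (REQUIRED on `interaction_required`, OPTIONAL on `authorization_pending`, HTTPS only, no fragment) and rejects responses that violate them. Assumptions not on the page: token-endpoint bodies are JSON objects using the RFC 6749 member names (`error`, `access_token`), `interval` is in seconds and `interaction_uri` is a top-level member; the real POST to the token endpoint is replaced by a scripted callable so the loop runs offline; presenting the same bound URI only once per deferral is a client design choice, not something the draft text mandates; the `as.example` URIs and the token value are constructed.

```python
"""Client-side polling loop for a deferred token response with both pending states.

Added example, not code from draft-gerber-oauth-deferred-token-response or this PR.
Assumed (not stated on the page): bodies are JSON objects with RFC 6749 member names
("error", "access_token"), "interval" in seconds and "interaction_uri" top-level; the
POST to the token endpoint is abstracted behind a callable so the loop runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

PENDING_STATES = ("authorization_pending", "interaction_required")


class DeferredResponseError(ValueError):
    """A token-endpoint response that violates the constraints the PR states."""


def validate_interaction_uri(uri: str) -> str:
    """interaction_uri MUST be HTTPS and MUST NOT contain a fragment."""
    if "#" in uri:  # any '#' introduces a fragment component
        raise DeferredResponseError(f"interaction_uri carries a fragment: {uri!r}")
    parts = urlsplit(uri)
    if parts.scheme.lower() != "https" or not parts.netloc:
        raise DeferredResponseError(f"interaction_uri is not an absolute https URI: {uri!r}")
    return uri


@dataclass
class PollEvent:
    state: str                            # one of PENDING_STATES, "token" or "error"
    interval: int                         # seconds to wait before the next poll
    interaction_uri: Optional[str] = None
    body: Dict = field(default_factory=dict)


def classify(body: Dict, current_interval: int) -> PollEvent:
    """Map one token-endpoint response body onto the polling state machine."""
    if "access_token" in body:
        return PollEvent("token", current_interval, body=body)
    error = body.get("error")
    if error is None:
        raise DeferredResponseError("response has neither access_token nor error")
    if error not in PENDING_STATES:
        return PollEvent("error", current_interval, body=body)  # terminal failure
    interval = int(body.get("interval", current_interval))
    uri = body.get("interaction_uri")
    if error == "interaction_required" and uri is None:
        raise DeferredResponseError("interaction_required response lacks interaction_uri")
    # OPTIONAL on authorization_pending, REQUIRED on interaction_required; checked when present.
    return PollEvent(error, interval, validate_interaction_uri(uri) if uri is not None else None, body)


def poll_until_terminal(poll: Callable[[], Dict], present: Callable[[str], None],
                        sleep: Callable[[float], None], initial_interval: int = 5,
                        max_polls: int = 20) -> List[PollEvent]:
    """Keep polling at the established interval in both pending states until a
    terminal response arrives; present each distinct interaction_uri once."""
    events: List[PollEvent] = []
    interval, presented = initial_interval, set()
    for _ in range(max_polls):
        event = classify(poll(), interval)
        events.append(event)
        if event.state not in PENDING_STATES:
            return events
        # The URI is bound to this deferral: the same value on later polls is the
        # same pending interaction, so it is shown to the user only once (client choice).
        if event.interaction_uri and event.interaction_uri not in presented:
            presented.add(event.interaction_uri)
            present(event.interaction_uri)
        interval = event.interval  # the AS may change it on any pending response
        sleep(interval)
    raise TimeoutError(f"no terminal response after {max_polls} polls")


def is_rejected(body: Dict) -> bool:
    """True when classify() refuses the body (used by the checks below)."""
    try:
        classify(body, 5)
    except DeferredResponseError:
        return True
    return False


# Constructed AS script: pending -> waiting on review (twice) -> pending -> token.
SCRIPT: List[Dict] = [
    {"error": "authorization_pending", "interval": 5},
    {"error": "interaction_required", "interval": 10,
     "interaction_uri": "https://as.example/deferred/review/7f3c"},
    {"error": "interaction_required", "interval": 10,
     "interaction_uri": "https://as.example/deferred/review/7f3c"},
    {"error": "authorization_pending", "interval": 5},
    {"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 300},
]


def run_demo():
    """Drive the loop over SCRIPT offline; returns (events, presented URIs, sleeps)."""
    responses = iter(SCRIPT)            # stand-in for the real token-endpoint POST
    presented: List[str] = []
    slept: List[float] = []
    events = poll_until_terminal(lambda: next(responses), presented.append, slept.append)
    return events, presented, slept
```

`run_demo()` walks the scripted sequence pending, interaction_required, interaction_required, pending, token; the review URI is presented once, the sleeps follow the AS-supplied intervals (5, 10, 10, 5), and `classify()` refuses an `interaction_required` body without `interaction_uri`, an `http://` URI, or a URI with a fragment, whichever pending state carries it.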