Add missing IANA registrations #144
Conversation
Sakurann
requested review from
danielfett,
jogu,
paulbastian,
awoie and
bc-pi
Co-authored-by: Kristina <[email protected]>
Co-authored-by: Kristina <[email protected]>
Co-authored-by: Kristina <[email protected]>
Co-authored-by: Kristina <[email protected]>
| ## OAuth Extensions Error Registry | ||
|
|
||
| This specification registers the following error values in the IANA "OAuth Extensions Error Registry" [@!IANA.OAuth.Parameters] established by [@!RFC6749]. | ||
|
|
||
| * Name: invalid_credential_request | ||
| * Usage Location: resource access error response | ||
| * Protocol Extension: OpenID for Verifiable Credentials Issuance | ||
| * Change controller: OpenID Foundation Digital Credentials Protocols Working Group - [email protected] | ||
| * Reference: (#credential-request-errors) of this specification | ||
|
|
||
| * Name: unsupported_credential_type | ||
| * Usage Location: resource access error response | ||
| * Protocol Extension: OpenID for Verifiable Credentials Issuance | ||
| * Change controller: OpenID Foundation Digital Credentials Protocols Working Group - [email protected] | ||
| * Reference: (#credential-request-errors) of this specification | ||
|
|
||
| * Name: unsupported_credential_format | ||
| * Usage Location: resource access error response | ||
| * Protocol Extension: OpenID for Verifiable Credentials Issuance | ||
| * Change controller: OpenID Foundation Digital Credentials Protocols Working Group - [email protected] | ||
| * Reference: (#credential-request-errors) of this specification | ||
|
|
||
| * Name: invalid_proof | ||
| * Usage Location: resource access error response | ||
| * Protocol Extension: OpenID for Verifiable Credentials Issuance | ||
| * Change controller: OpenID Foundation Digital Credentials Protocols Working Group - [email protected] | ||
| * Reference: (#credential-request-errors) of this specification | ||
|
|
||
| * Name: invalid_encryption_parameters | ||
| * Usage Location: resource access error response | ||
| * Protocol Extension: OpenID for Verifiable Credentials Issuance | ||
| * Change controller: OpenID Foundation Digital Credentials Protocols Working Group - [email protected] | ||
| * Reference: (#credential-request-errors) of this specification |
There was a problem hiding this comment.
These are not OAuth errors and therefore don't need to be registered and shouldn't be. see https://datatracker.ietf.org/doc/html/rfc6749#section-7.2
There was a problem hiding this comment.
These are errors defined by a profile of OAuth. Other errors defined by other OAuth profiles are registered. For instance, https://openid.net/specs/openid-connect-core-1_0.html#ErrorContents registered errors defined by the OAuth profile called OpenID Connect. You can see their registrations at https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#extensions-error.
These errors defined by the OAuth profile called OpenID for Verifiable Credential Issuance also should and need to be registered.
There was a problem hiding this comment.
These are errors defined by a profile of OAuth. Other errors defined by other OAuth profiles are registered. For instance, https://openid.net/specs/openid-connect-core-1_0.html#ErrorContents registered errors defined by the OAuth profile called OpenID Connect. You can see their registrations at https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#extensions-error.
Yes but all of those registered OpenID Connect errors are returned from the authorization endpoint using the standard parameter for such. Registration for those makes sense and is one of those prescribed by https://datatracker.ietf.org/doc/html/rfc6749#section-8.5 (note that general protected resource application errors are not).
These errors defined by the OAuth profile called OpenID for Verifiable Credential Issuance also should and need to be registered.
These are errors for the Credential Request endpoint, which is an OAuth protected resource but is not an OAuth endpoint. The only protected resource errors that need registration are "for error values to be shared among OAuth token authentication schemes" (such as Bearer / DPoP) for when a "resource access request fails" https://datatracker.ietf.org/doc/html/rfc6749#section-7.2
The registry is not for general application layer errors from the protected resource.
| * Parameter Name: c_nonce | ||
| * Parameter Usage Location: token response | ||
| * Change Controller: OpenID Foundation Digital Credentials Protocols Working Group - [email protected] | ||
| * Reference: (#token-response) of this specification | ||
|
|
||
| * Parameter Name: c_nonce_expires_in | ||
| * Parameter Usage Location: token response | ||
| * Change Controller: OpenID Foundation Digital Credentials Protocols Working Group - [email protected] | ||
| * Reference: (#token-response) of this specification |
There was a problem hiding this comment.
I would prefer to see these removed (a la #39) but I recognize this is in vain and am just putting something here for posterity.
Accepted Brian's suggestion Co-authored-by: Brian Campbell <[email protected]>
There was a problem hiding this comment.
I double-checked if everything is covered and it looks good. I'm approving because the content seems to be right in general but I'm not an IANA OAuth2 registry expert. So I don't know if we really need to register all of them or whether some of them will just live in this spec.
Fixes #7
Fixes #46