Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer
Ned Freed <ned.freed@mrochek.com> Thu, 12 April 2012 21:19 UTC
Return-Path: <ned.freed@mrochek.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7924421F8722 for <apps-discuss@ietfa.amsl.com>; Thu, 12 Apr 2012 14:19:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.295
X-Spam-Level:
X-Spam-Status: No, score=-2.295 tagged_above=-999 required=5 tests=[AWL=0.304, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uvzAHzbYIJJc for <apps-discuss@ietfa.amsl.com>; Thu, 12 Apr 2012 14:19:02 -0700 (PDT)
Received: from mauve.mrochek.com (mauve.mrochek.com [66.59.230.40]) by ietfa.amsl.com (Postfix) with ESMTP id BC9B421F8762 for <apps-discuss@ietf.org>; Thu, 12 Apr 2012 14:19:02 -0700 (PDT)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01OE8FW37PW0001S16@mauve.mrochek.com> for apps-discuss@ietf.org; Thu, 12 Apr 2012 14:19:00 -0700 (PDT)
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01OE0NBOM18G00ZUIL@mauve.mrochek.com>; Thu, 12 Apr 2012 14:18:58 -0700 (PDT)
Message-id: <01OE8FW1U53G00ZUIL@mauve.mrochek.com>
Date: Thu, 12 Apr 2012 14:15:49 -0700
From: Ned Freed <ned.freed@mrochek.com>
In-reply-to: "Your message dated Thu, 12 Apr 2012 00:40:16 -0500" <4F866AC0.3000603@qualcomm.com>
MIME-version: 1.0
Content-type: TEXT/PLAIN; Format="flowed"
References: <4F866AC0.3000603@qualcomm.com>
To: Pete Resnick <presnick@qualcomm.com>
Cc: draft-ietf-oauth-v2-bearer.all@tools.ietf.org, Apps Discuss <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Apr 2012 21:19:03 -0000
> Folks, > Mark mentioned to me that he did not think one major issue in his review > of this document was fully addressed. I would like to get some feedback > from other folks here on the Apps-discuss list as I cannot say myself > that I fully understand the implications of the issue. > Mike Jones <Michael.Jones@microsoft.com> wrote: > > Mark Nottingham <mnot@mnot.net> wrote: > > > >> * Section 2.3 URI Query Parameter > >> > >> This section effectively reserves a URI query parameter for the > >> draft's use. This should not be done lightly, since this would be a > >> precedent for the IETF encroaching upon a server's URIs (done > >> previously in RFC5785, but in a much more limited fashion, as a > >> tactic to prevent further, uncontrolled encroachment). > >> > >> Given that the draft already discourages the use of this mechanism, > >> I'd recommend dropping it altogether. If the Working Group wishes it > >> to remain, this issues should be vetted both through the APPS area > >> and the W3C liaison. > >> > >> (The same criticism could be leveled at Section 2.2 Form-Encoded Body > >> Parameter, but that at least isn't surfaced in an identifier) > > > > There are some contexts, especially limited browsers and/or > > development environments, where query parameters are usable but the > > other methods are not. Thus, the query parameter method must be > > retained. Also, Justin Richter's comments describing the value to him > > of the query parameter method are pertinent: A URL with all > > parameters including authorization is a powerful artifact which can be > > passed around between systems as a unit. > > > > As to using a standard parameter name, this is essential for > > interoperability. It is not reserved in any contexts other than when > > the Bearer spec is employed, which is a voluntary act by both > > parties. Thus, this poses no undue burdens or namespace restrictions > > on implementations in practice. > > > > Finally, you'll find that OAuth 1.0 [RFC 5849] similarly defined, not > > one, but two standard query parameter values: oauth_token and > > oauth_verifier. As this didn't cause any problems in practice then, > > I'm sure that defining an access_token parameter within the Bearer > > spec for interoperability purposes won't cause a problem either. > Would anyone (including, but not limited to, Mark) be able to better > explain the issue here? Pete, I think the issue is moot at this point. A quick google search clearly shows that this stuff is already deployed by multiple vendors, including use of access_token. As such, it is effectively impossible to change it at this point. I have to say I would have a lot more comfortable with a name like oauth_access_token that removes the possibility of conflict with other uses, but at this point it's a "grin and bear it" situation AFAICT. Ned
- [apps-discuss] Reserved URI query parameter in dr… Pete Resnick
- Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
- Re: [apps-discuss] Reserved URI query parameter i… Julian Reschke
- Re: [apps-discuss] Reserved URI query parameter i… Tim Bray
- Re: [apps-discuss] Reserved URI query parameter i… John C Klensin
- Re: [apps-discuss] Reserved URI query parameter i… Ned Freed
- Re: [apps-discuss] Reserved URI query parameter i… Mark Nottingham
- Re: [apps-discuss] Reserved URI query parameter i… Ned Freed
- Re: [apps-discuss] Reserved URI query parameter i… John C Klensin
- Re: [apps-discuss] Reserved URI query parameter i… John C Klensin
- Re: [apps-discuss] Reserved URI query parameter i… Stephen Farrell
- Re: [apps-discuss] Reserved URI query parameter i… Mark Nottingham
- Re: [apps-discuss] Reserved URI query parameter i… Tim Bray
- Re: [apps-discuss] Reserved URI query parameter i… Ned Freed
- Re: [apps-discuss] Reserved URI query parameter i… Stephen Farrell
- Re: [apps-discuss] Reserved URI query parameter i… Carsten Bormann
- Re: [apps-discuss] Reserved URI query parameter i… John C Klensin
- Re: [apps-discuss] Reserved URI query parameter i… Ned Freed
- Re: [apps-discuss] Reserved URI query parameter i… Tim Bray
- Re: [apps-discuss] Reserved URI query parameter i… Mike Jones
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
- Re: [apps-discuss] Reserved URI query parameter i… Stephen Farrell
- Re: [apps-discuss] Reserved URI query parameter i… Derek Atkins
- Re: [apps-discuss] Reserved URI query parameter i… William Mills
- Re: [apps-discuss] Reserved URI query parameter i… Stephen Farrell
- Re: [apps-discuss] Reserved URI query parameter i… William Mills
- Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
- Re: [apps-discuss] Reserved URI query parameter i… Mike Jones
- Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
- Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… William Mills
- Re: [apps-discuss] Reserved URI query parameter i… Mark Nottingham
- Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
- Re: [apps-discuss] Reserved URI query parameter i… Mark Nottingham
- Re: [apps-discuss] Reserved URI query parameter i… Mark Nottingham
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt