IETF Logo Mail Archive

Re: [OAUTH-WG] question about the b64token syntax in draft-ietf-oauth-v2-bearer

Mike Jones <Michael.Jones@microsoft.com> Sat, 10 March 2012 17:49 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18D7321F8581 for <oauth@ietfa.amsl.com>; Sat, 10 Mar 2012 09:49:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.758
X-Spam-Level:
X-Spam-Status: No, score=-3.758 tagged_above=-999 required=5 tests=[AWL=-0.160, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t2V2oB0kxnkt for <oauth@ietfa.amsl.com>; Sat, 10 Mar 2012 09:49:53 -0800 (PST)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe002.messaging.microsoft.com [216.32.181.182]) by ietfa.amsl.com (Postfix) with ESMTP id 2D17E21F857A for <oauth@ietf.org>; Sat, 10 Mar 2012 09:49:53 -0800 (PST)
Received: from mail125-ch1-R.bigfish.com (10.43.68.249) by CH1EHSOBE011.bigfish.com (10.43.70.61) with Microsoft SMTP Server id 14.1.225.23; Sat, 10 Mar 2012 17:49:52 +0000
Received: from mail125-ch1 (localhost [127.0.0.1]) by mail125-ch1-R.bigfish.com (Postfix) with ESMTP id 6DA5C1E0174; Sat, 10 Mar 2012 17:49:52 +0000 (UTC)
X-SpamScore: -39
X-BigFish: VS-39(zzbb2dI9371I1458K542Mc85dh1418M98dK4015Izz1202hzz1033IL8275bh8275dhz2fh2a8h668h839h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC106.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail125-ch1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC106.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail125-ch1 (localhost.localdomain [127.0.0.1]) by mail125-ch1 (MessageSwitch) id 1331401790391512_26324; Sat, 10 Mar 2012 17:49:50 +0000 (UTC)
Received: from CH1EHSMHS027.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.253]) by mail125-ch1.bigfish.com (Postfix) with ESMTP id 5B4D660049; Sat, 10 Mar 2012 17:49:50 +0000 (UTC)
Received: from TK5EX14HUBC106.redmond.corp.microsoft.com (131.107.125.8) by CH1EHSMHS027.bigfish.com (10.43.70.27) with Microsoft SMTP Server (TLS) id 14.1.225.23; Sat, 10 Mar 2012 17:49:49 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.237]) by TK5EX14HUBC106.redmond.corp.microsoft.com ([157.54.80.61]) with mapi id 14.02.0283.004; Sat, 10 Mar 2012 17:49:48 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Paul Madsen <paul.madsen@gmail.com>, Brian Campbell <bcampbell@pingidentity.com>
Thread-Topic: [OAUTH-WG] question about the b64token syntax in draft-ietf-oauth-v2-bearer
Thread-Index: Acz+5iVDrCTPgxV5SN6Lz5LGZyUUHQ==
Date: Sat, 10 Mar 2012 17:49:47 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394366402261@TK5EX14MBXC284.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.36]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B168042967394366402261TK5EX14MBXC284r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] question about the b64token syntax in draft-ietf-oauth-v2-bearer
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Mar 2012 17:49:58 -0000

I plan to make the change to the example access token value to mF_9.B5f-4.1JqM before Monday's submission deadline, per the requests for b64token syntax clarification.  I'm also considering adding an access token response example, pre the requests in this thread.  I would propose adding the following new text for this in a new Section 4 (before the current Security Considerations).  This is largely parallel to what is done in Section 5.1 of the MAC spec.

4.  Example Access Token Response

Typically a bearer token is returned to the client as part of an OAuth 2.0 [I-D.ietf-oauth-v2] access token response. An example of such as response is:


     HTTP/1.1 200 OK

     Content-Type: application/json;charset=UTF-8

     Cache-Control: no-store

     Pragma: no-cache



     {

       "access_token":"mF_9.B5f-4.1JqM",

       "token_type":"Bearer",

       "expires_in":3600,

       "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"

     }

Please send either +1s or objections to this text by mid-day Monday.  Unless I receive several +1s, to be conservative at this point, I will not be including it in Monday's draft.

                                                            -- Mike

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Paul Madsen
Sent: Wednesday, March 07, 2012 1:34 PM
To: Brian Campbell
Cc: oauth
Subject: Re: [OAUTH-WG] question about the b64token syntax in draft-ietf-oauth-v2-bearer

+1

On 3/7/12 4:08 PM, Brian Campbell wrote:

Yeah, it is case insensitive. I just went with the upper case B

because that's how it was written in §5.1.1 of

draft-ietf-oauth-v2-bearer-17* which is where I guess it's actually

defined. But I see draft-ietf-oauth-v2-23 uses a lower case b**.

Either one would be fine.



I agree that an example response from the token endpoint would be

worthwhile.  Something like the following might help tie together with

the Authorization header example (proposed earlier). It could maybe be

worked in near the top of §2?



     HTTP/1.1 200 OK

     Content-Type: application/json;charset=UTF-8

     Cache-Control: no-store

     Pragma: no-cache



     {

       "access_token":"vF_9.5dCf-t4.qbcmT_k1b",

       "token_type":"example",

       "expires_in":3600,

       "refresh_token":"stGzv3xOdkF0X35Qp2TlKWIA",

     }



It'd probably make sense to change the examples in the body §2.2***

and query §2.3**** to use the same access token value too.





* http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-5.1.1

** http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-7.1

*** http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-2.2

**** http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-2.3





On Wed, Mar 7, 2012 at 12:00 PM, Justin Richer <jricher@mitre.org><mailto:jricher@mitre.org> wrote:

Makes sense to me, except that I think the token_type value is typically

lowercase "bearer", though it's defined to be case insensitive in

Oauth-v2-23 section 5.1. Come to think of it, I'm not sure that the value of

this field for the Bearer token type ever got defined anywhere. Section 7.1

references the bearer spec as defining the value of the "token_type"

parameter, and passes its example as if by reference. Would be worthwhile

giving an example of a token endpoint response, such as what's found in

OAuth-v2-23 section 5.1.



 -- Justin





On 03/07/2012 12:16 PM, Brian Campbell wrote:



I'd like to propose the following changes and additions, derived

largely from Bill and James suggestions, to

draft-ietf-oauth-v2-bearer-17.  These changes have no normative impact

and only aim to add additional clarity and explanation the workings

and implications of the current spec.  I'm definitely open to changes

or improvements in the wording here (not my strong suit by any means)

but I think it's important that these general ideas be conveyed in the

draft.





==>  Insert the following text at the beginning of §2:



To make a protected resource request, the client must be in possession

of a valid bearer token. Typically a bearer token is returned to the

client as part of an access token response as defined in OAuth 2.0

[I-D.ietf-oauth-v2]. When the "token_type" parameter of the access

token response is "Bearer", the string value of the "access_token"

parameter becomes the bearer access token used to make protected

resource requests.



==>  Change the value of the token in the Authorization header example to

this:



Authorization: Bearer vF_9.5dCf-t4.qbcmT_k1b



==>  Insert the following text before the last paragraph of §2.1:



Note that the name b64token does not imply base64 encoding but rather

is the name for an ABNF syntax definition from HTTP/1.1, Part 7

[I-D.ietf-httpbis-p7-auth]. Because of its use, the "access_token"

string value from an access token response MUST match the b64token

ABNF so it can be used with the Bearer HTTP scheme.





Thanks,

Brian









On Tue, Mar 6, 2012 at 11:45 AM, William Mills<wmills@yahoo-inc.com><mailto:wmills@yahoo-inc.com>

 wrote:



Yeah, something as simple as, "Note that the name 'b64token' does not

imply

base64 encoding, see the definition in [[INSERT REFERENCE HERE]]." would

do

it.



-bill



________________________________

From: Brian Campbell<bcampbell@pingidentity.com><mailto:bcampbell@pingidentity.com>

To: Mike Jones<Michael.Jones@microsoft.com><mailto:Michael.Jones@microsoft.com>

Cc: oauth<oauth@ietf.org><mailto:oauth@ietf.org>

Sent: Tuesday, March 6, 2012 8:23 AM



Subject: Re: [OAUTH-WG] question about the b64token syntax in

draft-ietf-oauth-v2-bearer



Thanks Mike, I think changing the example would be helpful.



However I think that including some text along the lines of what James

suggested would also be very valuable. I agree that the connection

between OAuth and Bearer could and should be made more explicit. And

that the implications of the b64token syntax, particularly on what AS

can use to construct ATs, could/should be made more clear.



I can propose some specific text (building on James') if others in the WG

agree?





On Mon, Mar 5, 2012 at 5:32 PM, Mike Jones<Michael.Jones@microsoft.com><mailto:Michael.Jones@microsoft.com>

wrote:



I'm fine with changing the example to make it clearer that b64token

allows

a wider range of characters than just those legal for base64 and

base64url

encodings of data values.



I'll add it to my to-do list for any additional edits for the Bearer

spec.



                               -- Mike



-----Original Message-----

From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org] On Behalf

Of

Manger, James H

Sent: Monday, March 05, 2012 3:33 PM

To: Brian Campbell; oauth

Subject: Re: [OAUTH-WG] question about the b64token syntax in

draft-ietf-oauth-v2-bearer



Brian,



On casual reading of "The OAuth 2.0 Authorization Protocol: Bearer

Tokens"* I've encountered several people (including myself) who have

made the assumption that the name b64token implies that some kind of

base64 encoding/decoding on the access token is taking place between

the client and RS.



Digging a bit deeper in to "HTTP/1.1, part 7: Authentication"**,

however, I see that b64token is just an ABNF syntax definition

allowing for characters typically used in base64, base64url, etc.. So

the b64token doesn't define any encoding or decoding but rather just

defines what characters can be used in the part of the Authorization

header that will contain the access token.



Do I read this correctly?



Yes.



If so, I feel like some additional clarifying text in the Bearer

Tokens draft might help avoid what is (based on my small sample) a

common point of misunderstanding.



Changing the example bearer token should be a simple way to avoid some

confusion by showing that it does not have to be base64 encoding. How

about

changing:

 Authorization: Bearer vF9dft4qmT

to

 Authorization: Bearer vF9.dft4.qmT



The Bearer spec has lots of (unnecessary) text about OAuth, but doesn't

quite manage to be precise about how OAuth and Bearer connect. It could

explicitly state that the string value of the "access_token" member of

an

access token response is the bearer token. The "access_token" string

value

(after unescaping any JSON-escapes) MUST match the b64token ABNF so it

can

be used with the Bearer HTTP scheme. Such text could be put in §5.1.1

where

the "Bearer" OAuth access token type is defined.





Also, does the use of b64token implicitly limit the allowed characters

that an AS can use to construct a bearer access token?



Yes.





* http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-2.1

**

http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-18#section-2.1



--

James Manger

_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth





_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth





_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth





_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email