IETF Logo Mail Archive

Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON

Joseph Smarr <jsmarr@gmail.com> Tue, 20 April 2010 21:19 UTC

Return-Path: <jsmarr@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6A66B28C217 for <oauth@core3.amsl.com>; Tue, 20 Apr 2010 14:19:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FpDjahHe8k6g for <oauth@core3.amsl.com>; Tue, 20 Apr 2010 14:19:34 -0700 (PDT)
Received: from mail-pv0-f172.google.com (mail-pv0-f172.google.com [74.125.83.172]) by core3.amsl.com (Postfix) with ESMTP id E5A9228C1FE for <oauth@ietf.org>; Tue, 20 Apr 2010 14:18:07 -0700 (PDT)
Received: by pvf33 with SMTP id 33so4373587pvf.31 for <oauth@ietf.org>; Tue, 20 Apr 2010 14:17:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:reply-to:in-reply-to :references:from:date:received:message-id:subject:to:cc:content-type; bh=gQNPOCZoYC6pM18obawacCaP+OORc3dEXTvXctj4Nvs=; b=AIdiBsCh3YubD6gJE9k9/Bmv/cVxJlSLg3s8Q6DVi3hdabbCmPjRe2uLQ/F34aC/iQ 8pWYLSqt2ZlnDsOfsbRLVWlej/VnBTlIQkqhanrX7BC5a9QHddx/6Yc9vy5xGftMQknL LWe8M/IHqZUGsp+GhZXCEU8Gsf93rhcSL/JKY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:reply-to:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; b=EHGO78ltmWwzTJR61vnaPJaU9Z0+zvKrWn/KjtcY9HsZdJXOeTS/ARJK1bQGmtHsiH oW0L9fgEXQTMyVaqCa8Wa0ezejK6LdJjICBFtRODNgdFVxF3vaS1i4aQzbCOU2CvUKbY ovl9uxyBaYTXdjdVXLrolSpCIbHLECPuoQFMo=
MIME-Version: 1.0
Received: by 10.143.164.14 with HTTP; Tue, 20 Apr 2010 14:17:36 -0700 (PDT)
In-Reply-To: <1271793363.20679.6.camel@Dynamo>
References: <9890332F-E759-4E63-96FE-DB3071194D84@gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E30A379B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <20100419134825.134951nuzvi35hk4@webmail.df.eu> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F45E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <t2wc334d54e1004200924ja0e7786u9b349a1931098f2a@mail.gmail.com> <l2ofd6741651004201245gdfc6e2a3j10a6e8a3e59f2072@mail.gmail.com> <1271793363.20679.6.camel@Dynamo>
From: Joseph Smarr <jsmarr@gmail.com>
Date: Tue, 20 Apr 2010 14:17:36 -0700
Received: by 10.142.3.35 with SMTP id 35mr3259791wfc.74.1271798276086; Tue, 20 Apr 2010 14:17:56 -0700 (PDT)
Message-ID: <j2wc334d54e1004201417s1bbcc025r76fdb607295f384c@mail.gmail.com>
To: "Paul C. Bryan" <email@pbryan.net>
Content-Type: multipart/alternative; boundary="00504502c10d78e6e60484b19c0c"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: jsmarr@stanfordalumni.org
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2010 21:19:37 -0000

On the one hand, I'm sympathetic to the "easy to write a parser yourself"
argument for url-encoding, since in general I think you want to minimize any
toolchain/library requirements to maximize adoption. On the other hand, I'd
argue that OAuth 1.0 has shows url-encoding to be "deceptively easy" to
implement yourself, plus there are *fewer* easy/good parsing libraries
available, and that leads more developers to try and hand-code parsers that
actually contain bugs.

Now David, I'm sure your implementation has no bugs, but lots of "official
OAuth libraries" did have bugs in their parsers, whereas JSON does have
widely available, high-quality support, and it's just complex enough that
you're not tempted to try and write a (buggy) version yourself, yet not so
painful that it would be unthinkable to do so (compared to, say, a compliant
XML parser).

Thanks, js

On Tue, Apr 20, 2010 at 12:56 PM, Paul C. Bryan <email@pbryan.net> wrote:

> I'm struggling to imagine hardware that on the one hand would support
> OAuth, but on the other would be incapable of supporting JSON...
>
> -----Original Message-----
> From: David Recordon <recordond@gmail.com>
> To: jsmarr@stanfordalumni.org
> Cc: OAuth WG <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
> Date: Tue, 20 Apr 2010 12:45:05 -0700
>
> Having written an implementation last night against the web server
> flow, I'm worried about adding JSON as a requirement for the response.
> While it might be easier for environments with JSON libraries, it's
> drastically more complex for environments (like embedded hardware)
> which doesn't support JSON. And writing basic form encoded parsing
> code really isn't that hard – especially if I can do it!
>
>
> On Tue, Apr 20, 2010 at 9:24 AM, Joseph Smarr <jsmarr@gmail.com> wrote:
> > +1 to including JSON format, and perhaps making it the required format.
> In
> > my experience helping numerous developers debug their OAuth
> implementations,
> > url-encoding/decoding was often a source of bugs, since a) the libraries
> are
> > usually hand-built, b) url-encoding is known to be funky/inconsistent wrt
> +
> > vs. %20 and other such things, and c) it's very sensitive to things like
> a
> > trailing newline at the end of the response, which can easily be
> tokenized
> > as part of the the last value (since the normal implementations just
> split
> > on & and =). In contrast, I've never heard of any problems parsing JSON,
> nor
> > any encoding/decoding bugs related to working with JSON in other APIs
> > (something I *cannot* say about XML, which is way more finicky about
> > requiring its values to be properly encoded or escaped in CDATA etc.;
> I've
> > also seen way more inconsistency in support of XML parsers and their
> output
> > formats, whereas JSON always works exactly the same way and always "just
> > works").
> > So in conclusion, url-encoding has caused a lot of pain in OAuth 1.0, and
> > JSON is already widely supported (presumably including by most APIs that
> > you're building OAuth support to be able to access!), so I think it would
> > simplify the spec and increase ease/success of development to use JSON as
> a
> > request format. In fact, I think I'd like to push for it to be the
> > default/required format, given the positive attributes above. Does anyone
> > object, and if so, why?
> > Thanks, js
> >
> > On Tue, Apr 20, 2010 at 8:10 AM, Eran Hammer-Lahav <eran@hueniverse.com>
> > wrote:
> >>
> >> There seems to be support for this idea with some concerns about
> >> complexity. Someone needs to propose text for this including defining
> the
> >> request parameter and schema of the various reply formats.
> >>
> >> EHL
> >>
> >> > -----Original Message-----
> >> > From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
> >> > Sent: Monday, April 19, 2010 4:48 AM
> >> > To: Eran Hammer-Lahav
> >> > Cc: Dick Hardt; OAuth WG
> >> > Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
> >> >
> >> >
> >> > > We can also offer both and define a client request parameter (as
> long
> >> > > as the server is required to make at least one format available).
> >> >
> >> > +1 on this
> >> >
> >> > regards,
> >> > Torsten.
> >> >
> >> > >
> >> > > EHL
> >> > >
> >> > >> -----Original Message-----
> >> > >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
> >> > >> Behalf Of Dick Hardt
> >> > >> Sent: Sunday, April 18, 2010 9:30 PM
> >> > >> To: OAuth WG
> >> > >> Subject: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
> >> > >>
> >> > >> The AS token endpoint response is encoded as
> application/x-www-form-
> >> > >> urlencoded
> >> > >>
> >> > >> While this reuses a well known and understood encoding standard, it
> >> > >> is uncommon for a client to receive a message encoded like this.
> Most
> >> > >> server responses are encoded as XML or JSON. Libraries are NOT
> >> > >> reedily available to parse application/x-www-form-urlencoded
> results
> >> > >> as this is something that is typically done in the web servers
> >> > >> framework. While parsing the name value pairs and URL un-encoding
> >> > >> them is not hard, many developers have been caught just splitting
> the
> >> > parameters and forgetting to URL decode the token.
> >> > >> Since the token is opaque and may contain characters that are
> >> > >> escaped, it is a difficult bug to detect.
> >> > >>
> >> > >> Potential options:
> >> > >>
> >> > >> 1) Do nothing, developers should read the specs and do the right
> >> > >> thing.
> >> > >>
> >> > >> 2) Require that all parameters are URL safe so that there is no
> >> > >> encoding issue.
> >> > >>
> >> > >> 3) Return results as JSON, and recommend that parameters be URL
> safe.
> >> > >>
> >> > >> -- Dick
> >> > >> _______________________________________________
> >> > >> OAuth mailing list
> >> > >> OAuth@ietf.org
> >> > >> https://www.ietf.org/mailman/listinfo/oauth
> >> > > _______________________________________________
> >> > > OAuth mailing list
> >> > > OAuth@ietf.org
> >> > > https://www.ietf.org/mailman/listinfo/oauth
> >> > >
> >> >
> >> >
> >> >
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
> >
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
>

v2.23.0 | Report a Bug | By Email