[OAUTH-WG] x-www-form-urlencoded

Anthony Nadalin <tonynad@microsoft.com> Sat, 13 August 2011 03:28 UTC

From: Anthony Nadalin <tonynad@microsoft.com>
To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Thread-Topic: x-www-form-urlencoded
Thread-Index: AcxYUPGtIbsp9lRrSSie2MIJkueB6Q==
Date: Sat, 13 Aug 2011 03:29:15 +0000

In the text on the authorization and token endpoints an assumption is made that the query component of the URLs will be specified based on x-www-form-urlencoded. But in fact that is never explicitly stated. What is explicitly stated is that RFC 3986 section 3 has to be used (and then only for the authorization endpoint, not the token endpoint). But section 3 just defines what characters can be used in a query component; it says nothing about x-www-form-urlencoded. Suggest that the specification needs to normatively state that we are requiring all authorization endpoints that use the query component to do so using x-www-form-urlencoded.

Where RFC 5552 comes into the picture is in cases where the request body is an HTML form. In that case it makes sense to natively encode the form content using UTF-8. So this only applies to OAuth requests that use the request body. So this would apply to sections 2.4.1, 3.1, 3.2, 4.1.3, 4.3.2 & 4.4.2. Really, anywhere that a request can be made in the request body.
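As an added illustration (not part of the message above, and not code from the OAuth WG), here is a constructed Python example of the two encodings the message contrasts: a query built per application/x-www-form-urlencoded versus plain RFC 3986 percent-encoding, and what an authorization server gets when it decodes a form-urlencoded scope or state with only RFC 3986 rules. All parameter values and the `client.example` host are made up.

```python
from urllib.parse import urlencode, quote, parse_qs, unquote

# Constructed sample authorization-request parameters (illustrative values only).
AUTHZ_PARAMS = {
    "response_type": "code",
    "client_id": "s6BhdRkqt3",
    "scope": "openid profile email",         # spaces: where the two encodings differ
    "state": "xyz/\u00e4\u00f6\u00fc",       # non-ASCII: needs an agreed charset (UTF-8)
    "redirect_uri": "https://client.example/cb?x=1",
}

def form_urlencode(params: dict) -> str:
    """application/x-www-form-urlencoded: space -> '+', other bytes UTF-8 percent-escaped."""
    return urlencode(params, encoding="utf-8")

def rfc3986_encode(params: dict) -> str:
    """Plain RFC 3986 percent-encoding per name/value: space -> '%20', no '+' convention."""
    unreserved = "-._~"
    return "&".join(f"{quote(k, safe=unreserved)}={quote(v, safe=unreserved)}"
                    for k, v in params.items())

def parse_as_form(query: str) -> dict:
    """Decode as x-www-form-urlencoded: '+' means space, %XX sequences are UTF-8."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def parse_as_rfc3986(query: str) -> dict:
    """Decode with RFC 3986 rules only: '+' stays a literal plus sign."""
    out = {}
    for pair in query.split("&"):
        k, _, v = pair.partition("=")
        out[unquote(k)] = unquote(v)
    return out

def server_views(params: dict) -> dict:
    """Encode as a client following x-www-form-urlencoded, then decode both ways."""
    q = form_urlencode(params)
    return {"query": q, "form": parse_as_form(q), "rfc3986": parse_as_rfc3986(q)}

def token_request_body(params: dict) -> tuple:
    """Token-endpoint request body: same encoding, carried as bytes in the entity body."""
    body = form_urlencode(params).encode("ascii")   # percent-escapes leave pure ASCII
    return ("application/x-www-form-urlencoded", body)

if __name__ == "__main__":
    v = server_views(AUTHZ_PARAMS)
    print(v["query"])
    print("form-decoded scope   :", v["form"]["scope"])
    print("rfc3986-decoded scope:", v["rfc3986"]["scope"])
    print(rfc3986_encode({"scope": AUTHZ_PARAMS["scope"]}))
```

The mismatch on `scope` is the interoperability gap the message points at: without a normative statement, a client and server can each follow a valid-looking rule and still disagree on the decoded value.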