IETF Logo Mail Archive

Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON

Dick Hardt <dick.hardt@gmail.com> Sat, 01 May 2010 01:50 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BC7703A6C22 for <oauth@core3.amsl.com>; Fri, 30 Apr 2010 18:50:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level:
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[AWL=0.152, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lrtHk3P9E4gM for <oauth@core3.amsl.com>; Fri, 30 Apr 2010 18:50:52 -0700 (PDT)
Received: from mail-pv0-f172.google.com (mail-pv0-f172.google.com [74.125.83.172]) by core3.amsl.com (Postfix) with ESMTP id 42FA13A68C3 for <oauth@ietf.org>; Fri, 30 Apr 2010 18:50:52 -0700 (PDT)
Received: by pvg6 with SMTP id 6so471164pvg.31 for <oauth@ietf.org>; Fri, 30 Apr 2010 18:50:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:mime-version :content-type:from:in-reply-to:date:cc:content-transfer-encoding :message-id:references:to:x-mailer; bh=DKD9OulWGzYvZVVwbQuZhG7vfGlRAjxWGokw4v1iQYg=; b=o3/jSO/sd13+lhFYcYmFBkGB1PEDAz+X2aUxZrrCUq7xwHkmCqK0VLAK6VeHwaSE8b YdE/zmw5nGYUJhEP0ae455QUDhNhVdkOw0iN6xK/pu7kZRlMbo4CYZfJWLIgj8EGHnFh sG8YO22nP96Xgl/xY54pV/iWA9tFqVwC8353k=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; b=r7q+5UosorUs5+4urlurtWjXXqFlt5TcjK24ytbtL4+J2txxdxzJJ3MquLz1KLqGoZ T6IAEGmgjQhAC05ePdBRVDgXlcT8GCnLNF6GsZU1cHRW+3FwrEWDjhEUljMcVSZa4Wfb V2S4uO77EwKSJwAUICcaFcOrEiGPeTfkzFJcY=
Received: by 10.143.132.6 with SMTP id j6mr7294193wfn.278.1272678634400; Fri, 30 Apr 2010 18:50:34 -0700 (PDT)
Received: from [10.0.1.8] (c-67-180-195-167.hsd1.ca.comcast.net [67.180.195.167]) by mx.google.com with ESMTPS id 21sm2415028pzk.4.2010.04.30.18.50.33 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 30 Apr 2010 18:50:33 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset="windows-1252"
From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <4B7104BF-B8C6-4707-B550-215970F82F3E@adobe.com>
Date: Fri, 30 Apr 2010 18:50:32 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <03855D59-834A-4BA3-B7F5-DF6DFE6128C3@gmail.com>
References: <9890332F-E759-4E63-96FE-DB3071194D84@gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E30A379B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <20100419134825.134951nuzvi35hk4@webmail.df.eu> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F45E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <t2wc334d54e1004200924ja0e7786u9b349a1931098f2a@mail.gmail.com> <l2ofd6741651004201245gdfc6e2a3j10a6e8a3e59f2072@mail.gmail.com> <4B7104BF-B8C6-4707-B550-215970F82F3E@adobe.com>
To: Gaurav Rastogi <grastogi@adobe.com>
X-Mailer: Apple Mail (2.1078)
Cc: "jsmarr@stanfordalumni.org" <jsmarr@stanfordalumni.org>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 May 2010 01:50:53 -0000

Given how simple the JSON response object would be, I don't think it would be much harder to write a parser than  application/x-www-form-urlencoded.

If the embedded software is going to call Facebook's Open Graph API or many other modern API's, it will need a JSON parser anyway.

-- Dick

On 2010-04-21, at 11:36 AM, Gaurav Rastogi wrote:

> +1 on not requiring JSON exclusively. There are enough number of small embedded software stack where JSON is not an option. 
> 
> On Apr 20, 2010, at 12:45 PM, David Recordon wrote:
> 
>> Having written an implementation last night against the web server
>> flow, I'm worried about adding JSON as a requirement for the response.
>> While it might be easier for environments with JSON libraries, it's
>> drastically more complex for environments (like embedded hardware)
>> which doesn't support JSON. And writing basic form encoded parsing
>> code really isn't that hard – especially if I can do it!
>> 
>> 
>> On Tue, Apr 20, 2010 at 9:24 AM, Joseph Smarr <jsmarr@gmail.com> wrote:
>>> +1 to including JSON format, and perhaps making it the required format. In
>>> my experience helping numerous developers debug their OAuth implementations,
>>> url-encoding/decoding was often a source of bugs, since a) the libraries are
>>> usually hand-built, b) url-encoding is known to be funky/inconsistent wrt +
>>> vs. %20 and other such things, and c) it's very sensitive to things like a
>>> trailing newline at the end of the response, which can easily be tokenized
>>> as part of the the last value (since the normal implementations just split
>>> on & and =). In contrast, I've never heard of any problems parsing JSON, nor
>>> any encoding/decoding bugs related to working with JSON in other APIs
>>> (something I *cannot* say about XML, which is way more finicky about
>>> requiring its values to be properly encoded or escaped in CDATA etc.; I've
>>> also seen way more inconsistency in support of XML parsers and their output
>>> formats, whereas JSON always works exactly the same way and always "just
>>> works").
>>> So in conclusion, url-encoding has caused a lot of pain in OAuth 1.0, and
>>> JSON is already widely supported (presumably including by most APIs that
>>> you're building OAuth support to be able to access!), so I think it would
>>> simplify the spec and increase ease/success of development to use JSON as a
>>> request format. In fact, I think I'd like to push for it to be the
>>> default/required format, given the positive attributes above. Does anyone
>>> object, and if so, why?
>>> Thanks, js
>>> 
>>> On Tue, Apr 20, 2010 at 8:10 AM, Eran Hammer-Lahav <eran@hueniverse.com>
>>> wrote:
>>>> 
>>>> There seems to be support for this idea with some concerns about
>>>> complexity. Someone needs to propose text for this including defining the
>>>> request parameter and schema of the various reply formats.
>>>> 
>>>> EHL
>>>> 
>>>>> -----Original Message-----
>>>>> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
>>>>> Sent: Monday, April 19, 2010 4:48 AM
>>>>> To: Eran Hammer-Lahav
>>>>> Cc: Dick Hardt; OAuth WG
>>>>> Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
>>>>> 
>>>>> 
>>>>>> We can also offer both and define a client request parameter (as long
>>>>>> as the server is required to make at least one format available).
>>>>> 
>>>>> +1 on this
>>>>> 
>>>>> regards,
>>>>> Torsten.
>>>>> 
>>>>>> 
>>>>>> EHL
>>>>>> 
>>>>>>> -----Original Message-----
>>>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>>>>>> Behalf Of Dick Hardt
>>>>>>> Sent: Sunday, April 18, 2010 9:30 PM
>>>>>>> To: OAuth WG
>>>>>>> Subject: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
>>>>>>> 
>>>>>>> The AS token endpoint response is encoded as application/x-www-form-
>>>>>>> urlencoded
>>>>>>> 
>>>>>>> While this reuses a well known and understood encoding standard, it
>>>>>>> is uncommon for a client to receive a message encoded like this. Most
>>>>>>> server responses are encoded as XML or JSON. Libraries are NOT
>>>>>>> reedily available to parse application/x-www-form-urlencoded results
>>>>>>> as this is something that is typically done in the web servers
>>>>>>> framework. While parsing the name value pairs and URL un-encoding
>>>>>>> them is not hard, many developers have been caught just splitting the
>>>>> parameters and forgetting to URL decode the token.
>>>>>>> Since the token is opaque and may contain characters that are
>>>>>>> escaped, it is a difficult bug to detect.
>>>>>>> 
>>>>>>> Potential options:
>>>>>>> 
>>>>>>> 1) Do nothing, developers should read the specs and do the right
>>>>>>> thing.
>>>>>>> 
>>>>>>> 2) Require that all parameters are URL safe so that there is no
>>>>>>> encoding issue.
>>>>>>> 
>>>>>>> 3) Return results as JSON, and recommend that parameters be URL safe.
>>>>>>> 
>>>>>>> -- Dick
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.14.0 | Report a Bug | By Email