IETF Logo Mail Archive

Re: [OAUTH-WG] Issue 18: defining new response types

Aiden Bell <aiden449@gmail.com> Fri, 15 July 2011 19:42 UTC

Return-Path: <aiden449@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68C5E21F8B69 for <oauth@ietfa.amsl.com>; Fri, 15 Jul 2011 12:42:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.398
X-Spam-Level:
X-Spam-Status: No, score=-2.398 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_45=0.6, J_CHICKENPOX_54=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YRK5aoea-cXL for <oauth@ietfa.amsl.com>; Fri, 15 Jul 2011 12:42:20 -0700 (PDT)
Received: from mail-qy0-f179.google.com (mail-qy0-f179.google.com [209.85.216.179]) by ietfa.amsl.com (Postfix) with ESMTP id 3DEDB21F8B48 for <oauth@ietf.org>; Fri, 15 Jul 2011 12:42:20 -0700 (PDT)
Received: by qyk29 with SMTP id 29so1108981qyk.10 for <oauth@ietf.org>; Fri, 15 Jul 2011 12:42:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=hIDPMHeJOSZMKDn+UgfxFFhkQTeVOsz9QiUMxxC53ew=; b=bgiQVhycn7jbxu5JmYvEqVkIOOIX49VMt0Q8S7rRjklTUEU3kmWwr5ROVALe9zQ/TZ Nc3sMgHU1sXN4U3w6+2QgKwJrsGXRXhvV905P2r6E8HXXWaBWkrpu3DJt8gnGHBaJqQB Q7AYEaeBP0dCRVLVrZBNfYwop9boBEjyX/bCs=
MIME-Version: 1.0
Received: by 10.229.222.19 with SMTP id ie19mr2911383qcb.169.1310758939570; Fri, 15 Jul 2011 12:42:19 -0700 (PDT)
Received: by 10.229.218.1 with HTTP; Fri, 15 Jul 2011 12:42:19 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234501D6E024B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <4E1F6AAD24975D4BA5B168042967394348D4BAD0@TK5EX14MBXC201.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E7234501D6E0238@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E1F6AAD24975D4BA5B168042967394348D4BCC4@TK5EX14MBXC201.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E7234501D6E024B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Fri, 15 Jul 2011 20:42:19 +0100
Message-ID: <CA+5SmTXKsRAEqi7mB-rnUESZf8LaAD2xYA4kkuitUG_QTwt0PQ@mail.gmail.com>
From: Aiden Bell <aiden449@gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, oauth@ietf.org
Content-Type: multipart/alternative; boundary="0016e650a4f2fab22e04a820d819"
Subject: Re: [OAUTH-WG] Issue 18: defining new response types
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2011 19:42:21 -0000

Hope a reply on this is ok, that i'm not hijacking and what what i'm saying
is relevant here ...

I'm currently implementing OAuth 2.0 middlware for Python/WSGI ...

I think that the natural presumption to want to split the compound response
type on the '+' is the fault of programmer mentality, and I can see why the
argument is being made. I do agree that
http://tools.ietf.org/html/draft-ietf-oauth-v2-18#section-8.4 simplifies
matters greatly regarding ordering and a lack of implementation significance
of the '+' ... but ...

I take the meaning that, if the '+' is for readability, then 'A+B's
behaviour mustn't be dependent on 'A' and 'B' either, and
that the value might as well be "foo" as it is for readability and the
behaviour is as an entirely new type which
requires consultation of the Registered spec (11.3) for an authoritative
answer on how strong the association is.

If the association is **always** strong between 'A','B' and 'A+B' and the
response and future behavior of the values is
tied to their non-compound definition then space delimiting and parsing
seems more natural.

In response to Eran's questions:

1. Do you find the + proposal as defined in -18 to be useful or confusing?
No, not if you don't imply any significance of the value itself and treat it
as its own type, in which
case the '+' token may as well be '_and_'

2. Should the protocol support dynamic composite values with the added
complexity (breaking change)?
Only if each of the composite values is intuatively linked to their
non-compound usage and that the 'for people'
implications of '+' follow through with machine behavior, and you don't need
to register the combination because
of this, though surely there is alot of scope for clashing in Auth response?

... but then again, I liked code_and_token.

---
Thanks and apologies if that was all jibberish or I missed something.
Aiden Bell


On 15 July 2011 18:44, Eran Hammer-Lahav <eran@hueniverse.com> wrote:

> I was only arguing against the proposed text which doesn’t accomplish what
> you want from a normative perspective. I can easily address the use case
> with very short prose but I would like to see more working group discussion
> about it first.****
>
> ** **
>
> Seems like WG members representing three large OAuth implementations
> (Facebook, Google, Microsoft) are very supportive. Does anyone objects to
> making the change to allow space-delimited values in the response_type
> parameter? Once we get consensus on that, I can proceed to offer a proposal.
> The main difficulty is how to deal with errors.****
>
> ** **
>
> EHL****
>
> ** **
>
> *From:* Mike Jones [mailto:Michael.Jones@microsoft.com]
> *Sent:* Friday, July 15, 2011 10:16 AM
> *To:* Eran Hammer-Lahav; oauth@ietf.org
> *Subject:* RE: Issue 18: defining new response types****
>
> ** **
>
> Yes, that’s the intent of the change****
>
> ** **
>
> *From:* Eran Hammer-Lahav [mailto:eran@hueniverse.com]
> *Sent:* Friday, July 15, 2011 10:14 AM
> *To:* Mike Jones; oauth@ietf.org
> *Subject:* RE: Issue 18: defining new response types****
>
> ** **
>
> You can’t have it both way. Either it is a simple string comparison or it
> requires parsing of the string. The current prose is designed to offer a
> visual cue without making any code changes to how response types are
> compared. To allow different orders, we have to turn the value to a parsed
> list.****
>
> ** **
>
> EHL****
>
> ** **
>
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf
> Of *Mike Jones
> *Sent:* Friday, July 15, 2011 10:02 AM
> *To:* oauth@ietf.org
> *Subject:* [OAUTH-WG] Issue 18: defining new response types****
>
> ** **
>
> I agree that this functionality is needed.  However, I believe its current
> embodiment is overly restrictive.  I would suggest changing this text:****
>
> Only one response type of each combination may be registered and used for
> making requests. Composite response types are treated and compared in the
> same as manner as non-composite response types. The "+" notation is meant
> only to improve human readability and is not used for machine parsing. ***
> *
>
> For example, an extension can define and register the token+code response
> type. However, once registered, the same combination cannot be registered as
> code+token, or used to make an authorization request. ****
>
> to this:****
>
> The order of the composite response type values is not significant.  For
> instance, the composite response types token+code and code+token are
> equivalent.  Each composite response type value MUST occur only once. ****
>
>                                                                 Thanks,***
> *
>
>                                                                 -- Mike***
> *
>
> ** **
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


-- 
------------------------------------------------------------------
Never send sensitive or private information via email unless it is
encrypted. http://www.gnupg.org

v2.35.0 | Report a Bug | By Email | System Status