Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -10

Julian Reschke <julian.reschke@gmx.de> Thu, 20 October 2011 15:46 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8070121F8C59 for <oauth@ietfa.amsl.com>; Thu, 20 Oct 2011 08:46:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.062
X-Spam-Level:
X-Spam-Status: No, score=-103.062 tagged_above=-999 required=5 tests=[AWL=-0.462, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gYJDD5qp-3oI for <oauth@ietfa.amsl.com>; Thu, 20 Oct 2011 08:46:34 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id 915BE21F8B86 for <oauth@ietf.org>; Thu, 20 Oct 2011 08:46:27 -0700 (PDT)
Received: (qmail invoked by alias); 20 Oct 2011 15:46:26 -0000
Received: from mail.greenbytes.de (EHLO [192.168.1.140]) [217.91.35.233] by mail.gmx.net (mp002) with SMTP; 20 Oct 2011 17:46:26 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX18Rgd092UMRUbMBebmIv/Edt9U4vSvpIcLFNWw51G y6u3ewYp1GkWw0
Message-ID: <4EA0424E.8000604@gmx.de>
Date: Thu, 20 Oct 2011 17:46:22 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739435C24B1CA@TK5EX14MBXC283.redmond.corp.microsoft.com> <4E9FC9FA.8030001@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C24CAE6@TK5EX14MBXC283.redmond.corp.microsoft.com> <4E9FCFA4.7050706@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C24CBB6@TK5EX14MBXC283.redmond.corp.microsoft.com> <4E9FD642.9070100@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C24D2C4@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435C24D2C4@TK5EX14MBXC283.redmond.corp.microsoft.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2011 15:46:35 -0000

On 2011-10-20 17:33, Mike Jones wrote:
> By design, implementations can use existing quoted-string parsers, as these accept and correctly process all legal scope values.
>
> The spec is silent on what to do with illegal values, such as those containing \ or those not surrounded by ".  Conforming implementations will not produce such values, and so there's no actual problem in practice, whether you use an off-the-shelf parameter parser or one specific to the Bearer scheme.
> ...

Conforming implementations can produce WWW-Authenticate header fields 
containing quoted-strings containing escapes. This is under the 
jurisdiction of the HTTP spec, not the OAuth spec.

OAuth can profile the legal values *just* for the OAuth scheme, but 
consumers will still need to be able to process a header field that 
contains multiple challenges from schemes != OAuth, and to do so, they 
*have* to use a proper parser.

Consider the following challenge:

	WWW-Authenticate: foo realm="x", title="my \"test\" site", oauth realm="y"

A component that handles WWW-Authenticate absolutely has to rely on 
predictable syntax for quoted strings. It doesn't make any sense to 
special-case OAuth params just because escaping isn't needed. This makes 
things harder and more likely to fail, not simpler.

Best regards, Julian