IETF Logo Mail Archive

[OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions

Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 14 October 2011 12:25 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BCE421F8B79 for <oauth@ietfa.amsl.com>; Fri, 14 Oct 2011 05:25:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.02
X-Spam-Level:
X-Spam-Status: No, score=-101.02 tagged_above=-999 required=5 tests=[AWL=-1.000, BAYES_00=-2.599, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_SORBS_WEB=0.619, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0XGEwhd6HueL for <oauth@ietfa.amsl.com>; Fri, 14 Oct 2011 05:25:29 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id 2B6AB21F8B49 for <oauth@ietf.org>; Fri, 14 Oct 2011 05:25:28 -0700 (PDT)
Received: (qmail invoked by alias); 14 Oct 2011 12:25:27 -0000
Received: from unknown (EHLO [10.255.132.80]) [192.100.123.77] by mail.gmx.net (mp013) with SMTP; 14 Oct 2011 14:25:27 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1914AkTwmR1FFZedKx9Ad2a/jeys2bXvK1kAGBZcY lST4VO+f8kzRYa
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 14 Oct 2011 15:25:25 +0300
Message-Id: <101476B6-E03C-4188-9DB4-176541FDC0C5@gmx.net>
To: OAuth WG <oauth@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
X-Y-GMX-Trusted: 0
Subject: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2011 12:25:30 -0000

Hi all, 

I had a discussion with Mike and Julian to hear what to discuss the open issues with the OAuth Bearer Token draft. Below is a short writeup of my impressions. 

1. Error Description

The error description field provides information to the software developer and is not meant to be shown to the end user. As such, there is no desire to provide internationalization support for this field. Hence, it has a similar characteristic as the HTTP 'Reason-Phrase. 

http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-latest.html#reason.phrase says

"
The Reason Phrase exists for the sole purpose of providing a textual description associated with the numeric status code, out of deference to earlier Internet application protocols that were more frequently used with interactive text clients. A client SHOULD ignore the content of the Reason Phrase.

 Reason-Phrase  = *( HTAB / SP / VCHAR / obs-text )
"

We can use something similar for the error description field and even simplify it further by omitting HTAB and obs-text:

  error-desc      = "error_description" "=" *( SP / VCHAR )

2. Scope

The scope field is yet another item that will not be shown to the user and it serves the purpose of an identifier for authorization comparison. So, we don't need to have any internationalization support here either. 

The suggestion is to re-use the 'token ABNF syntax from the HTTP spec:
http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-latest.html#rfc.section.3.2.3

3. Authorization Request Header Field

Finally, there is the authorization request header field where we have to decide how we want to deal with extensions. 
The current specification says: 

  credentials = "Bearer" 1*SP ( b64token / #auth-param )

This means that we can have either a base64 opaque blob or a parameter like syntax (but not both). 

An example of the b64token is 

 Authorization: Bearer vF9dft4qmT

and an example of the auth-param usage is

Authorization: Bearer t=vF9dft4qmT

With an opaque blob extensibility is limited and for this reason, I guess, Mike had provided the additional option of auth-parameter. 

If we want to allow extensibility then we have to go for the auth-param approach. If we only use the auth-param (without the b64token) then there may be an issue with already existing implementations. We will have to double-check. 

Then, there is the possibility to provide two ways to encode the same information, namely either as a base64 blob and in the auth-parameter style. (In a single protocol run one would obviously only use one or the other.)

If we define the auth-param then we have to also provide information on what it actually is. We cannot leave that out of scope. 

Ciao
Hannes

v2.23.0 | Report a Bug | By Email