IETF Logo Mail Archive

Re: [OAUTH-WG] Issue: prefixing parameters with oauth_

Luke Shepard <lshepard@facebook.com> Tue, 20 April 2010 17:05 UTC

Return-Path: <lshepard@facebook.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B235228C1B9 for <oauth@core3.amsl.com>; Tue, 20 Apr 2010 10:05:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.062
X-Spam-Level:
X-Spam-Status: No, score=-3.062 tagged_above=-999 required=5 tests=[AWL=0.202, BAYES_00=-2.599, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tyYB2jhjEXFS for <oauth@core3.amsl.com>; Tue, 20 Apr 2010 10:04:54 -0700 (PDT)
Received: from mailout-snc1.facebook.com (mailout-snc1.facebook.com [69.63.179.25]) by core3.amsl.com (Postfix) with ESMTP id 283CF28C13E for <oauth@ietf.org>; Tue, 20 Apr 2010 10:04:22 -0700 (PDT)
Received: from mail.thefacebook.com ([192.168.18.198]) by pp01.snc1.tfbnw.net (8.14.3/8.14.3) with ESMTP id o3KH3q0u024028 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 20 Apr 2010 10:03:52 -0700
Received: from sc-hub06.TheFacebook.com (192.168.18.83) by sc-hub03.TheFacebook.com (192.168.18.198) with Microsoft SMTP Server (TLS) id 14.0.689.0; Tue, 20 Apr 2010 10:04:09 -0700
Received: from SC-MBXC1.TheFacebook.com ([192.168.18.102]) by sc-hub06.TheFacebook.com ([192.168.18.83]) with mapi; Tue, 20 Apr 2010 10:04:09 -0700
From: Luke Shepard <lshepard@facebook.com>
To: "jsmarr@stanfordalumni.org" <jsmarr@stanfordalumni.org>, Eran Hammer-Lahav <eran@hueniverse.com>
Date: Tue, 20 Apr 2010 10:04:06 -0700
Thread-Topic: [OAUTH-WG] Issue: prefixing parameters with oauth_
Thread-Index: Acrgo8rSKoVZCpVbQYe3E4TET4pH9AAB34jg
Message-ID: <2513A610118CC14C8E622C376C8DEC93D54D66DEC0@SC-MBXC1.TheFacebook.com>
References: <14411661-A227-4DCA-86B3-A9C5FB8055D7@gmail.com> <4BCD31BF.5090701@stpeter.im> <0420973C-FE87-4969-9986-889173D74342@jkemp.net> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F44B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <w2sc334d54e1004200908j99461f8egc1d19e90f2eb87c6@mail.gmail.com>
In-Reply-To: <w2sc334d54e1004200908j99461f8egc1d19e90f2eb87c6@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_2513A610118CC14C8E622C376C8DEC93D54D66DEC0SCMBXC1TheFac_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.8161:2.4.5, 1.2.40, 4.0.166 definitions=2010-04-20_07:2010-02-06, 2010-04-20, 2010-04-20 signatures=0
Cc: Marius Scurtescu <marius.scurtescu@gmail.com>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Issue: prefixing parameters with oauth_
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2010 17:05:00 -0000

I know we are all identity geeks and love to know the protocol we're using, but most developers will just want to get the auth token and be done with it. They don't care that they are using OAuth. There's no reason to beat them over the head with it all over the place.

Having just implemented this, and now writing docs for it, I can say that I have a pretty strong preference for no prefix. It makes things so much easier to read.


From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Joseph Smarr
Sent: Tuesday, April 20, 2010 9:08 AM
To: Eran Hammer-Lahav
Cc: Marius Scurtescu; OAuth WG
Subject: Re: [OAUTH-WG] Issue: prefixing parameters with oauth_

I'm normally no fan of namespaces or other forms of needless complexity, and it's true that PoCo dropped the pdata_ prefixes to all its query parameters that we'd originally proposed, but I do think there's something helpful and and clear about oauth_ because it makes it so clear which parameters are part of OAuth--it's visually concise and readable, without the mechanical headaches of say XML namespaces. I'll agree that we can probably all learn to live without it (assuming collisions are empirically rare and there isn't code that needs to easily glob "all oauth parameters, including any future ones", e.g. the way OpenID does for signing), but I still feel a bit queasy doing so, and it's not obvious to me how much simplicity/performance/etc we buy for dropping them, so my (weak) preference would be to keep them, but I won't fight too hard if there are lots of people passionate about dropping them. :)

Thanks, js
On Tue, Apr 20, 2010 at 7:55 AM, Eran Hammer-Lahav <eran@hueniverse.com<mailto:eran@hueniverse.com>> wrote:


> -----Original Message-----
> From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>] On Behalf
> Of John Kemp
> Sent: Tuesday, April 20, 2010 3:38 AM
> To: Peter Saint-Andre
> Cc: Marius Scurtescu; OAuth WG
> Subject: Re: [OAUTH-WG] Issue: prefixing parameters with oauth_
>
> On Apr 20, 2010, at 12:46 AM, Peter Saint-Andre wrote:
>
> > On 4/18/10 6:46 PM, Dick Hardt wrote:
> >
> >> Given the practice that the authorization endpoint and the
> >> redirect_uri can contain URI query parameters, then differentiating
> >> between application specific query parameters and OAuth protocol
> >> parameters by prefixing the OAuth parameters with oauth_ would seem
> a
> >> useful way to minimize conflicts.
> >
> > Can't application developers avoid conflicts by giving their
> > parameters names other than those already used in OAuth?
>
> Is every application developer (those using an OAuth library, or product)
> familiar with the names that are used in the OAuth spec?
First, the must be or how else would they interact with it or support their developers. If they are installing a client and server products, their vendor should make sure to provide a fully working solution.

The OAuth flow endpoints (as opposed to protected resource endpoints) are an *application* endpoint. This is not some add-on protocol or an extension of existing framework, or a hack. This is a fully specified application API which requires and deserves treatment like a separate, standalone application. This is not the case when accessing a protected resource which belongs to another application.

It is odd to me that none of these arguments are made for other application APIs such as Portable Contacts [1], Open Social [2], and others, all meant to be implemented within the same platforms and servers as the OAuth flow endpoints. OpenSocial for example, is implemented by a wide range of different platforms, but yet does not have an opensocial_ prefix. Are there reports of conflicts and deployment problems because of that?

The argument made for a prefix is that is *seems* to be useful. However, experience seems to point the other way that a lack of prefix does not break the web. If "seems to be useful" is the bar this working group is setting, we are going to end up with a much bigger, more complex specification.

EHL

[1] http://portablecontacts.net/draft-spec.html
[2] http://www.opensocial.org/Technical-Resources/opensocial-spec-v081/restful-protocol.html
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email