IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions

Mike Jones <Michael.Jones@microsoft.com> Fri, 14 October 2011 16:51 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B09521F8A4E for <oauth@ietfa.amsl.com>; Fri, 14 Oct 2011 09:51:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.183
X-Spam-Level:
X-Spam-Status: No, score=-10.183 tagged_above=-999 required=5 tests=[AWL=-0.185, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tsv-t7hB1Q+m for <oauth@ietfa.amsl.com>; Fri, 14 Oct 2011 09:51:47 -0700 (PDT)
Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.215]) by ietfa.amsl.com (Postfix) with ESMTP id 03EE321F8A80 for <oauth@ietf.org>; Fri, 14 Oct 2011 09:51:47 -0700 (PDT)
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (157.54.79.159) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.2.176.0; Fri, 14 Oct 2011 09:51:23 -0700
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.142]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.01.0339.002; Fri, 14 Oct 2011 09:51:22 -0700
From: Mike Jones <Michael.Jones@microsoft.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, OAuth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions
Thread-Index: AcyKh/E84FL2MRLXQ1OcfkfuKXpuHgAANS7QAAIF9KA=
Date: Fri, 14 Oct 2011 16:51:21 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435C23C7BF@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739435C23C5A6@TK5EX14MBXC284.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E723452604B8EDD@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723452604B8EDD@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.37]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739435C23C7BFTK5EX14MBXC284r_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2011 16:51:50 -0000

I am fine with this scope character set restriction also being added to the core spec.

As to your second comment, you'll find that the b64token definition<http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-16#section-2.1> already provides a character set restriction (as you suggest is needed).

                                                            -- Mike

From: Eran Hammer-Lahav [mailto:eran@hueniverse.com]
Sent: Friday, October 14, 2011 8:55 AM
To: Mike Jones; Hannes Tschofenig; OAuth WG
Subject: RE: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions

This is not sufficient.

For scope, if you are going to restrict the allowed characters, you must either specify how to encode all other values to fit the field, or we must move this restriction to the v2 specification so that no encoding is required.

For the token, you need to also define allowed token values so that they will fit in the header without encode, or specify an encoding scheme. The MAC token restricts token values (called MAC identifier) to %x20-21 / %x23-5B / %x5D-7E (any printable ASCII character except for " and \).

EHL


From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org]<mailto:[mailto:oauth-bounces@ietf.org]> On Behalf Of Mike Jones
Sent: Friday, October 14, 2011 8:43 AM
To: Hannes Tschofenig; OAuth WG
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions


Thanks for the useful discussion and the write-up, Hannes.  For context, Hannes and I discussed how to resolve the remaining Bearer spec issues in a manner that meets the needs of implementations and will not generate objections during the IESG or IETF Last Call reviews.  A few additional comments...



1.  Error Description - Nothing to add to Hannes' write-up.



2.  Scope - I was planning to allow a broader set of ASCII characters than the "token" set, as these characters are inadequate for the use of URIs/URLs as scope elements.  In particular, scope elements need to permit the full sets of "reserved" <http://tools.ietf.org/html/rfc3986#section-2.2> and "unreserved" <http://tools.ietf.org/html/rfc3986#section-2.3> characters in RFC 3986<http://tools.ietf.org/html/rfc3986>.  The draft I am working on will say that scope is a space separated set of elements, where the elements consist of one or more characters from the union of the "reserved" and "unreserved" sets.



3.  Authorization Request Header Field - We agreed on the call that we're not doing implementers any favors by allowing both the b64token and #auth-param syntaxes, and that it is better to specify one or the other.  Since existing practice corresponds to the b4token syntax, the choice is clear which to specify.  Thus, it was a mistake to introduce the #auth-param choice in draft 9.  It will be removed in draft 10, which is shortly forthcoming.



                                                            -- Mike



-----Original Message-----
From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org]<mailto:[mailto:oauth-bounces@ietf.org]> On Behalf Of Hannes Tschofenig
Sent: Friday, October 14, 2011 5:25 AM
To: OAuth WG
Subject: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions



Hi all,



I had a discussion with Mike and Julian to hear what to discuss the open issues with the OAuth Bearer Token draft. Below is a short writeup of my impressions.



1. Error Description



The error description field provides information to the software developer and is not meant to be shown to the end user. As such, there is no desire to provide internationalization support for this field. Hence, it has a similar characteristic as the HTTP 'Reason-Phrase.



http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-latest.html#reason.phrase says



"

The Reason Phrase exists for the sole purpose of providing a textual description associated with the numeric status code, out of deference to earlier Internet application protocols that were more frequently used with interactive text clients. A client SHOULD ignore the content of the Reason Phrase.



Reason-Phrase  = *( HTAB / SP / VCHAR / obs-text ) "



We can use something similar for the error description field and even simplify it further by omitting HTAB and obs-text:



  error-desc      = "error_description" "=" *( SP / VCHAR )



2. Scope



The scope field is yet another item that will not be shown to the user and it serves the purpose of an identifier for authorization comparison. So, we don't need to have any internationalization support here either.



The suggestion is to re-use the 'token ABNF syntax from the HTTP spec:

http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-latest.html#rfc.section.3.2.3



3. Authorization Request Header Field



Finally, there is the authorization request header field where we have to decide how we want to deal with extensions.

The current specification says:



  credentials = "Bearer" 1*SP ( b64token / #auth-param )



This means that we can have either a base64 opaque blob or a parameter like syntax (but not both).



An example of the b64token is



Authorization: Bearer vF9dft4qmT



and an example of the auth-param usage is



Authorization: Bearer t=vF9dft4qmT



With an opaque blob extensibility is limited and for this reason, I guess, Mike had provided the additional option of auth-parameter.



If we want to allow extensibility then we have to go for the auth-param approach. If we only use the auth-param (without the b64token) then there may be an issue with already existing implementations. We will have to double-check.



Then, there is the possibility to provide two ways to encode the same information, namely either as a base64 blob and in the auth-parameter style. (In a single protocol run one would obviously only use one or the other.)



If we define the auth-param then we have to also provide information on what it actually is. We cannot leave that out of scope.



Ciao

Hannes



_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email