IETF Logo Mail Archive

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

Marius Scurtescu <mscurtescu@google.com> Thu, 20 May 2010 16:12 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E8B8D3A6935 for <oauth@core3.amsl.com>; Thu, 20 May 2010 09:12:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.426
X-Spam-Level:
X-Spam-Status: No, score=-104.426 tagged_above=-999 required=5 tests=[AWL=-1.049, BAYES_50=0.001, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SAKcXJ7IZfzn for <oauth@core3.amsl.com>; Thu, 20 May 2010 09:12:23 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id BEAE43A69F6 for <oauth@ietf.org>; Thu, 20 May 2010 09:12:20 -0700 (PDT)
Received: from wpaz17.hot.corp.google.com (wpaz17.hot.corp.google.com [172.24.198.81]) by smtp-out.google.com with ESMTP id o4KGC9vW002832 for <oauth@ietf.org>; Thu, 20 May 2010 09:12:11 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1274371931; bh=ybUKQjY00S95o3PbyxCZgftMz4c=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type:Content-Transfer-Encoding; b=SvcbmohK/hTWqVCniDMxS/fw4FyrGej0fOahKoDoLnXSlW9bDK6PyDNzkbUZukehs B+8TeVo7aBt1N24d96bzw==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:content-transfer-encoding:x-system-of-record; b=IReUYL/NWUG7mHRTiHsxfaBueYoLplq7IKsqcGEvTH/sKLUFEShFam6R4IzJpcbU4 gHrZrWJAR4ElHYYfoeW+Q==
Received: from pxi12 (pxi12.prod.google.com [10.243.27.12]) by wpaz17.hot.corp.google.com with ESMTP id o4KGC8MX013629 for <oauth@ietf.org>; Thu, 20 May 2010 09:12:08 -0700
Received: by pxi12 with SMTP id 12so4421315pxi.14 for <oauth@ietf.org>; Thu, 20 May 2010 09:12:08 -0700 (PDT)
Received: by 10.141.106.11 with SMTP id i11mr185570rvm.242.1274371926548; Thu, 20 May 2010 09:12:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.141.124.2 with HTTP; Thu, 20 May 2010 09:11:46 -0700 (PDT)
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E112637B8285@WSMSG3153V.srv.dir.telstra.com>
References: <ADB082E11CEB5D49A3CC03E49DCECE02378CB8A679@P3PW5EX1MB01.EX1.SECURESERVER.NET> <7C01E631FF4B654FA1E783F1C0265F8C4A42BFCC@TK5EX14MBXC117.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E72343B3B69895B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTimiSqQjOsxDMxFGjIkP3xDQVHge6OJUPu9CYxHf@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3B6989D0@P3PW5EX1MB01.EX1.SECURESERVER.NET> <09A6EF98-7406-43D8-9B1C-C16E38CA35D1@gmail.com> <7C01E631FF4B654FA1E783F1C0265F8C4A4312FC@TK5EX14MBXC117.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E72343B3B699132@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTinlwZpM4PBHSR1t1whWR2p38PHq9VpcJw4p77vs@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112637B8285@WSMSG3153V.srv.dir.telstra.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Thu, 20 May 2010 09:11:46 -0700
Message-ID: <AANLkTin6LlrnLNAmubR2ez21ZbukcNv_Ag7jB_oUHDbY@mail.gmail.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 May 2010 16:12:25 -0000

On Wed, May 19, 2010 at 6:33 PM, Manger, James H
<James.H.Manger@team.telstra.com> wrote:
> Marius,
>
>> Only direct responses are JSON, form/url encoded
>> still has to be used:
>> - direct requests
>> - through browser requests
>> - through browser responses
>> - through browser fragment responses
>
> A better solution would be to change the last two (token info delivered in a callback URIs) so a single parameter (in the query or fragment) holds all the token info -- as a base64url-encoded JSON value.

I don't think the last one can be changed, parsing JSON in JavaScript
can be tricky, Evan shows that in his reply. Also Evan points out that
decoding Base64 is yet one more thing, much more complicated than
percent decoding.


> That is more complicated if you are only delivering a single quantity (eg just an access_token). However, the difference diminishes as more and more features are added: expires_in, scope, sites, refresh_token, access_token_secret, realm, auth_scheme, whatever-comes-out-of-OpenID-Connect etc.
>
> A single parameter for token info in callback URIs also reduces the risk of clashing with client-specific parameters in callback URIs as things are added in the future (eg the earlier debate about no oauth_ prefix).

If we could have JSON for all requests and responses, then maybe that
will help. But I guess that's too hackish. If not, then not sure.
Requests have just as many parameters as responses.


> It eliminates the need to force all semantics to fit in a flat key/value model. This can only get harder as features are added, or extensions are supported. The OpenID 2.0 approach of namespaces and parameter name prefixes is not pretty. JSON does not solve this, but its structure helps.
>
> I wouldn't be surprised if, in some scenarios, the token info gets too big to fit in a URI. In that case even the user-agent flow will need to make a direct request to get the token info, which is more likely to be delivered as JSON. OpenID and SAML have found they need this (eg artefact flows).

In this case the user-agent flow becomes the web server flow, which
does this already, no?


Marius

>
>
> Please consider this as an open issue for today's meeting: a single parameter holding a base64url-encode JSON value for packaging token info in a callback URI.
>
> --
> James Manger
>

v2.23.0 | Report a Bug | By Email