IETF Logo Mail Archive

Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON

Joseph Smarr <jsmarr@gmail.com> Tue, 20 April 2010 16:25 UTC

Return-Path: <jsmarr@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 691683A699D for <oauth@core3.amsl.com>; Tue, 20 Apr 2010 09:25:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RuSh+y1YWSzR for <oauth@core3.amsl.com>; Tue, 20 Apr 2010 09:25:26 -0700 (PDT)
Received: from mail-pv0-f172.google.com (mail-pv0-f172.google.com [74.125.83.172]) by core3.amsl.com (Postfix) with ESMTP id 9DAF93A69E7 for <oauth@ietf.org>; Tue, 20 Apr 2010 09:25:21 -0700 (PDT)
Received: by pvf33 with SMTP id 33so4095797pvf.31 for <oauth@ietf.org>; Tue, 20 Apr 2010 09:25:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:reply-to:in-reply-to :references:from:date:received:message-id:subject:to:cc:content-type; bh=LT1YHE5VjVAcAG4JEjVGRDETG1fYXX0EzgjgcMnZ//Y=; b=U23m7e/W58/z3KQyhKiDNgGDWxEHPyIhxFaBJKBPohHwEXdhBLmDFhV6/LJC3+eIrQ meq9riqOWvmjumTHf7jTpP+hVMy90gigGhvxNXwe18EdWZ3of1UbfbG80F//ogR79ssp 4nGEkUfhw2F7WbI/9Wv4z2j4xgUJCcMq24iiU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:reply-to:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; b=SbU+6zHSlNL+PoXiTI3WGEvH+HUcaG5FLfQMFK9LVFNXht2y2H8IsLqPiqilu8aYw5 z0X9iD7Atk0QhzJY3a3gGsBOovt7x4y9hxKj3YrET2AwP/57wXC58vQt7SMyn2zjGEUJ Z2ADIlh4jzmULgJ1d5eBvSX4gCrxSsZao2jnw=
MIME-Version: 1.0
Received: by 10.143.164.14 with HTTP; Tue, 20 Apr 2010 09:24:50 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723438E5C7F45E@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <9890332F-E759-4E63-96FE-DB3071194D84@gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E30A379B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <20100419134825.134951nuzvi35hk4@webmail.df.eu> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F45E@P3PW5EX1MB01.EX1.SECURESERVER.NET>
From: Joseph Smarr <jsmarr@gmail.com>
Date: Tue, 20 Apr 2010 09:24:50 -0700
Received: by 10.142.67.30 with SMTP id p30mr3046790wfa.154.1271780710183; Tue, 20 Apr 2010 09:25:10 -0700 (PDT)
Message-ID: <t2wc334d54e1004200924ja0e7786u9b349a1931098f2a@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: multipart/alternative; boundary="001636e0a5e97673ba0484ad85d4"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: jsmarr@stanfordalumni.org
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2010 16:25:28 -0000

+1 to including JSON format, and perhaps making it the required format. In
my experience helping numerous developers debug their OAuth implementations,
url-encoding/decoding was often a source of bugs, since a) the libraries are
usually hand-built, b) url-encoding is known to be funky/inconsistent wrt +
vs. %20 and other such things, and c) it's very sensitive to things like a
trailing newline at the end of the response, which can easily be tokenized
as part of the the last value (since the normal implementations just split
on & and =). In contrast, I've never heard of any problems parsing JSON, nor
any encoding/decoding bugs related to working with JSON in other APIs
(something I *cannot* say about XML, which is way more finicky about
requiring its values to be properly encoded or escaped in CDATA etc.; I've
also seen way more inconsistency in support of XML parsers and their output
formats, whereas JSON always works exactly the same way and always "just
works").

So in conclusion, url-encoding has caused a lot of pain in OAuth 1.0, and
JSON is already widely supported (presumably including by most APIs that
you're building OAuth support to be able to access!), so I think it would
simplify the spec and increase ease/success of development to use JSON as a
request format. In fact, I think I'd like to push for it to be the
default/required format, given the positive attributes above. Does anyone
object, and if so, why?

Thanks, js

On Tue, Apr 20, 2010 at 8:10 AM, Eran Hammer-Lahav <eran@hueniverse.com>wrote:

> There seems to be support for this idea with some concerns about
> complexity. Someone needs to propose text for this including defining the
> request parameter and schema of the various reply formats.
>
> EHL
>
> > -----Original Message-----
> > From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
> > Sent: Monday, April 19, 2010 4:48 AM
> > To: Eran Hammer-Lahav
> > Cc: Dick Hardt; OAuth WG
> > Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
> >
> >
> > > We can also offer both and define a client request parameter (as long
> > > as the server is required to make at least one format available).
> >
> > +1 on this
> >
> > regards,
> > Torsten.
> >
> > >
> > > EHL
> > >
> > >> -----Original Message-----
> > >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
> > >> Behalf Of Dick Hardt
> > >> Sent: Sunday, April 18, 2010 9:30 PM
> > >> To: OAuth WG
> > >> Subject: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
> > >>
> > >> The AS token endpoint response is encoded as application/x-www-form-
> > >> urlencoded
> > >>
> > >> While this reuses a well known and understood encoding standard, it
> > >> is uncommon for a client to receive a message encoded like this. Most
> > >> server responses are encoded as XML or JSON. Libraries are NOT
> > >> reedily available to parse application/x-www-form-urlencoded results
> > >> as this is something that is typically done in the web servers
> > >> framework. While parsing the name value pairs and URL un-encoding
> > >> them is not hard, many developers have been caught just splitting the
> > parameters and forgetting to URL decode the token.
> > >> Since the token is opaque and may contain characters that are
> > >> escaped, it is a difficult bug to detect.
> > >>
> > >> Potential options:
> > >>
> > >> 1) Do nothing, developers should read the specs and do the right
> thing.
> > >>
> > >> 2) Require that all parameters are URL safe so that there is no
> > >> encoding issue.
> > >>
> > >> 3) Return results as JSON, and recommend that parameters be URL safe.
> > >>
> > >> -- Dick
> > >> _______________________________________________
> > >> OAuth mailing list
> > >> OAuth@ietf.org
> > >> https://www.ietf.org/mailman/listinfo/oauth
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org
> > > https://www.ietf.org/mailman/listinfo/oauth
> > >
> >
> >
> >
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email