[OAUTH-WG] application/x-www-form-urlencoded vs JSON

Dick Hardt <dick.hardt@gmail.com> Mon, 19 April 2010 04:30 UTC

The AS token endpoint response is encoded as application/x-www-form-urlencoded.

While this reuses a well-known and understood encoding standard, it is uncommon for a client to receive a message encoded like this. Most server responses are encoded as XML or JSON. Libraries are NOT readily available to parse application/x-www-form-urlencoded results, as this is something that is typically done in the web server's framework. While parsing the name value pairs and URL un-encoding them is not hard, many developers have been caught just splitting the parameters and forgetting to URL decode the token. Since the token is opaque and may contain characters that are escaped, it is a difficult bug to detect.

Potential options:

1) Do nothing, developers should read the specs and do the right thing.

2) Require that all parameters are URL safe so that there is no encoding issue.

3) Return results as JSON, and recommend that parameters be URL safe.

-- Dick
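
The decoding bug described in the message above, as an added example that is not part of the original post: a split-only parser beside one that URL-decodes, run on a token that needs escaping and on one that does not, which is why the bug goes unnoticed. The parameter names `access_token` and `expires_in`, the token values and all function names are assumptions made for the illustration.

```python
import json
from urllib.parse import parse_qs, urlencode

# RFC 3986 "unreserved" characters: these survive form encoding unchanged.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")

def parse_naive(body):
    """Buggy pattern from the message: split the pairs, never URL-decode."""
    return dict(pair.split("=", 1) for pair in body.split("&"))

def parse_form(body):
    """Decode application/x-www-form-urlencoded; reject malformed or repeated names."""
    parsed = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    repeated = sorted(k for k, v in parsed.items() if len(v) > 1)
    if repeated:
        raise ValueError(f"repeated parameters: {repeated}")
    return {k: v[0] for k, v in parsed.items()}

def is_url_safe(value):
    """Option 2 check: the value needs no escaping at all."""
    return bool(value) and set(value) <= UNRESERVED

def compare(token):
    """Encode a constructed response for `token`, then parse it three ways."""
    fields = {"access_token": token, "expires_in": "3600"}  # assumed names
    body = urlencode(fields)
    return {
        "body": body,
        "naive": parse_naive(body)["access_token"],
        "decoded": parse_form(body)["access_token"],
        "json": json.loads(json.dumps(fields))["access_token"],  # option 3
        "url_safe": is_url_safe(token),
    }

if __name__ == "__main__":
    for tok in ("a+b/c=d e", "abc-DEF_123.~"):  # constructed sample tokens
        print(compare(tok))
```

With the URL-safe token the naive and decoded values are identical, so a client tested only against such tokens passes until the server issues one containing `+`, `/`, `=` or a space.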