Re: [OAUTH-WG] Proposed resolution for issue 26
Brian Campbell <bcampbell@pingidentity.com> Thu, 29 September 2011 13:54 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A72C421F8D66 for <oauth@ietfa.amsl.com>; Thu, 29 Sep 2011 06:54:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.906
X-Spam-Level:
X-Spam-Status: No, score=-5.906 tagged_above=-999 required=5 tests=[AWL=0.071, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tUS3vZvWCQxz for <oauth@ietfa.amsl.com>; Thu, 29 Sep 2011 06:54:22 -0700 (PDT)
Received: from na3sys009aog117.obsmtp.com (na3sys009aog117.obsmtp.com [74.125.149.242]) by ietfa.amsl.com (Postfix) with ESMTP id 9AAA521F8D68 for <oauth@ietf.org>; Thu, 29 Sep 2011 06:54:20 -0700 (PDT)
Received: from mail-qy0-f169.google.com ([209.85.216.169]) (using TLSv1) by na3sys009aob117.postini.com ([74.125.148.12]) with SMTP ID DSNKToR5MSc0rTXX+hyLF6IeIl8xKe79tfWl@postini.com; Thu, 29 Sep 2011 06:57:13 PDT
Received: by mail-qy0-f169.google.com with SMTP id 38so4188856qyl.14 for <oauth@ietf.org>; Thu, 29 Sep 2011 06:57:05 -0700 (PDT)
Received: by 10.224.212.8 with SMTP id gq8mr7794060qab.377.1317304624102; Thu, 29 Sep 2011 06:57:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.224.19.196 with HTTP; Thu, 29 Sep 2011 06:56:33 -0700 (PDT)
In-Reply-To: <CAGdjJpKTAAFq_YGXWOdhT7+Sxyaay5gbjx_ktha8Z6EYaxvtYA@mail.gmail.com>
References: <4E1F6AAD24975D4BA5B16804296739435C1FC6A1@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAC4RtVDOPaMif55L6JAU4C8aERHgt6M0ntet7GKwgQJbUQKMZw@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739435C2148B5@TK5EX14MBXC285.redmond.corp.microsoft.com> <255B9BB34FB7D647A506DC292726F6E1128FF826E5@WSMSG3153V.srv.dir.telstra.com> <CAC4RtVAj7UG-7kgo3CU5Q6eeJFXi2VciQHUoGL5WJ8iq5cmykg@mail.gmail.com> <CAGdjJpKTAAFq_YGXWOdhT7+Sxyaay5gbjx_ktha8Z6EYaxvtYA@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 29 Sep 2011 07:56:33 -0600
Message-ID: <CA+k3eCSiowbODXVis-HTZ+hTvwsA-b_XjLtKiL2Gy36hH_=z5w@mail.gmail.com>
To: Marius Scurtescu <mscurtescu@google.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Barry Leiba <barryleiba@computer.org>, oauth@ietf.org
Subject: Re: [OAUTH-WG] Proposed resolution for issue 26
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Sep 2011 13:54:25 -0000
+1 to "I think James made it pretty clear that we have a problem and that we have to solve it." On Wed, Sep 28, 2011 at 10:36 AM, Marius Scurtescu <mscurtescu@google.com> wrote: > On Wed, Sep 28, 2011 at 6:40 AM, Barry Leiba <barryleiba@computer.org> > wrote: >> >> I'd like to see more participation in this thread, besides just from >> Mike and James. What do others think? > > I think James made it pretty clear that we have a problem and that we have > to solve it. > One solution would be for the core spec to limit the characters that can be > used in a scope, such that scopes are HTTP header safe. I think this would > be pretty limiting and fragile. > Another solution would be for the bearer spec to specify what escaping > should be used. RFC 5987 seems like the only good choice. > Marius >> >> Barry, as chair >> >> On Mon, Sep 26, 2011 at 3:05 PM, Mike Jones <Michael.Jones@microsoft.com> >> wrote: >> > While you take the viewpoint that the bearer spec is restricting scope >> > values, in fact, the spec intentionally allows all characters that can >> > be >> > safely communicated in an HTTP response header parameter to be >> > used. About whether those characters employ an encoding >> > methodology to sometimes represent other characters or abstractions, >> > I believe that Barry's proposed wording hits the nail on the head: >> > >> > Interpretation of scope strings requires semantic agreement on the >> > meaning of the scope strings between the parties participating the >> > OAuth flow. Should an encoding be used for scope strings in a >> > particular deployment context, participants have to have agreed >> > upon that encoding, just as they agree on other OAuth configuration >> > parameters. >> > >> > Best wishes, >> > -- Mike >> >> >> On Mon, Sep 26, 2011 at 8:20 PM, Manger, James H >> <James.H.Manger@team.telstra.com> wrote: >> >> While you take the viewpoint that the bearer spec is restricting scope >> >> values, in fact, >> >> the spec intentionally allows all characters that can be safely >> >> communicated in an HTTP >> >> response header parameter to be used. >> > >> > But "all characters that can be safely communicated in an HTTP response >> > header parameter" is only a subset of the characters that OAuth Core >> > allows in a scope value (any Unicode string excluding space). I don't >> > understand how this isn't the Bearer spec restricting scope values. >> > >> > >> > P.S. You recognize here that non-ASCII chars cannot be safely >> > communicated in an HTTP response header parameter. This is why >> > Julian was concerned about the spec saying the error_description holds >> > raw UTF-8. >> > [Actually the ABNF for error_description restricts it to 93 ASCII chars >> > so >> > when the text says it is UTF-8 encoded it is raising the potential >> > problem >> > of arbitrary UTF-8 in HTTP headers unnecessarily.] >> > >> > -- >> > James Manger >> >> >> On Tue, Sep 27, 2011 at 11:50 PM, Manger, James H >> <James.H.Manger@team.telstra.com> wrote: >> > I'll have another go trying to explain the problem I see with the scope >> > parameter in the Bearer spec. >> > >> > Consider a French social network that decides to offer an API using >> > OAuth2. >> > It chooses 3 scope values for parts of the API related to family, >> > friends, and >> > business colleagues: >> > * "famille" >> > * "ami" >> > * "collègues" >> > Let's focus on the last scope. >> > >> > The site describes the scope and its semantics in HTML developer docs. >> > That works. >> > <dt>collègues</dt><dd>...</dd> >> > >> > Client apps construct authorization URIs to which users are sent. >> > That works. >> > https://example.fr/authz?scope=coll%C3%A8gues... >> > >> > The authorization server issues credentials in a JSON token response. >> > That works. >> > { "access_token":"SlAV32hkKG", "scope":"coll\u00E8gues", ...} >> > >> > The authorization server also supports implicit grants. That works. >> > Location: https://app.client.org/callback#scope=coll%C3%A8gues... >> > >> > Client apps request protected resources (without needing to mention >> > scope). >> > That works. >> > Authorization: Bearer vF9dft4qmT >> > >> > A protected resource server responds with a 401 error when a bearer >> > token >> > is wrong. They don't know what to put in the HTTP response header scope >> > parameter: "collègues" does not fit. >> > >> > One server knows HTTP headers have historically used ISO-8859-1. >> > WWW-Authenticate: Bearer scope="coll<E8>gues", >> > error_description="opps"... >> > >> > Another server sees that error_description is specified as UTF-8 so uses >> > that. >> > WWW-Authenticate: Bearer scope="coll<C3><A8>gues", >> > error_description="opps"... >> > >> > A third server reasons that the value will be copied to an authz URI so >> > uses >> > URI-escaping. >> > WWW-Authenticate: Bearer scope="coll%C3%A8gues", >> > error_description="opps"... >> > >> > A fourth server thinks JSON-escaping looks most like HTTP's >> > quoted-string >> > quoting (both use '\'). >> > WWW-Authenticate: Bearer scope="coll\u00E8gues", >> > error_description="opps"... >> > >> > A fifth uses RFC 5987 "Character Set and Language Encoding for HTTP >> > Header >> > Field Parameters": >> > WWW-Authenticate: Bearer scope*=UTF-8''coll%C3%A8gues, >> > error_description="opps"... >> > >> > It is a total interoperability failure for the client apps. The >> > paragraph in the Bearer >> > spec saying the encoding of the scope values is up to each "particular >> > deployment context" looks like a cruel joke to the app and library >> > developers. >> > >> > -- >> > James Manger >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] Proposed resolution for issue 26 Mike Jones
- Re: [OAUTH-WG] Proposed resolution for issue 26 Barry Leiba
- Re: [OAUTH-WG] Proposed resolution for issue 26 Manger, James H
- Re: [OAUTH-WG] Proposed resolution for issue 26 Mike Jones
- Re: [OAUTH-WG] Proposed resolution for issue 26 Mike Jones
- Re: [OAUTH-WG] Proposed resolution for issue 26 Manger, James H
- Re: [OAUTH-WG] Proposed resolution for issue 26 Manger, James H
- Re: [OAUTH-WG] Proposed resolution for issue 26 Barry Leiba
- Re: [OAUTH-WG] Proposed resolution for issue 26 Julian Reschke
- Re: [OAUTH-WG] Proposed resolution for issue 26 Mike Jones
- Re: [OAUTH-WG] Proposed resolution for issue 26 Marius Scurtescu
- Re: [OAUTH-WG] Proposed resolution for issue 26 Brian Campbell
- Re: [OAUTH-WG] Proposed resolution for issue 26 Mark Lentczner
- Re: [OAUTH-WG] Proposed resolution for issue 26 Julian Reschke
- Re: [OAUTH-WG] Proposed resolution for issue 26 Justin Richer
- Re: [OAUTH-WG] Proposed resolution for issue 26 Julian Reschke