Re: [OAUTH-WG] question about the b64token syntax in draft-ietf-oauth-v2-bearer
Brian Campbell <bcampbell@pingidentity.com> Sun, 11 March 2012 13:50 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 038D721F86A7 for <oauth@ietfa.amsl.com>; Sun, 11 Mar 2012 06:50:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.857
X-Spam-Level:
X-Spam-Status: No, score=-3.857 tagged_above=-999 required=5 tests=[AWL=-1.881, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3PdLYznQtlyP for <oauth@ietfa.amsl.com>; Sun, 11 Mar 2012 06:50:13 -0700 (PDT)
Received: from psmtp.com (na3sys009aog132.obsmtp.com [74.125.149.250]) by ietfa.amsl.com (Postfix) with ESMTP id A42FB21F8697 for <oauth@ietf.org>; Sun, 11 Mar 2012 06:50:12 -0700 (PDT)
Received: from mail-vx0-f180.google.com ([209.85.220.180]) (using TLSv1) by na3sys009aob132.postini.com ([74.125.148.12]) with SMTP ID DSNKT1ytk0JRwC4QCoQ1A3FZK0bboFGPZ9t5@postini.com; Sun, 11 Mar 2012 06:50:12 PDT
Received: by mail-vx0-f180.google.com with SMTP id fl10so4267714vcb.11 for <oauth@ietf.org>; Sun, 11 Mar 2012 06:50:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=cDOxrpFDYHZ8QVZuTiQ0Fge844OWTtaslrtJVTWF6xk=; b=EurFamer/nwjM1ZErD6KjiBqSJGuWBCm0Ll87QR9k7vUy7tlJLCKakFDheho8EhW9Z hkcSOXQyvHxk0lJ9nB6JAyEf62E9wo0IkEJGaOfC7cEeUzBDL0HPG/aBjiBXAoVCPzOV l11WEpYqXNes3F7d0xZns3OSp1+z8VkLUUJ0qvGjR6fTHYqUpw+eyEn1JvEMkeqUQ2ol c0QFI3qmKbDFSGYwdTV6dGR/DGvSOtZ5InLcs8sZByKL+ReQ5HN8hwtKd15CzwfGfQ+8 ZwXVCQhB+7raYwWcacsDYC6r3UKW1euOENhq/nbpMtOQ4LLAtMBqiIyEYHzGDYxW74sg H2Ew==
MIME-Version: 1.0
Received: by 10.52.93.18 with SMTP id cq18mr12146936vdb.40.1331473811766; Sun, 11 Mar 2012 06:50:11 -0700 (PDT)
Received: by 10.52.171.172 with HTTP; Sun, 11 Mar 2012 06:50:11 -0700 (PDT)
Received: by 10.52.171.172 with HTTP; Sun, 11 Mar 2012 06:50:11 -0700 (PDT)
In-Reply-To: <6C7AC84B-F4F3-4069-9144-65B193D0F882@ve7jtb.com>
References: <4E1F6AAD24975D4BA5B168042967394366402261@TK5EX14MBXC284.redmond.corp.microsoft.com> <6C7AC84B-F4F3-4069-9144-65B193D0F882@ve7jtb.com>
Date: Sun, 11 Mar 2012 07:50:11 -0600
Message-ID: <CA+k3eCSoOumeULRYynRDrQFksf+h7iczhMqp33-GUDvGL15tAQ@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="20cf3071c6aa93ff1a04baf7e76e"
X-Gm-Message-State: ALoCoQnqEFfxBveM/PQU3sjH7Zi8XMJEzxsMitiAKwD5leggCNpGM2G9U8HiyjBsjwU8L7vkwLTH
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] question about the b64token syntax in draft-ietf-oauth-v2-bearer
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Mar 2012 13:50:15 -0000
+1 On Mar 11, 2012 7:08 AM, "John Bradley" <ve7jtb@ve7jtb.com> wrote: > +1 > > Sent from my iPhone > > On 2012-03-10, at 12:49 PM, Mike Jones <Michael.Jones@microsoft.com> > wrote: > > I plan to make the change to the example access token value to > mF_9.B5f-4.1JqM before Monday’s submission deadline, per the requests for > b64token syntax clarification. I’m also considering adding an access token > response example, pre the requests in this thread. I would propose adding > the following new text for this in a new Section 4 (before the current > Security Considerations). This is largely parallel to what is done in > Section 5.1 of the MAC spec.**** > > ** ** > > *4. Example Access Token Response* > > ** ** > > Typically a bearer token is returned to the client as part of an OAuth 2.0 > [I-D.ietf-oauth-v2] access token response. An example of such as response > is:**** > > ** ** > > HTTP/1.1 200 OK**** > > Content-Type: application/json;charset=UTF-8**** > > Cache-Control: no-store**** > > Pragma: no-cache**** > > ** ** > > {**** > > "access_token":"mF_9.B5f-4.1JqM",**** > > "token_type":"Bearer",**** > > "expires_in":3600,**** > > "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"**** > > }**** > > ** ** > > Please send either +1s or objections to this text by mid-day Monday. > Unless I receive several +1s, to be conservative at this point, I will not > be including it in Monday’s draft.**** > > ** ** > > -- Mike**** > > ** ** > > *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf > Of *Paul Madsen > *Sent:* Wednesday, March 07, 2012 1:34 PM > *To:* Brian Campbell > *Cc:* oauth > *Subject:* Re: [OAUTH-WG] question about the b64token syntax in > draft-ietf-oauth-v2-bearer**** > > ** ** > > +1 > > On 3/7/12 4:08 PM, Brian Campbell wrote: **** > > Yeah, it is case insensitive. I just went with the upper case B**** > > because that's how it was written in §5.1.1 of**** > > draft-ietf-oauth-v2-bearer-17* which is where I guess it's actually**** > > defined. But I see draft-ietf-oauth-v2-23 uses a lower case b**.**** > > Either one would be fine.**** > > ** ** > > I agree that an example response from the token endpoint would be**** > > worthwhile. Something like the following might help tie together with**** > > the Authorization header example (proposed earlier). It could maybe be**** > > worked in near the top of §2?**** > > ** ** > > HTTP/1.1 200 OK**** > > Content-Type: application/json;charset=UTF-8**** > > Cache-Control: no-store**** > > Pragma: no-cache**** > > ** ** > > {**** > > "access_token":"vF_9.5dCf-t4.qbcmT_k1b",**** > > "token_type":"example",**** > > "expires_in":3600,**** > > "refresh_token":"stGzv3xOdkF0X35Qp2TlKWIA",**** > > }**** > > ** ** > > It'd probably make sense to change the examples in the body §2.2******* > > and query §2.3**** to use the same access token value too.**** > > ** ** > > ** ** > > * http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-5.1.1**** > > ** http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-7.1**** > > *** http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-2.2**** > > **** http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-2.3**** > > ** ** > > ** ** > > On Wed, Mar 7, 2012 at 12:00 PM, Justin Richer <jricher@mitre.org> <jricher@mitre.org> wrote:**** > > Makes sense to me, except that I think the token_type value is typically**** > > lowercase "bearer", though it's defined to be case insensitive in**** > > Oauth-v2-23 section 5.1. Come to think of it, I'm not sure that the value of**** > > this field for the Bearer token type ever got defined anywhere. Section 7.1**** > > references the bearer spec as defining the value of the "token_type"**** > > parameter, and passes its example as if by reference. Would be worthwhile**** > > giving an example of a token endpoint response, such as what's found in**** > > OAuth-v2-23 section 5.1.**** > > ** ** > > -- Justin**** > > ** ** > > ** ** > > On 03/07/2012 12:16 PM, Brian Campbell wrote:**** > > ** ** > > I'd like to propose the following changes and additions, derived**** > > largely from Bill and James suggestions, to**** > > draft-ietf-oauth-v2-bearer-17. These changes have no normative impact**** > > and only aim to add additional clarity and explanation the workings**** > > and implications of the current spec. I'm definitely open to changes**** > > or improvements in the wording here (not my strong suit by any means)**** > > but I think it's important that these general ideas be conveyed in the**** > > draft.**** > > ** ** > > ** ** > > ==> Insert the following text at the beginning of §2:**** > > ** ** > > To make a protected resource request, the client must be in possession**** > > of a valid bearer token. Typically a bearer token is returned to the**** > > client as part of an access token response as defined in OAuth 2.0**** > > [I-D.ietf-oauth-v2]. When the "token_type" parameter of the access**** > > token response is "Bearer", the string value of the "access_token"**** > > parameter becomes the bearer access token used to make protected**** > > resource requests.**** > > ** ** > > ==> Change the value of the token in the Authorization header example to**** > > this:**** > > ** ** > > Authorization: Bearer vF_9.5dCf-t4.qbcmT_k1b**** > > ** ** > > ==> Insert the following text before the last paragraph of §2.1:**** > > ** ** > > Note that the name b64token does not imply base64 encoding but rather**** > > is the name for an ABNF syntax definition from HTTP/1.1, Part 7**** > > [I-D.ietf-httpbis-p7-auth]. Because of its use, the "access_token"**** > > string value from an access token response MUST match the b64token**** > > ABNF so it can be used with the Bearer HTTP scheme.**** > > ** ** > > ** ** > > Thanks,**** > > Brian**** > > ** ** > > ** ** > > ** ** > > ** ** > > On Tue, Mar 6, 2012 at 11:45 AM, William Mills<wmills@yahoo-inc.com> <wmills@yahoo-inc.com>**** > > wrote:**** > > ** ** > > Yeah, something as simple as, "Note that the name 'b64token' does not**** > > imply**** > > base64 encoding, see the definition in [[INSERT REFERENCE HERE]]." would**** > > do**** > > it.**** > > ** ** > > -bill**** > > ** ** > > ________________________________**** > > From: Brian Campbell<bcampbell@pingidentity.com> <bcampbell@pingidentity.com>**** > > To: Mike Jones<Michael.Jones@microsoft.com> <Michael.Jones@microsoft.com>**** > > Cc: oauth<oauth@ietf.org> <oauth@ietf.org>**** > > Sent: Tuesday, March 6, 2012 8:23 AM**** > > ** ** > > Subject: Re: [OAUTH-WG] question about the b64token syntax in**** > > draft-ietf-oauth-v2-bearer**** > > ** ** > > Thanks Mike, I think changing the example would be helpful.**** > > ** ** > > However I think that including some text along the lines of what James**** > > suggested would also be very valuable. I agree that the connection**** > > between OAuth and Bearer could and should be made more explicit. And**** > > that the implications of the b64token syntax, particularly on what AS**** > > can use to construct ATs, could/should be made more clear.**** > > ** ** > > I can propose some specific text (building on James') if others in the WG**** > > agree?**** > > ** ** > > ** ** > > On Mon, Mar 5, 2012 at 5:32 PM, Mike Jones<Michael.Jones@microsoft.com> <Michael.Jones@microsoft.com>**** > > wrote:**** > > ** ** > > I'm fine with changing the example to make it clearer that b64token**** > > allows**** > > a wider range of characters than just those legal for base64 and**** > > base64url**** > > encodings of data values.**** > > ** ** > > I'll add it to my to-do list for any additional edits for the Bearer**** > > spec.**** > > ** ** > > -- Mike**** > > ** ** > > -----Original Message-----**** > > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org <oauth-bounces@ietf.org>] On Behalf**** > > Of**** > > Manger, James H**** > > Sent: Monday, March 05, 2012 3:33 PM**** > > To: Brian Campbell; oauth**** > > Subject: Re: [OAUTH-WG] question about the b64token syntax in**** > > draft-ietf-oauth-v2-bearer**** > > ** ** > > Brian,**** > > ** ** > > On casual reading of "The OAuth 2.0 Authorization Protocol: Bearer**** > > Tokens"* I've encountered several people (including myself) who have**** > > made the assumption that the name b64token implies that some kind of**** > > base64 encoding/decoding on the access token is taking place between**** > > the client and RS.**** > > ** ** > > Digging a bit deeper in to "HTTP/1.1, part 7: Authentication"**,**** > > however, I see that b64token is just an ABNF syntax definition**** > > allowing for characters typically used in base64, base64url, etc.. So**** > > the b64token doesn't define any encoding or decoding but rather just**** > > defines what characters can be used in the part of the Authorization**** > > header that will contain the access token.**** > > ** ** > > Do I read this correctly?**** > > ** ** > > Yes.**** > > ** ** > > If so, I feel like some additional clarifying text in the Bearer**** > > Tokens draft might help avoid what is (based on my small sample) a**** > > common point of misunderstanding.**** > > ** ** > > Changing the example bearer token should be a simple way to avoid some**** > > confusion by showing that it does not have to be base64 encoding. How**** > > about**** > > changing:**** > > Authorization: Bearer vF9dft4qmT**** > > to**** > > Authorization: Bearer vF9.dft4.qmT**** > > ** ** > > The Bearer spec has lots of (unnecessary) text about OAuth, but doesn't**** > > quite manage to be precise about how OAuth and Bearer connect. It could**** > > explicitly state that the string value of the "access_token" member of**** > > an**** > > access token response is the bearer token. The "access_token" string**** > > value**** > > (after unescaping any JSON-escapes) MUST match the b64token ABNF so it**** > > can**** > > be used with the Bearer HTTP scheme. Such text could be put in §5.1.1**** > > where**** > > the "Bearer" OAuth access token type is defined.**** > > ** ** > > ** ** > > Also, does the use of b64token implicitly limit the allowed characters**** > > that an AS can use to construct a bearer access token?**** > > ** ** > > Yes.**** > > ** ** > > ** ** > > * http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-2.1**** > > ****** > > http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-18#section-2.1**** > > ** ** > > --**** > > James Manger**** > > _______________________________________________**** > > OAuth mailing list**** > > OAuth@ietf.org**** > > https://www.ietf.org/mailman/listinfo/oauth**** > > ** ** > > ** ** > > _______________________________________________**** > > OAuth mailing list**** > > OAuth@ietf.org**** > > https://www.ietf.org/mailman/listinfo/oauth**** > > ** ** > > ** ** > > _______________________________________________**** > > OAuth mailing list**** > > OAuth@ietf.org**** > > https://www.ietf.org/mailman/listinfo/oauth**** > > ** ** > > ** ** > > _______________________________________________**** > > OAuth mailing list**** > > OAuth@ietf.org**** > > https://www.ietf.org/mailman/listinfo/oauth**** > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] question about the b64token syntax in … Brian Campbell
- Re: [OAUTH-WG] question about the b64token syntax… Manger, James H
- Re: [OAUTH-WG] question about the b64token syntax… Mike Jones
- Re: [OAUTH-WG] question about the b64token syntax… Brian Campbell
- Re: [OAUTH-WG] question about the b64token syntax… Paul Madsen
- Re: [OAUTH-WG] question about the b64token syntax… Justin Richer
- Re: [OAUTH-WG] question about the b64token syntax… William Mills
- Re: [OAUTH-WG] question about the b64token syntax… Brian Campbell
- Re: [OAUTH-WG] question about the b64token syntax… William Mills
- Re: [OAUTH-WG] question about the b64token syntax… Justin Richer
- Re: [OAUTH-WG] question about the b64token syntax… Brian Campbell
- Re: [OAUTH-WG] question about the b64token syntax… Paul Madsen
- Re: [OAUTH-WG] question about the b64token syntax… Mike Jones
- Re: [OAUTH-WG] question about the b64token syntax… Manger, James H
- Re: [OAUTH-WG] question about the b64token syntax… Paul Madsen
- Re: [OAUTH-WG] question about the b64token syntax… John Bradley
- Re: [OAUTH-WG] question about the b64token syntax… Brian Campbell
- Re: [OAUTH-WG] question about the b64token syntax… Richer, Justin P.
- Re: [OAUTH-WG] question about the b64token syntax… George Fletcher