Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON (Proposal)

Eran Hammer-Lahav <eran@hueniverse.com> Wed, 05 May 2010 18:09 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Evan Gilbert <uidude@google.com>
Date: Wed, 05 May 2010 11:09:11 -0700
Cc: "oauth@ietf.org" <oauth@ietf.org>

Consensus is that JSON is the right format for token responses in the message body. As for the User Agent flow, that should remain form-encoded in the fragment (I think).

EHL

From: Evan Gilbert [mailto:uidude@google.com]
Sent: Wednesday, May 05, 2010 10:07 AM
To: Eran Hammer-Lahav
Cc: Torsten Lodderstedt; oauth@ietf.org
Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON (Proposal)


On Wed, May 5, 2010 at 8:28 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
I'll add something to the draft and we'll discuss it. There is enough consensus on a single JSON response format.

Responses that are returned via a browser URL should be application/x-www-form-urlencoded. These parameters are standard to parse in any HTTP handling library and JSON only adds complexity and external library requirements.

I'm not positive we need to support JSON at all.

But if we support both JSON and application/x-www-form-urlencoded, I think the pattern should be:
- application/x-www-form-urlencoded for requests/responses in a browser
- JSON otherwise (including requests)



EHL


> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Torsten Lodderstedt
> Sent: Friday, April 30, 2010 2:00 AM
> To: Brian Eaton
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON (Proposal)
>
>
> Quoting Brian Eaton <beaton@google.com>:
>
> > On Thu, Apr 29, 2010 at 2:40 PM, Mike Moore <blowmage@gmail.com> wrote:
> >> On Thu, Apr 29, 2010 at 2:49 PM, Yaron Goland <yarong@microsoft.com> wrote:
> >>>
> >>> Can we please just have one format, not 3? The more choices we give
> >>> the more interoperability suffers.
> >
> > Yes.  The number of parsers needed to make a working system is
> > important.  The spec has too many already.
> >
> > I'd like to see authorization servers returning JSON or XML, since
> > that's what the resource servers are doing.
> >
> > ...and given a choice between JSON and XML, I'd pick JSON.
> >
>
> I agree. At Deutsche Telekom, we try to align our authorization APIs with the
> APIs provided by the resource servers. Authorization is "just" a small, but
> important, portion of the overall process and aligning it with the rest
> increases acceptance and decreases error rate.
>
> None of the APIs we provide uses form encoding, most of them use JSON,
> some XML.
> Based on that observation I would like to see at least JSON support in OAuth.
> So JSON as the only format would be fine with me.
>
> My proposal is based on the observation that the WG did not come to a
> consensus about the one and only format.
>
> I have collected the following opinions from the thread:
>
> pro additional support for JSON and XML - Marius Scurtescu, John Jawed, Richard Barnes, Brian Eaton, Torsten Lodderstedt
> pro additional support for JSON - Dick Hardt (initiated the thread), Joseph Smarr
> still support application/x-www-form-urlencoded (unclear whether exclusively) - David Recordon, Gaurav Rastogi
> one format only (preference unclear) - Yaron Goland
> JSON as the only format (if forced to decide for a single format) - Brian Eaton, Torsten Lodderstedt
> JSON as the only format - James Manger, Robert Sayre
> application/x-www-form-urlencoded as the only format - Mike Moore
> JSON for responses as well - Marius Scurtescu
>
> Here are some representative comments from the thread:
>
> Joseph Smarr - "JSON is already widely supported (presumably including by
> most APIs that you're building OAuth support to be able to access!"
>
> David Recordon - "it's drastically more complex for environments (like
> embedded hardware) which doesn't support JSON."
>
> Paul C. Bryan - "I'm struggling to imagine hardware that on the one hand
> would support OAuth, but on the other would be incapable of supporting
> JSON..."
>
> Gaurav Rastogi - "There are enough number of small embedded software
> stack where JSON is not an option."
>
> So we have at least 9 votes pro JSON, but also 1 vote for
> application/x-www-form-urlencoded only.
>
> How shall we proceed? Can we come to a consensus?
>
> regards,
> Torsten.
>
> > Cheers,
> > Brian
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
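
Added example, not part of the original thread or of any draft text: a client that accepts a token response in either encoding discussed above (JSON in the message body, form-encoded in the URL fragment for the User-Agent flow) and normalizes both to one shape. The parameter names access_token and expires_in are assumed from OAuth 2.0; the function names and the client.example URL are hypothetical.

```javascript
// Added example. Parameter names are assumed from OAuth 2.0; all sample
// values used with these functions are constructed.

// Token response delivered in an HTTP message body as JSON.
function parseJsonTokenResponse(contentType, body) {
  // Compare only the media type; ignore parameters such as charset.
  const mediaType = String(contentType).split(';')[0].trim().toLowerCase();
  if (mediaType !== 'application/json') {
    throw new Error('unexpected content type: ' + mediaType);
  }
  const obj = JSON.parse(body);
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new Error('token response must be a JSON object');
  }
  return validateTokenResponse(obj);
}

// Token response delivered form-encoded in the URL fragment (User-Agent flow).
function parseFragmentTokenResponse(redirectUrl) {
  const fragment = new URL(redirectUrl).hash.replace(/^#/, '');
  const out = Object.create(null); // no prototype, so "__proto__" is just a key
  for (const [name, value] of new URLSearchParams(fragment)) {
    // A repeated parameter is ambiguous: parsers disagree on which one wins.
    if (name in out) throw new Error('duplicate parameter: ' + name);
    out[name] = value;
  }
  return validateTokenResponse(out);
}

// Shared checks so both encodings yield the same normalized result.
function validateTokenResponse(p) {
  if (typeof p.access_token !== 'string' || p.access_token === '') {
    throw new Error('missing access_token');
  }
  const result = { access_token: p.access_token };
  if (p.expires_in !== undefined) {
    // Form encoding carries only strings; JSON may carry a number.
    const raw = p.expires_in;
    const n = typeof raw === 'number' ? raw
      : (typeof raw === 'string' && /^[0-9]+$/.test(raw)) ? Number(raw) : NaN;
    if (!Number.isInteger(n) || n <= 0) throw new Error('bad expires_in');
    result.expires_in = n;
  }
  return result;
}
```

Keeping one validation path for both encodings means a value that is a string in the fragment and a number in JSON cannot produce different behaviour later in the client.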