[OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP syntax comments

Julian Reschke <julian.reschke@gmx.de> Tue, 09 August 2011 12:06 UTC

Message-ID: <4E4122C9.8080602@gmx.de>
To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>

Hi there,

Below are a few comments on the dependencies on HTTPbis and on the actual header field syntax.

Best regards,

Julian

-- snip --

1.1.  Notational Conventions

    ...

    This document uses the Augmented Backus-Naur Form (ABNF) notation of
    [I-D.ietf-httpbis-p1-messaging], which is based upon the Augmented
    Backus-Naur Form (ABNF) notation of [RFC5234].  Additionally, the
    following rules are included from [RFC2617]: auth-param and realm;
    from [RFC3986]: URI-Reference; and from
    [I-D.ietf-httpbis-p1-messaging]: RWS and quoted-string.

auth-param and realm should come from I-D.ietf-httpbis-p7-auth (optimally from a version >= 16, which we should get out before the end of the month).

2.  Authenticated Requests

    Clients SHOULD make authenticated requests with a bearer token using
    the "Authorization" request header field defined by [RFC2617].

-> HTTPbis P7

2.1.  The Authorization Request Header Field

    The "Authorization" request header field is used by clients to make
    authenticated requests with bearer tokens.  The client uses the
    "Bearer" authentication scheme to transmit the access token in the
    request.

    For example:

    GET /resource HTTP/1.1
    Host: server.example.com
    Authorization: Bearer vF9dft4qmT

    The "Authorization" header field uses the framework defined by
    [RFC2617] as follows:

    credentials     = "Bearer" RWS access-token
    access-token    = 1*( quoted-char / <"> )

    quoted-char     = ALPHA / DIGIT /
                      "!" / "#" / "$" / "%" / "&" / "'" / "(" / ")" /
                      "*" / "+" / "-" / "." / "/" / ":" / "<" / "=" /
                      ">" / "?" / "@" / "[" / "]" / "^" / "_" / "`" /
                      "{" / "|" / "}" / "~" / "\" / "," / ";"

This is incompatible with the RFC2617 grammar which requires auth-params.

HTTPbis P7 will introduce an alternative syntax ("b64token"), but that is restricted to a single instance and thus not extensible.

I recommend using auth-param syntax instead.


2.2.  Form-Encoded Body Parameter

    ...

    o  The entity-body follows the encoding requirements of the
       "application/x-www-form-urlencoded" content-type as defined by
       [W3C.REC-html401-19991224].

    o  The HTTP request entity-header includes the "Content-Type" header
       field set to "application/x-www-form-urlencoded".

What about parameters?

    o  The HTTP request method is one for which a body is permitted to be
       present in the request.  In particular, this means that the "GET"
       method MUST NOT be used.

GET permits a body; it's just not useful.

2.4.  The WWW-Authenticate Response Header Field

    If the protected resource request does not include authentication
    credentials or contains an invalid access token, the resource server
    MUST include the HTTP "WWW-Authenticate" response header field; it
    MAY include it in response to other conditions as well.  The
    "WWW-Authenticate" header field uses the framework defined by
    [RFC2617] as follows:

-> HTTPbis P7

    challenge       = "Bearer" [ RWS 1#param ]

-> please stick to the syntax defined in the authentication framework, so use "auth-param", and just define the allowed parameters separately.

    param           = realm / scope /
                      error / error-desc / error-uri /
                      auth-param

    scope           = "scope" "=" <"> scope-v *( SP scope-v ) <">
    scope-v         = 1*quoted-char

-> This seems to override the quoted-string syntax. Don't. Generic parsers *will* use the quoted-string syntax.

    quoted-char     = ALPHA / DIGIT /
                      "!" / "#" / "$" / "%" / "&" / "'" / "(" / ")" /
                      "*" / "+" / "-" / "." / "/" / ":" / "<" / "=" /
                      ">" / "?" / "@" / "[" / "]" / "^" / "_" / "`" /
                      "{" / "|" / "}" / "~" / "\" / "," / ";"

    error           = "error" "=" quoted-string
    error-desc      = "error_description" "=" quoted-string
    error-uri       = "error_uri" "=" <"> URI-reference <">

-> missing I18N considerations
-> weird syntax (why underscore?)
-> the generic syntax allows token in addition to quoted-string; it's pointless to rule that out here


4.  IANA Considerations

-> If you have a dependency on HTTPbis then you should also add the registration for the authentication scheme as defined in HTTPbis P7.