Re: [OAUTH-WG] Should registration request be form-urlencoded or JSON?

"Richer, Justin P." <> Mon, 04 February 2013 21:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 570FA21F8B0B for <>; Mon, 4 Feb 2013 13:34:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.562
X-Spam-Status: No, score=-6.562 tagged_above=-999 required=5 tests=[AWL=0.036, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UtQ6ZaH9wCeV for <>; Mon, 4 Feb 2013 13:34:05 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 87F8921F8AF2 for <>; Mon, 4 Feb 2013 13:34:05 -0800 (PST)
Received: from (localhost.localdomain []) by localhost (Postfix) with SMTP id 0201B5311132; Mon, 4 Feb 2013 16:34:05 -0500 (EST)
Received: from IMCCAS02.MITRE.ORG ( []) by (Postfix) with ESMTP id E0D505311130; Mon, 4 Feb 2013 16:34:04 -0500 (EST)
Received: from IMCMBX01.MITRE.ORG ([]) by IMCCAS02.MITRE.ORG ([]) with mapi id 14.02.0318.004; Mon, 4 Feb 2013 16:34:04 -0500
From: "Richer, Justin P." <>
To: Mike Jones <>
Thread-Topic: [OAUTH-WG] Should registration request be form-urlencoded or JSON?
Thread-Index: Ac4DHiIcTE3oals3S1ip2f/AR/tbdwAKyDGA
Date: Mon, 04 Feb 2013 21:34:03 +0000
Message-ID: <B33BFB58CCC8BE4998958016839DE27E068866A0@IMCMBX01.MITRE.ORG>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_B33BFB58CCC8BE4998958016839DE27E068866A0IMCMBX01MITREOR_"
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [OAUTH-WG] Should registration request be form-urlencoded or JSON?
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 04 Feb 2013 21:34:10 -0000

For history, the original UMA registration spec from whence this all grew was JSON-in and JSON-out. It's feeling like this is coming back around.

 - more REST-ish (particularly if we use real REST style like URL templates and verbs)
 - consistent data structures
 - possible use of rich client data structures like lists and sub-objects

 - unlike the rest of OAuth, which is form-in, JSON-out
 - major change from existing code
 - possible overhead for existing OAuth libraries which haven't had to deal with JSON from clients

If we're going to do this, we should dive in with both feet and define a full RESTful API with all appropriate verbs and CRUD ops, and define it at the OAuth DynReg level as well.

-- Justin

On Feb 4, 2013, at 4:25 PM, Mike Jones <<>>

Now that we're returning the registration state as JSON, it's pretty inconsistent for the registration request to instead be form-url-encoded. The case can be made for switching to JSON now - especially in light of possibly wanting to convey some structured information at registration time.
I realize that this is a big change, but if we're going to do it, we should do it now.
As a precedent, apparently SCIM requests are JSON, rather than form-url-encoded.

                                                                -- Mike

OAuth mailing list<>