IETF Logo Mail Archive

Re: [OAUTH-WG] Partially standardized format for access tokens?

John Kemp <john@jkemp.net> Tue, 08 June 2010 10:45 UTC

Return-Path: <john@jkemp.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5C6E528C14B for <oauth@core3.amsl.com>; Tue, 8 Jun 2010 03:45:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.335
X-Spam-Level:
X-Spam-Status: No, score=0.335 tagged_above=-999 required=5 tests=[BAYES_50=0.001, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OkvqS9mDW4Np for <oauth@core3.amsl.com>; Tue, 8 Jun 2010 03:45:22 -0700 (PDT)
Received: from cpoproxy1-pub.bluehost.com (cpoproxy1-pub.bluehost.com [69.89.21.11]) by core3.amsl.com (Postfix) with SMTP id 4F15E28C10C for <oauth@ietf.org>; Tue, 8 Jun 2010 03:45:22 -0700 (PDT)
Received: (qmail 12856 invoked by uid 0); 8 Jun 2010 10:45:23 -0000
Received: from unknown (HELO box320.bluehost.com) (69.89.31.120) by cpoproxy1.bluehost.com with SMTP; 8 Jun 2010 10:45:23 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=jkemp.net; h=Received:Subject:Mime-Version:Content-Type:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:X-Mailer:X-Identified-User; b=WO+pZf1vAMBagWrJoEpdlalCm74ORa6f1Fa2tdifimN/zq8l9uHB7TQYupt4IEg3brZddE7stgvbMBGS2yNCIYBixa6xqvM6WrjRt12shV6oATKLWjhF2p6ty3rQ04UY;
Received: from cpe-69-205-56-47.nycap.res.rr.com ([69.205.56.47] helo=[192.168.1.103]) by box320.bluehost.com with esmtpa (Exim 4.69) (envelope-from <john@jkemp.net>) id 1OLwJ8-0008Ph-WF; Tue, 08 Jun 2010 04:45:23 -0600
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset="us-ascii"
From: John Kemp <john@jkemp.net>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E11263EBF638@WSMSG3153V.srv.dir.telstra.com>
Date: Tue, 08 Jun 2010 06:45:20 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <50227268-61DB-401E-A2AA-F8A984C1B6B3@jkemp.net>
References: <AANLkTinQTV9JJPiftquRbvdqAOHxUXk7QQKCMrmQ4LLK@mail.gmail.com> <B549E6C4-A24D-4032-8A26-89ED58EBAA34@facebook.com> <4C090B6C.9030707@aol.com> <B6D1E6FF-D65F-4FD6-B148-C17550421FC9@facebook.com> <AANLkTilj0xG6SjHrzkd9Ca-N67J7IlsTNAOkyFdjQ62I@mail.gmail.com> <ED86A2AA-56D5-4DC6-B896-48A850EED3B2@facebook.com> <4C0930B2.80802@aol.com> <AANLkTimupEDpBUjg4iwwhPQ41ZKcryMcpVjJumXNIjP0@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E11263E5DA7C@WSMSG3153V.srv.dir.telstra.com> <383A9188-1AA6-49FE-95FC-5D6316BD18CD@jkemp.net> <255B9BB34FB7D647A506DC292726F6E11263EBF638@WSMSG3153V.srv.dir.telstra.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
X-Mailer: Apple Mail (2.1078)
X-Identified-User: {1122:box320.bluehost.com:jkempnet:jkemp.net} {sentby:smtp auth 69.205.56.47 authed with john+jkemp.net}
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Partially standardized format for access tokens?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jun 2010 10:45:23 -0000

On Jun 7, 2010, at 8:25 PM, Manger, James H wrote:

> John,
> 
>>> access_token=saml.fhHFhgf6575fhgFGrytr
> 
>> What is the advantage of doing it this way over having a separate field?
> 
> Client simplicity (code and mental model).

I think the difference in simplicity between one parameter and two is not such that it requires munging the two together.

The token_string and the token_format are two different parts of the token.

- johnk

> 
>> What if the format is a URI?
> 
> That is a choice between the AS and PR that is irrelevant to the client app -- so why should the client app have to worry about it (and any extra escaping it entails).
> 
> 
>>> There can be an IANA registry for prefixes if that is helpful.
> 
>> Personally, I'd like to see this solution be a bit more distributed, and a registry isn't.
> 
> I hope there aren't so many common, shared formats that a distributed solution is necessary. But you can make the prefix a domain name, or a base64url-encoded URI, or a hash of a URI etc if you really want it distributed.
> 
> 
> Andrew Arnott said:
>> But token_format is not the idea I think.  It's more like token_origin.
> 
> I hope we don't need a 3rd "opaque string" for the client app to transfer from the AS to PR.
> 
> --
> James Manger
>

v2.23.0 | Report a Bug | By Email