IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08.txt WGLC comments

"Manger, James H" <James.H.Manger@team.telstra.com> Thu, 13 October 2011 00:38 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B9CE21F8ACA for <oauth@ietfa.amsl.com>; Wed, 12 Oct 2011 17:38:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.029
X-Spam-Level:
X-Spam-Status: No, score=-1.029 tagged_above=-999 required=5 tests=[AWL=-0.127, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id raOcXRvJdpV0 for <oauth@ietfa.amsl.com>; Wed, 12 Oct 2011 17:38:23 -0700 (PDT)
Received: from ipxbvo.tcif.telstra.com.au (ipxbvo.tcif.telstra.com.au [203.35.135.204]) by ietfa.amsl.com (Postfix) with ESMTP id 874CB21F8A71 for <oauth@ietf.org>; Wed, 12 Oct 2011 17:38:22 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.69,337,1315144800"; d="scan'208";a="48771770"
Received: from unknown (HELO ipccvi.tcif.telstra.com.au) ([10.97.217.208]) by ipobvi.tcif.telstra.com.au with ESMTP; 13 Oct 2011 11:38:19 +1100
X-IronPort-AV: E=McAfee;i="5400,1158,6497"; a="39036365"
Received: from wsmsg3757.srv.dir.telstra.com ([172.49.40.85]) by ipccvi.tcif.telstra.com.au with ESMTP; 13 Oct 2011 11:38:19 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by wsmsg3757.srv.dir.telstra.com ([172.49.40.85]) with mapi; Thu, 13 Oct 2011 11:38:19 +1100
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 13 Oct 2011 11:38:17 +1100
Thread-Topic: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08.txt WGLC comments
Thread-Index: AQHMTaLJnWCrafb4ZE+NLLSMK5FwXJU3E+0AgAAXvQCAQRHaAIAAgkWAgACa04D//+FBcIAAeymA//+/OLCAAHwIgP//izlwAA7+tgAADp6n8AAU1rog
Message-ID: <255B9BB34FB7D647A506DC292726F6E112907A695F@WSMSG3153V.srv.dir.telstra.com>
References: <20110727131700.23436.11568.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B16804296739434986822D@TK5EX14MBXC202.redmond.corp.microsoft.com> <CAC4RtVBx-WrxbXE-DxvEp3EsE3q6oEcrv9XWxteB11AjPMK3Hg@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E11289635128@WSMSG3153V.srv.dir.telstra.com> <1314767698.36186.YahooMailNeo@web31808.mail.mud.yahoo.com> <255B9BB34FB7D647A506DC292726F6E1128DB1DE6E@WSMSG3153V.srv.dir.telstra.com> <1318350042.89721.YahooMailNeo@web31810.mail.mud.yahoo.com> <255B9BB34FB7D647A506DC292726F6E1129072392A@WSMSG3153V.srv.dir.telstra.com> <4E955C01.40603@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C238C90@TK5EX14MBXC284.redmond.corp.microsoft.com> <4E95A987.1000203@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C239299@TK5EX14MBXC284.redmond.corp.microsoft.com> <4E95DB3B.2040802@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C23936C@TK5EX14MBXC284.redmond.corp.microsoft.com> <4E95DDE6.3080502@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C239402@TK5EX14MBXC284.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435C239402@TK5EX14MBXC284.redmond.corp.microsoft.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08.txt WGLC comments
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2011 00:38:24 -0000

> One possible syntax is:
>
> Bearer access_token=xyz_-123,more_info=pdq
>
> Ultimately though, the format of the bearer token is outside of the scope of the spec, and up to the participants to determine, including whether to use b64token syntax or params syntax.


It is great to see an example explaining the intention of the "b64token / #auth-param" part of the draft. These details need to be in the spec. Draft 9 makes no mention of an "access_token" parameter for the HTTP header -- in sharp contrast to mentioning such a parameter for the URI query string and POST body mechanisms. Can the "access_token" value be a <token> (as in the above example)? Can it be a <quoted-string>? Can it use RFC5987 (eg access_token*=UTF-8''...)?

Can a client choose the b64token or auth-param option, implying servers MUST support both? Or is it the other way around: servers only have to support b64token so existing servers are compliant without requiring any changes?

I thought the consensus was that bearer tokens were so simple that "Bearer <b64token>" was sufficient. In the unlikely event that more parameters were required in future, a new scheme (eg Bearer2) could be defined. If this is no longer the consensus then lets:

1. Define a single syntax that servers MUST support.
  Authorization: Bearer a="<access_token>"

2. Use a short parameter name, such as "a", saving 10-bytes per request over "access_token". The long name is needed in a URI query string or POST body so the parameter is unambiguous amongst any number of other application-specific parameters. In a Bearer HTTP header there is no such possibility of confusion.

3. Don't allow the value to be either a <token> or <quoted-string> -- just pick one (I suggest <quoted-string>). It doesn't help developers or interop to offer a pointless choice.

4. Allow future comma-separated parameters, and state that unrecognized parameters MUST be ignored.

5. Add an informative note that some servers might also accept a header of the form "Bearer <access_token>", but clients using this form are not compliant to this spec.

6. Explicitly state that when the type is "bearer" in an OAuth2 token response, the "access_token" MUST only consist of characters that can be represented in a <quoted-string>, ie %x20-7E (assuming <quoted-string> was picked at #3).

7. Recommend that a base64url encoding without padding (of binary data or of UTF-8 encoded text) is a good choice for an "access_token" value (or a few base64url encoded segments separated by dots) as it avoids the need to escape characters in most situations.

--
James Manger

v2.23.0 | Report a Bug | By Email