Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
Mike Jones <Michael.Jones@microsoft.com> Fri, 15 June 2012 18:58 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB0CB21F8517 for <oauth@ietfa.amsl.com>; Fri, 15 Jun 2012 11:58:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.775
X-Spam-Level:
X-Spam-Status: No, score=-3.775 tagged_above=-999 required=5 tests=[AWL=-0.177, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pxJUeZx5TV+V for <oauth@ietfa.amsl.com>; Fri, 15 Jun 2012 11:58:29 -0700 (PDT)
Received: from am1outboundpool.messaging.microsoft.com (am1ehsobe006.messaging.microsoft.com [213.199.154.209]) by ietfa.amsl.com (Postfix) with ESMTP id 64DCF21F851B for <oauth@ietf.org>; Fri, 15 Jun 2012 11:58:28 -0700 (PDT)
Received: from mail31-am1-R.bigfish.com (10.3.201.227) by AM1EHSOBE006.bigfish.com (10.3.204.26) with Microsoft SMTP Server id 14.1.225.23; Fri, 15 Jun 2012 18:57:17 +0000
Received: from mail31-am1 (localhost [127.0.0.1]) by mail31-am1-R.bigfish.com (Postfix) with ESMTP id BA9C320634; Fri, 15 Jun 2012 18:57:16 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC106.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: -24
X-BigFish: VS-24(zzbb2dI98dI9371Ic85fh148cIzz1202hzz1033IL8275bh8275dhz2fh2a8h668h839hd25hf0ah)
Received-SPF: pass (mail31-am1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC106.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail31-am1 (localhost.localdomain [127.0.0.1]) by mail31-am1 (MessageSwitch) id 1339786628586026_30549; Fri, 15 Jun 2012 18:57:08 +0000 (UTC)
Received: from AM1EHSMHS014.bigfish.com (unknown [10.3.201.249]) by mail31-am1.bigfish.com (Postfix) with ESMTP id 8D204420061; Fri, 15 Jun 2012 18:57:08 +0000 (UTC)
Received: from TK5EX14HUBC106.redmond.corp.microsoft.com (131.107.125.8) by AM1EHSMHS014.bigfish.com (10.3.207.152) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 15 Jun 2012 18:57:07 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.53]) by TK5EX14HUBC106.redmond.corp.microsoft.com ([157.54.80.61]) with mapi id 14.02.0309.003; Fri, 15 Jun 2012 18:58:01 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Justin Richer <jricher@mitre.org>
Thread-Topic: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
Thread-Index: AQHNSw5aQ+07XirTWkeEJ2jRd0gB45b7jZDwgAADgx2AAAA4oIAAERNwgAAX256AAABvcA==
Date: Fri, 15 Jun 2012 18:58:01 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436654F381@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <9dbeab60-8fe4-4828-9c52-d7af95378f4c@email.android.com> <0ec59f35-4a66-4719-adf3-114dab0d1d48@email.android.com> <40240328-0247-4278-BB7B-BE89AE130076@ve7jtb.com> <a55ad34e52e0f9755e548106d27c4b8c@treenet.co.nz> <4FDB593B.4080508@aol.com>, <4E1F6AAD24975D4BA5B16804296739436654ABB1@TK5EX14MBXC283.redmond.corp.microsoft.com> <DDC84727-1B5F-48AD-AC3F-DB9700838955@hueniverse.com> <4E1F6AAD24975D4BA5B16804296739436654B001@TK5EX14MBXC283.redmond.corp.microsoft.com> <MLQM-20120615143106586-5342@mlite.mitre.org> <4FDB8499.2050808@mitre.org>
In-Reply-To: <4FDB8499.2050808@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.33]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436654F381TK5EX14MBXC283r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jun 2012 18:58:32 -0000
Justin, it's a useful data point that you already have clients with colon (":") in client_id values (that work because you aren't using HTTP Basic). Thanks for letting us know that.
For the record, I'd be fine if the working group decided that %-encoding of client_id values when used with HTTP Basic was the right thing to do. The Tab strawman was intended to break as few implementations as possible, but I fully recognize that the set of implementations broken by using % for %-encoding may well be the empty set.
Other's thoughts?
Cheers,
-- Mike
From: Justin Richer [mailto:jricher@mitre.org]
Sent: Friday, June 15, 2012 11:53 AM
To: Mike Jones
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
So it's been pointed out to me that percent encoding like this would break any clients that already have % in their client_id who are using the Basic auth. My question to the group is: how many of these are out there, really? Do we really have to worry about them? Right now, those are just hyptothetical, whereas clients with a : are real.
Considering there already are (at the moment, technically noncompliant) clients using : who aren't using basic that we're definitely trying to support (otherwise this issue wouldn't be coming up), I would argue in favor of the known-existence side as opposed to the potential-existence side. Which is to say, use percent encoding (which is established and referenceable from another spec) and call it a day.
What *really* bothers me about the strawman proposal is that it's making up a new, arbitrary encoding mechanism for one corner case. This is such a tiny and oddly specific-to-OAuth2 thing that my gut instinct tells me this is going to be either:
1) ignored
2) implemented wrong
3) coupled with some other encoding mechanism for people who want to do other things like internationalization
-- Justin
On 06/15/2012 02:15 PM, Justin Richer wrote:
Why not percent encoding for just colon and percent?
-- Justin
On 06/15/2012 01:30 PM, Mike Jones wrote:
I was asked a question off-list, which I think is worth answering on-line. The question was: Why the Tab character, rather than %-encoding?
Introducing % encoding would break all existing OAuth 2.0 deployments using HTTP Basic. A non-starter...
Tab is legal in HTTP Basic but not in URLs or presently client_ids. It's also a character that can be visibly rendered in an acceptable manner for debugging. The other choices were CR and LF, which are also legal in HTTP Basic but wouldn't render very nicely. ;-)
Cheers,
-- Mike
From: Mike Jones
Sent: Friday, June 15, 2012 9:30 AM
To: 'Eran Hammer'
Cc: George Fletcher; oauth@ietf.org<mailto:oauth@ietf.org>
Subject: RE: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
I agree with Eran that I prefer that this not be underspecified and that an encoding for just colon for just Basic will suffice.
I'd suggested the encoding s/:/<tab>/g as a strawman. Are there any other encoding proposals?
-- Mike
From: Eran Hammer [mailto:eran@hueniverse.com]<mailto:[mailto:eran@hueniverse.com]>
Sent: Friday, June 15, 2012 9:26 AM
To: Mike Jones
Cc: George Fletcher; oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
We should not leave this under specified. Picking an encoding for just Basic and just colon is simple enough.
EH
On Jun 15, 2012, at 19:17, "Mike Jones" <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
Based on use cases I'm seeing, believe it's important to allow the use of URIs as client_id values (which means allowing ":" in the client_id string). I'm OK with us either specifying a specific encoding when using them in Basic or simply saying that "When client_ids are used with HTTP Basic that contain characters such as ":" not allowed in HTTP Basic usernames, then the participants will need to agree upon a method of encoding the client_id for use with HTTP Basic.
-- Mike
From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org]<mailto:[mailto:oauth-bounces@ietf.org]> On Behalf Of George Fletcher
Sent: Friday, June 15, 2012 8:48 AM
To: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
+1 for a simple encoding and allowing ':' in the client_id
On 6/13/12 6:53 PM, Amos Jeffries wrote:
On 14.06.2012 06:40, John Bradley wrote:
That would probably work as well. That is why I am not particularly
concerned about excluding the :
We originally used the URI itself, mostly for convenience of
debugging, but there are other potential options.
The authorization server needs to compare the client_id and the
redirect uri. But it could compare the hash with not much more work.
Also a sha256 hash is probably longer than the uri it is hashing.
I am not super concerned with being able to have : in the client_id
John B.
If I'm following all these threads correctly the only explicit problem with URI in client_id is HTTP username field being : terminated.
As such it does not have to be a hash per-se, just an encoding that removes ":" and other reserved characters from the on-wire form *when sent via HTTP*.
AYJ
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Torsten Lodderstedt
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… John Bradley
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… William Mills
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Torsten Lodderstedt
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… John Bradley
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Amos Jeffries
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Jianhua Shao
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… William Mills
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Eran Hammer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Torsten Lodderstedt
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Justin Richer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… George Fletcher
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Brian Campbell
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Eran Hammer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… William Mills
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Justin Richer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Justin Richer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Justin Richer