IETF Logo Mail Archive

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

"Manger, James H" <James.H.Manger@team.telstra.com> Fri, 21 May 2010 03:42 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 454293A6A5A for <oauth@core3.amsl.com>; Thu, 20 May 2010 20:42:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.544
X-Spam-Level: *
X-Spam-Status: No, score=1.544 tagged_above=-999 required=5 tests=[AWL=-0.155, BAYES_50=0.001, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TGjwJvNFiHhv for <oauth@core3.amsl.com>; Thu, 20 May 2010 20:42:08 -0700 (PDT)
Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) by core3.amsl.com (Postfix) with ESMTP id 120133A7CFD for <oauth@ietf.org>; Thu, 20 May 2010 19:33:40 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.53,274,1272808800"; d="scan'208";a="3406194"
Received: from unknown (HELO ipcbvi.tcif.telstra.com.au) ([10.97.217.204]) by ipocvi.tcif.telstra.com.au with ESMTP; 21 May 2010 12:33:33 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,5988"; a="2212652"
Received: from wsmsg3751.srv.dir.telstra.com ([172.49.40.172]) by ipcbvi.tcif.telstra.com.au with ESMTP; 21 May 2010 12:33:33 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3751.srv.dir.telstra.com ([172.49.40.172]) with mapi; Fri, 21 May 2010 12:33:33 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Marius Scurtescu <mscurtescu@google.com>
Date: Fri, 21 May 2010 12:33:31 +1000
Thread-Topic: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
Thread-Index: Acr4NzUWY2FTmG8xQB+BiXl0erTnUgARvBng
Message-ID: <255B9BB34FB7D647A506DC292726F6E112638877F9@WSMSG3153V.srv.dir.telstra.com>
References: <ADB082E11CEB5D49A3CC03E49DCECE02378CB8A679@P3PW5EX1MB01.EX1.SECURESERVER.NET> <7C01E631FF4B654FA1E783F1C0265F8C4A42BFCC@TK5EX14MBXC117.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E72343B3B69895B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTimiSqQjOsxDMxFGjIkP3xDQVHge6OJUPu9CYxHf@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3B6989D0@P3PW5EX1MB01.EX1.SECURESERVER.NET> <09A6EF98-7406-43D8-9B1C-C16E38CA35D1@gmail.com> <7C01E631FF4B654FA1E783F1C0265F8C4A4312FC@TK5EX14MBXC117.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E72343B3B699132@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTinlwZpM4PBHSR1t1whWR2p38PHq9VpcJw4p77vs@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112637B8285@WSMSG3153V.srv.dir.telstra.com> <AANLkTin6LlrnLNAmubR2ez21ZbukcNv_Ag7jB_oUHDbY@mail.gmail.com>
In-Reply-To: <AANLkTin6LlrnLNAmubR2ez21ZbukcNv_Ag7jB_oUHDbY@mail.gmail.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 May 2010 03:42:09 -0000

Marius,


>> I wouldn't be surprised if, in some scenarios, the token info gets too big to fit in a URI. In that case even the user-agent flow will need to make a direct request to get the token info, which is more likely to be delivered as JSON. OpenID and SAML have found they need this (eg artefact flows).

> In this case the user-agent flow becomes the web server flow, which
> does this already, no?

The hassle is that the client chooses type=user_agent at the start so the authz server cannot change this to a web_server flow later if the response doesn't fit in the redirect URI.

The spec should change this -- allowing the authz server to choose to respond with token details in the redirect URI or with token details available at a token URI.
When it is the server's choice, the client needs to handle both possibilities.




On the other issues:

> parsing JSON in JavaScript can be tricky

This is not true.
My understanding is that the current versions of Firefox, IE, Opera, Chrome, and Safari all support JSON.parse().
In older browsers you may need to use eval(), but the JSON RFC (and Evan's email) show how to make that safe with 3 lines of code; or use json2.js (available from json.org) that implements JSON.parse() for older browsers.


> decoding Base64 is yet one more thing, much more complicated than percent decoding.

Base64 is so widely used that I don't consider it unreasonable to require.
Base64url is less common, but just as simple.
I don't think it is more complicated that %-decoding.

--
James Manger

v2.23.0 | Report a Bug | By Email