Re: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?

Mike Jones <Michael.Jones@microsoft.com> Wed, 04 January 2012 22:17 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, William Mills <wmills@yahoo-inc.com>
Thread-Topic: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?
Date: Wed, 04 Jan 2012 22:17:02 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435F7A9464@TK5EX14MBXC284.redmond.corp.microsoft.com>
In-Reply-To: <5E5EA7F9-B4A0-4DCB-801C-3C0F4EC36A1E@ve7jtb.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, Mark Nottingham <mnot@mnot.net>, Barry Leiba <barryleiba@computer.org>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?

There are actually two parts to "this" as I see it:
1.  Defining the syntax for the acceptable contents of the scope, error, error_description, and error_uri parameters.
2.  Defining the means by which these values are transmitted in WWW-Authenticate response header fields for Bearer tokens.

I would be fine seeing part 1 added to the core spec.  (In fact, there is a tracked issue, OAuth ticket 27 <http://trac.tools.ietf.org/wg/oauth/trac/ticket/27>, requiring that this occur for the scope parameter.)  Given that the core spec is, by design, agnostic of the method used to access protected resources (including being agnostic of the use of the WWW-Authenticate field by the Bearer spec), I believe that it would be inappropriate to add part 2 to the core spec.

                                                                Cheers,
                                                                -- Mike

From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Wednesday, January 04, 2012 1:40 PM
To: William Mills
Cc: Mike Jones; Julian Reschke; Mark Nottingham; Barry Leiba; OAuth WG
Subject: Re: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?

You are correct.  The Core spec should include this.  However, for one reason or another, it is not in the core spec and probably will not be, given that it is in last call.

One way or other we need to identify the correct answer.

John B.

On 2012-01-03, at 5:37 PM, William Mills wrote:


OK, then the core spec should.

________________________________
From: Mike Jones <Michael.Jones@microsoft.com>
To: William Mills <wmills@yahoo-inc.com>; Julian Reschke <julian.reschke@gmx.de>
Cc: Mark Nottingham <mnot@mnot.net>; Barry Leiba <barryleiba@computer.org>; OAuth WG <oauth@ietf.org>
Sent: Tuesday, January 3, 2012 12:20 PM
Subject: RE: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?
Sorry, I should have been more precise.  The Core spec doesn't define how to transmit these fields in the WWW-Authenticate response header field.  The Bearer spec does.

                                                                -- Mike

From: William Mills [mailto:wmills@yahoo-inc.com]
Sent: Tuesday, January 03, 2012 12:14 PM
To: Mike Jones; Julian Reschke
Cc: Mark Nottingham; Barry Leiba; OAuth WG
Subject: Re: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?

http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-11.2.2 certainly has these as predefined registered parameters.  If the definition there isn't strong enough, or in that spec, we should fix that.  That is where these should be defined.

________________________________
From: Mike Jones <Michael.Jones@microsoft.com>
To: William Mills <wmills@yahoo-inc.com>; Julian Reschke <julian.reschke@gmx.de>
Cc: Mark Nottingham <mnot@mnot.net>; Barry Leiba <barryleiba@computer.org>; OAuth WG <oauth@ietf.org>
Sent: Tuesday, January 3, 2012 12:00 PM
Subject: RE: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?
The core spec doesn't include these parameters.

From: William Mills [mailto:wmills@yahoo-inc.com]
Sent: Tuesday, January 03, 2012 12:00 PM
To: Mike Jones; Julian Reschke
Cc: Mark Nottingham; Barry Leiba; OAuth WG
Subject: Re: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?

Why is Bearer dealing with this at all?  The BNF for that stuff should be part of the core spec, and additional values perhaps defined in Bearer.

________________________________
From: Mike Jones <Michael.Jones@microsoft.com>
To: William Mills <wmills@yahoo-inc.com>; Julian Reschke <julian.reschke@gmx.de>
Cc: Mark Nottingham <mnot@mnot.net>; Barry Leiba <barryleiba@computer.org>; OAuth WG <oauth@ietf.org>
Sent: Tuesday, January 3, 2012 11:46 AM
Subject: RE: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?
This is about the syntax for the scope, error, and error_description parameters.  The pertinent text from Section 3 <http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-15#section-3> is:

   Producers of "scope" strings MUST NOT use characters outside the set
   %x21 / %x23-5B / %x5D-7E for representing the scope values and %x20
   for the delimiter.  Producers of "error" and "error_description"
   strings MUST NOT use characters outside the set %x20-21 / %x23-5B /
   %x5D-7E for representing these values.  Producers of "error-uri"
   strings MUST NOT use characters outside the set %x21 / %x23-5B /
   %x5D-7E for representing these values.  Furthermore, "error-uri"
   strings MUST conform to the URI-Reference syntax.  In all these
   cases, no character quoting will occur, as senders are prohibited
   from using the %5C ('\') character.

                                                            Cheers,
                                                            -- Mike
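An added example (not from the Bearer draft or from anyone in this thread) that checks produced values against the character sets quoted above and shows the consequence Mike points to: because %x22 (") and %x5C (\) are excluded from every set, a conforming value goes into a quoted-string auth-param verbatim. The URI-Reference check is a character-level approximation of RFC 3986, not a full grammar check, and requiring non-empty values is this example's assumption.

```python
import re

# Character sets as quoted from draft-ietf-oauth-v2-bearer-15, Section 3.
# %x22 (") and %x5C (\) are excluded from every set, so a conforming value can
# be placed in a quoted-string auth-param unchanged; CR and LF are excluded too,
# so the same check blocks header-splitting via attacker-influenced text.
_SCOPE_TOKEN = re.compile(r'[\x21\x23-\x5B\x5D-\x7E]+')        # %x21 / %x23-5B / %x5D-7E
_ERROR_TEXT = re.compile(r'[\x20-\x21\x23-\x5B\x5D-\x7E]+')    # %x20-21 / %x23-5B / %x5D-7E
# Approximation of URI-Reference (RFC 3986): only its permitted characters and
# well-formed percent-escapes; not a full grammar check (example simplification).
_URI_REF = re.compile(r"(?:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]|%[0-9A-Fa-f]{2})*")


def validate_scope(value):
    """One or more scope tokens separated by single %x20 delimiters."""
    return all(_SCOPE_TOKEN.fullmatch(t) for t in value.split(' '))


def validate_error_text(value):
    """error / error_description: the %x20-21 / %x23-5B / %x5D-7E set (non-empty)."""
    return _ERROR_TEXT.fullmatch(value) is not None


def validate_error_uri(value):
    """error_uri: the scope character set plus (approximate) URI-Reference syntax."""
    return (_SCOPE_TOKEN.fullmatch(value) is not None
            and _URI_REF.fullmatch(value) is not None)


_CHECKS = {
    'scope': validate_scope,
    'error': validate_error_text,
    'error_description': validate_error_text,
    'error_uri': validate_error_uri,
}


def build_bearer_challenge(realm=None, **params):
    """Build a WWW-Authenticate: Bearer value, rejecting any parameter whose
    value leaves its permitted set; conforming values are emitted without escaping."""
    parts = []
    if realm is not None:
        # realm is not covered by Section 3; this example reuses the error text set.
        if not validate_error_text(realm):
            raise ValueError('realm contains a character outside the permitted set')
        parts.append(f'realm="{realm}"')
    for name, value in params.items():
        check = _CHECKS.get(name)
        if check is None or not check(value):
            raise ValueError(f'{name}={value!r} is unknown or outside its permitted set')
        parts.append(f'{name}="{value}"')   # verbatim: no %x22 or %x5C can be present
    return 'Bearer ' + ', '.join(parts)
```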

From: William Mills [mailto:wmills@yahoo-inc.com]
Sent: Tuesday, January 03, 2012 11:36 AM
To: Mike Jones; Julian Reschke
Cc: Mark Nottingham; Barry Leiba; OAuth WG
Subject: Re: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?

Is all this only around the scope parameter?  My mail cited below is with regards to the character set for a valid scope parameter, which we should be able to define and then lean on the HTTPbis spec for the actual parameter syntax.

________________________________
From: Mike Jones <Michael.Jones@microsoft.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Mark Nottingham <mnot@mnot.net>; Barry Leiba <barryleiba@computer.org>; OAuth WG <oauth@ietf.org>
Sent: Friday, December 30, 2011 3:19 PM
Subject: Re: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?

I did already back the statement that this is the working group consensus with the e-mails attached in this note sent to you on December 12, 2011:
  - http://www.ietf.org/mail-archive/web/oauth/current/msg08042.html

But since that apparently wasn't convincing to you that this working group decision represents more than "just me disagreeing with you", here are references to individual messages referenced in the above e-mail:
  - Eran Hammer-Lahav: http://www.ietf.org/mail-archive/web/oauth/current/msg07698.html
  - John Bradley:  http://www.ietf.org/mail-archive/web/oauth/current/msg07699.html
  - William Mills:  http://www.ietf.org/mail-archive/web/oauth/current/msg07700.html
  - Mike Jones:  http://www.ietf.org/mail-archive/web/oauth/current/msg07701.html
  - Phil Hunt:  http://www.ietf.org/mail-archive/web/oauth/current/msg07702.html
  - Justin Richer:  http://www.ietf.org/mail-archive/web/oauth/current/msg07692.html

As for your assertion that the specs are in conflict, yes, the Bearer spec includes a different decision than a RECOMMENDED clause in the HTTPbis spec (which was added after the Bearer text was already in place).  However, it is not violating any MUST clauses in the HTTPbis spec.  Given that no MUSTs are violated, I don't see it mandatory for this tension to be resolved in favor of one spec or the other in order for both to be approved as RFCs.  I look forward to seeing that happen soon in both cases (and for the OAuth core spec as well).

                Best wishes,
                -- Mike

-----Original Message-----
From: Julian Reschke [mailto:julian.reschke@gmx.de]
Sent: Friday, December 30, 2011 2:26 AM
To: Mike Jones
Cc: Barry Leiba; Mark Nottingham; OAuth WG
Subject: Re: auth-param syntax, was: [OAUTH-WG] OK to post OAuth Bearer draft 15?

On 2011-12-29 22:18, Mike Jones wrote:
> You proposed, Julian "3. Do not specify the ABNF. The ABNF of the WWW-Authenticate is defined in HTTPbis. Just state the names of the parameters, their syntax *after* parsing and their semantics."
>
> About some of Mark Nottingham's comments, Barry wrote "Let me point out that "this represents working-group consensus" is not always a valid response.  If the working group has actually considered the *issue*, that might be OK.  But if there's consensus for the chosen solution and someone brings up a *new* issue with it, that issue needs to be addressed anew."
>
> Relative to these two statements, I believe that I should remark at this point that your proposed semantics of only considering the syntax after potential quoting was explicitly considered earlier by the working group and rejected.  The consensus, instead, was for the present "no quoting will occur for legal inputs" semantics.

It would be helpful if you could back this statement with pointers to mails. As far as I can tell it's just you disagreeing with me.

Back to the facts:

a) the bearer spec defines an HTTP authentication scheme, and normatively refers to HTTPbis Part7 for that

b) HTTPbis recommends new scheme definitions not to have their own ABNF, as the header field syntax is defined by HTTPbis, not the individual scheme

c) the bearer spec defines its own ABNF nevertheless

So the two specs are in conflict, and we should resolve the conflict one way or the other.

If you disagree with the recommendation in HTTPbis, then you really really should come over to HTTPbis WG and argue your point of view.

If you agree with it, but think that the bearer spec can't follow the recommendation, then it would be good to explain the reasoning (optimally in the spec).

If you agree with it, and think the bearer spec *could* follow it, then... change it, by all means.

Anyway, if this issue isn't resolved before IETF LC then it will be raised again at that time.


> I believe that in the New Year the chairs and area directors will need to decide how to proceed on this issue.  (The working group consensus, as I see it, is already both well-informed and clear on this point, but I understand that that's not the only consideration.)  It would be good to see the spec finished shortly.
> ...

Best regards, Julian



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth