Re: [OAUTH-WG] Proposed resolution for issue 26
"Manger, James H" <James.H.Manger@team.telstra.com> Wed, 28 September 2011 03:48 UTC
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5397F21F8BDC for <oauth@ietfa.amsl.com>; Tue, 27 Sep 2011 20:48:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.432
X-Spam-Level:
X-Spam-Status: No, score=-2.432 tagged_above=-999 required=5 tests=[AWL=-1.531, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0IqI3YSGY3qj for <oauth@ietfa.amsl.com>; Tue, 27 Sep 2011 20:48:21 -0700 (PDT)
Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) by ietfa.amsl.com (Postfix) with ESMTP id 2E21B21F8CBD for <oauth@ietf.org>; Tue, 27 Sep 2011 20:48:13 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.68,453,1312120800"; d="scan'208";a="49041916"
Received: from unknown (HELO ipcbvi.tcif.telstra.com.au) ([10.97.217.204]) by ipocvi.tcif.telstra.com.au with ESMTP; 28 Sep 2011 13:50:54 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,6482"; a="37866575"
Received: from wsmsg3704.srv.dir.telstra.com ([172.49.40.197]) by ipcbvi.tcif.telstra.com.au with ESMTP; 28 Sep 2011 13:50:54 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3704.srv.dir.telstra.com ([172.49.40.197]) with mapi; Wed, 28 Sep 2011 13:50:53 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 28 Sep 2011 13:50:52 +1000
Thread-Topic: [OAUTH-WG] Proposed resolution for issue 26
Thread-Index: Acx5+RoYuC5sLQs0Spy/pi+T441Q9ABABAUAAGEPyiAAQvblAA==
Message-ID: <255B9BB34FB7D647A506DC292726F6E1128FF826E5@WSMSG3153V.srv.dir.telstra.com>
References: <4E1F6AAD24975D4BA5B16804296739435C1FC6A1@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAC4RtVDOPaMif55L6JAU4C8aERHgt6M0ntet7GKwgQJbUQKMZw@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739435C2148B5@TK5EX14MBXC285.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435C2148B5@TK5EX14MBXC285.redmond.corp.microsoft.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Proposed resolution for issue 26
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2011 03:48:22 -0000
I'll have another go trying to explain the problem I see with the scope parameter in the Bearer spec. Consider a French social network that decides to offer an API using OAuth2. It chooses 3 scope values for parts of the API related to family, friends, and business colleagues: * "famille" * "ami" * "collègues" Let's focus on the last scope. The site describes the scope and its semantics in HTML developer docs. That works. <dt>collègues</dt><dd>...</dd> Client apps construct authorization URIs to which users are sent. That works. https://example.fr/authz?scope=coll%C3%A8gues... The authorization server issues credentials in a JSON token response. That works. { "access_token":"SlAV32hkKG", "scope":"coll\u00E8gues", ...} The authorization server also supports implicit grants. That works. Location: https://app.client.org/callback#scope=coll%C3%A8gues... Client apps request protected resources (without needing to mention scope). That works. Authorization: Bearer vF9dft4qmT A protected resource server responds with a 401 error when a bearer token is wrong. They don't know what to put in the HTTP response header scope parameter: "collègues" does not fit. One server knows HTTP headers have historically used ISO-8859-1. WWW-Authenticate: Bearer scope="coll<E8>gues", error_description="opps"... Another server sees that error_description is specified as UTF-8 so uses that. WWW-Authenticate: Bearer scope="coll<C3><A8>gues", error_description="opps"... A third server reasons that the value will be copied to an authz URI so uses URI-escaping. WWW-Authenticate: Bearer scope="coll%C3%A8gues", error_description="opps"... A fourth server thinks JSON-escaping looks most like HTTP's quoted-string quoting (both use '\'). WWW-Authenticate: Bearer scope="coll\u00E8gues", error_description="opps"... A fifth uses RFC 5987 "Character Set and Language Encoding for HTTP Header Field Parameters": WWW-Authenticate: Bearer scope*=UTF-8''coll%C3%A8gues, error_description="opps"... It is a total interoperability failure for the client apps. The paragraph in the Bearer spec saying the encoding of the scope values is up to each "particular deployment context" looks like a cruel joke to the app and library developers. -- James Manger -----Original Message----- From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones Sent: Tuesday, 27 September 2011 5:03 AM To: Barry Leiba Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Proposed resolution for issue 26 Sounds good to me. Are others good with this wording? -- Mike -----Original Message----- From: barryleiba.mailing.lists@gmail.com [mailto:barryleiba.mailing.lists@gmail.com] On Behalf Of Barry Leiba Sent: Saturday, September 24, 2011 6:33 AM To: Mike Jones Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Proposed resolution for issue 26 > My proposed resolution is that %-encoding not be required in the > specification I agree with your analysis, now that I see it laid out clearly. I would feel better, though, if there were text in the document that explained that to others, who read it later. Perhaps, using your words, we could make this change to section 2.4: OLD The "scope" attribute is a space-delimited list of scope values indicating the required scope of the access token for accessing the requested resource. The "scope" attribute MUST NOT appear more than once. NEW The "scope" attribute is a space-delimited list of scope values indicating the required scope of the access token for accessing the requested resource. The "scope" attribute MUST NOT appear more than once. Interpretation of scope strings requires semantic agreement on the meaning of the scope strings between the parties participating the OAuth flow. Should an encoding be used for scope strings in a particular deployment context, participants have to have agreed upon that encoding, just as they agree on other OAuth configuration parameters. Does that work? Barry
- [OAUTH-WG] Proposed resolution for issue 26 Mike Jones
- Re: [OAUTH-WG] Proposed resolution for issue 26 Barry Leiba
- Re: [OAUTH-WG] Proposed resolution for issue 26 Manger, James H
- Re: [OAUTH-WG] Proposed resolution for issue 26 Mike Jones
- Re: [OAUTH-WG] Proposed resolution for issue 26 Mike Jones
- Re: [OAUTH-WG] Proposed resolution for issue 26 Manger, James H
- Re: [OAUTH-WG] Proposed resolution for issue 26 Manger, James H
- Re: [OAUTH-WG] Proposed resolution for issue 26 Barry Leiba
- Re: [OAUTH-WG] Proposed resolution for issue 26 Julian Reschke
- Re: [OAUTH-WG] Proposed resolution for issue 26 Mike Jones
- Re: [OAUTH-WG] Proposed resolution for issue 26 Marius Scurtescu
- Re: [OAUTH-WG] Proposed resolution for issue 26 Brian Campbell
- Re: [OAUTH-WG] Proposed resolution for issue 26 Mark Lentczner
- Re: [OAUTH-WG] Proposed resolution for issue 26 Julian Reschke
- Re: [OAUTH-WG] Proposed resolution for issue 26 Justin Richer
- Re: [OAUTH-WG] Proposed resolution for issue 26 Julian Reschke