IETF Logo Mail Archive

Re: [OAUTH-WG] Partially standardized format for access tokens?

John Kemp <john@jkemp.net> Mon, 07 June 2010 17:33 UTC

Return-Path: <john@jkemp.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D6B0C28C152 for <oauth@core3.amsl.com>; Mon, 7 Jun 2010 10:33:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.335
X-Spam-Level:
X-Spam-Status: No, score=0.335 tagged_above=-999 required=5 tests=[BAYES_50=0.001, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ejs1WfvDKDQj for <oauth@core3.amsl.com>; Mon, 7 Jun 2010 10:33:09 -0700 (PDT)
Received: from cpoproxy1-pub.bluehost.com (cpoproxy1-pub.bluehost.com [69.89.21.11]) by core3.amsl.com (Postfix) with SMTP id 4236E3A695A for <oauth@ietf.org>; Mon, 7 Jun 2010 09:39:03 -0700 (PDT)
Received: (qmail 30470 invoked by uid 0); 7 Jun 2010 16:39:04 -0000
Received: from unknown (HELO box320.bluehost.com) (69.89.31.120) by cpoproxy1.bluehost.com with SMTP; 7 Jun 2010 16:39:04 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=jkemp.net; h=Received:Subject:Mime-Version:Content-Type:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:X-Mailer:X-Identified-User; b=cCjZC6xK2Ejao0a9Rx5yESEpVJqGflj69o2HG6/BIu250eH89Wj5PZoOSOygLVpzpatVsDejTSId1OWTSUDp3C7k+oQH5QgSrhPol5IfEahqupaOLxbHa5pNbifZSvbH;
Received: from cpe-69-205-56-47.nycap.res.rr.com ([69.205.56.47] helo=[192.168.1.107]) by box320.bluehost.com with esmtpa (Exim 4.69) (envelope-from <john@jkemp.net>) id 1OLfLr-0000PP-Ir; Mon, 07 Jun 2010 10:39:03 -0600
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset="us-ascii"
From: John Kemp <john@jkemp.net>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E11263E5DA7C@WSMSG3153V.srv.dir.telstra.com>
Date: Mon, 07 Jun 2010 12:39:00 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <383A9188-1AA6-49FE-95FC-5D6316BD18CD@jkemp.net>
References: <AANLkTinQTV9JJPiftquRbvdqAOHxUXk7QQKCMrmQ4LLK@mail.gmail.com> <B549E6C4-A24D-4032-8A26-89ED58EBAA34@facebook.com> <4C090B6C.9030707@aol.com> <B6D1E6FF-D65F-4FD6-B148-C17550421FC9@facebook.com> <AANLkTilj0xG6SjHrzkd9Ca-N67J7IlsTNAOkyFdjQ62I@mail.gmail.com> <ED86A2AA-56D5-4DC6-B896-48A850EED3B2@facebook.com> <4C0930B2.80802@aol.com> <AANLkTimupEDpBUjg4iwwhPQ41ZKcryMcpVjJumXNIjP0@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E11263E5DA7C@WSMSG3153V.srv.dir.telstra.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
X-Mailer: Apple Mail (2.1078)
X-Identified-User: {1122:box320.bluehost.com:jkempnet:jkemp.net} {sentby:smtp auth 69.205.56.47 authed with john+jkemp.net}
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Partially standardized format for access tokens?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jun 2010 17:33:16 -0000

On Jun 6, 2010, at 11:14 PM, Manger, James H wrote:

> OAuth2 has a field for AS-to-PR communications via (but opaque to) the client: access_token. Any format indication (like a variety of other details) that an AS wants to convey to the PR via the client app should be *inside* this existing field.

I take your point, I think, that the format is a description of the token, and should thus be "inside" the token. 

However, in this case, what we're calling a token is simply an "opaque string" - an opaque string only becomes a token via some mapping made by some entity (one or more entities) able to make the mapping. 

I think it would be more accurate to call what we currently call token a "token_string" or "artifact" or anything else that indicates that the thing you're passing around often isn't the token itself but a compressed version, or pointer to the actual token. But if we keep calling it token, I still think we should be clear on what it actually is. 

I don't think the "format" which defines the mapping from token string to token belongs inside the token string. 

> 
> Defining an optional prefix for access_token values to indicate the format would work well.
> I suggest a plain text label separated by, say, a "." from the rest of the value. For example:
>  access_token=saml.fhHFhgf6575fhgFGrytr

What is the advantage of doing it this way over having a separate field? What if the format is a URI? 

> There can be an IANA registry for prefixes if that is helpful.

Personally, I'd like to see this solution be a bit more distributed, and a registry isn't.

- johnk

> A service currently supporting a single token format can start its access_token values with "." so at least they will not accidentally clash with any future values that do specify a format.
>  access_token=.6786345_JGJSgfjhsgfhj-ss_s
> A service that will never need token format interop doesn't need to using any prefix (empty or otherwise), and can use dots however it wants.
> 
> 
> 
> P.S. OAuth2 has no explicit statement about allowed chars in an access_token. The <token-id> ABNF in section 5.1 "Authz Request Header" implies 77 ASCII chars are allowed.
> I think the spec should explicitly say access_token values can only use the 66 <unreserved> chars. It avoids escaping issues in XML attributes, XML content, JSON, URIs, form bodies, HTTP headers etc. It is safer (less chance of XSS-style bugs); it can easily support arbitrary text or binary formats by using a base64url encoding.
> 
> -- 
> James Manger
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email