IETF Logo Mail Archive

Re: [OAUTH-WG] Issue: prefixing parameters with oauth_

Eran Hammer-Lahav <eran@hueniverse.com> Tue, 20 April 2010 14:55 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 778C928C13A for <oauth@core3.amsl.com>; Tue, 20 Apr 2010 07:55:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.473
X-Spam-Level:
X-Spam-Status: No, score=-2.473 tagged_above=-999 required=5 tests=[AWL=0.126, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ly+E28EBh4wB for <oauth@core3.amsl.com>; Tue, 20 Apr 2010 07:55:16 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id 001C228C0FE for <oauth@ietf.org>; Tue, 20 Apr 2010 07:55:14 -0700 (PDT)
Received: (qmail 13000 invoked from network); 20 Apr 2010 14:55:04 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 20 Apr 2010 14:55:04 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Tue, 20 Apr 2010 07:55:04 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: John Kemp <john@jkemp.net>, Peter Saint-Andre <stpeter@stpeter.im>
Date: Tue, 20 Apr 2010 07:55:10 -0700
Thread-Topic: [OAUTH-WG] Issue: prefixing parameters with oauth_
Thread-Index: AcrgdZULybGviQvdTTm3vWz58Mp66gAIbp+g
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723438E5C7F44B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <14411661-A227-4DCA-86B3-A9C5FB8055D7@gmail.com> <4BCD31BF.5090701@stpeter.im> <0420973C-FE87-4969-9986-889173D74342@jkemp.net>
In-Reply-To: <0420973C-FE87-4969-9986-889173D74342@jkemp.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Marius Scurtescu <marius.scurtescu@gmail.com>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Issue: prefixing parameters with oauth_
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2010 14:55:17 -0000

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of John Kemp
> Sent: Tuesday, April 20, 2010 3:38 AM
> To: Peter Saint-Andre
> Cc: Marius Scurtescu; OAuth WG
> Subject: Re: [OAUTH-WG] Issue: prefixing parameters with oauth_
> 
> On Apr 20, 2010, at 12:46 AM, Peter Saint-Andre wrote:
> 
> > On 4/18/10 6:46 PM, Dick Hardt wrote:
> >
> >> Given the practice that the authorization endpoint and the
> >> redirect_uri can contain URI query parameters, then differentiating
> >> between application specific query parameters and OAuth protocol
> >> parameters by prefixing the OAuth parameters with oauth_ would seem
> a
> >> useful way to minimize conflicts.
> >
> > Can't application developers avoid conflicts by giving their
> > parameters names other than those already used in OAuth?
> 
> Is every application developer (those using an OAuth library, or product)
> familiar with the names that are used in the OAuth spec?

First, the must be or how else would they interact with it or support their developers. If they are installing a client and server products, their vendor should make sure to provide a fully working solution.

The OAuth flow endpoints (as opposed to protected resource endpoints) are an *application* endpoint. This is not some add-on protocol or an extension of existing framework, or a hack. This is a fully specified application API which requires and deserves treatment like a separate, standalone application. This is not the case when accessing a protected resource which belongs to another application.

It is odd to me that none of these arguments are made for other application APIs such as Portable Contacts [1], Open Social [2], and others, all meant to be implemented within the same platforms and servers as the OAuth flow endpoints. OpenSocial for example, is implemented by a wide range of different platforms, but yet does not have an opensocial_ prefix. Are there reports of conflicts and deployment problems because of that?

The argument made for a prefix is that is *seems* to be useful. However, experience seems to point the other way that a lack of prefix does not break the web. If "seems to be useful" is the bar this working group is setting, we are going to end up with a much bigger, more complex specification.

EHL

[1] http://portablecontacts.net/draft-spec.html
[2] http://www.opensocial.org/Technical-Resources/opensocial-spec-v081/restful-protocol.html

v2.23.0 | Report a Bug | By Email