Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP syntax comments
Mike Jones <Michael.Jones@microsoft.com> Sat, 24 September 2011 00:10 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AFAA21F8564 for <oauth@ietfa.amsl.com>; Fri, 23 Sep 2011 17:10:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.484
X-Spam-Level:
X-Spam-Status: No, score=-10.484 tagged_above=-999 required=5 tests=[AWL=0.114, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ktqinn74TfCh for <oauth@ietfa.amsl.com>; Fri, 23 Sep 2011 17:10:34 -0700 (PDT)
Received: from smtp.microsoft.com (mailc.microsoft.com [131.107.115.214]) by ietfa.amsl.com (Postfix) with ESMTP id 32B3821F8CF1 for <oauth@ietf.org>; Fri, 23 Sep 2011 17:10:33 -0700 (PDT)
Received: from TK5EX14HUBC105.redmond.corp.microsoft.com (157.54.80.48) by TK5-EXGWY-E803.partners.extranet.microsoft.com (10.251.56.169) with Microsoft SMTP Server (TLS) id 8.2.176.0; Fri, 23 Sep 2011 17:13:08 -0700
Received: from TK5EX14MBXC285.redmond.corp.microsoft.com ([169.254.3.142]) by TK5EX14HUBC105.redmond.corp.microsoft.com ([157.54.80.48]) with mapi id 14.01.0339.002; Fri, 23 Sep 2011 17:13:07 -0700
From: Mike Jones <Michael.Jones@microsoft.com>
To: Julian Reschke <julian.reschke@gmx.de>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP syntax comments
Thread-Index: Acx6TrJmwcQz5MGcQbCm3dgw87x/xA==
Date: Sat, 24 Sep 2011 00:13:06 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435C1FD669@TK5EX14MBXC285.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.76]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739435C1FD669TK5EX14MBXC285r_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP syntax comments
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Sep 2011 00:10:37 -0000
Thanks for your comments, Julian. Responses to them, which reflect the content of draft 09, follow inline.
-- Mike
-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Julian Reschke
Sent: Tuesday, August 09, 2011 5:07 AM
To: OAuth WG (oauth@ietf.org)
Subject: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP syntax comments
Hi there,
below a few comments on dependencies to HTTPbis, and the actual header field syntax.
Best regards,
Julian
-- snip --
1.1. Notational Conventions
...
This document uses the Augmented Backus-Naur Form (ABNF) notation of
[I-D.ietf-httpbis-p1-messaging], which is based upon the Augmented
Backus-Naur Form (ABNF) notation of [RFC5234]. Additionally, the
following rules are included from [RFC2617]: auth-param and realm;
from [RFC3986]: URI-Reference; and from
[I-D.ietf-httpbis-p1-messaging]: RWS and quoted-string.
auth-param and realm should come from I-D.ietf-httpbis-p7-auth (optimally from a version >= 16 which we should get out before the end of the month).
Done
2. Authenticated Requests
Clients SHOULD make authenticated requests with a bearer token using
the "Authorization" request header field defined by [RFC2617].
-> HTTPbis P7
Done
2.1. The Authorization Request Header Field
The "Authorization" request header field is used by clients to make
authenticated requests with bearer tokens. The client uses the
"Bearer" authentication scheme to transmit the access token in the
request.
For example:
GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer vF9dft4qmT
The "Authorization" header field uses the framework defined by
[RFC2617] as follows:
credentials = "Bearer" RWS access-token
access-token = 1*( quoted-char / <"> )
quoted-char = ALPHA / DIGIT /
"!" / "#" / "$" / "%" / "&" / "'" / "(" / ")" /
"*" / "+" / "-" / "." / "/" / ":" / "<" / "=" /
">" / "?" / "@" / "[" / "]" / "^" / "_" / "`" /
"{" / "|" / "}" / "~" / "\" / "," / ";"
This is incompatible with the RFC2617 grammar which requires auth-params.
HTTPbis P7 will introduce an alternative syntax ("b64token"), but that is restricted to a single instance and thus not extensible.
I recommend to use auth-param syntax instead.
Thanks for pointing this out. I changed the credentials syntax to the following, which directly uses the syntax in draft-ietf-httpbis-p7-auth-16 (and so invents no new syntax):
credentials = "Bearer" 1*SP ( b64token / #auth-param )
2.2. Form-Encoded Body Parameter
...
o The entity-body follows the encoding requirements of the
"application/x-www-form-urlencoded" content-type as defined by
[W3C.REC-html401-19991224].
o The HTTP request entity-header includes the "Content-Type" header
field set to "application/x-www-form-urlencoded".
What about parameters?
Is there specific language either allowing or ruling out parameters to the content-type value that you believe would be appropriate? Can you provide a concrete motivating example?
o The HTTP request method is one for which a body is permitted to be
present in the request. In particular, this means that the "GET"
method MUST NOT be used.
GET permits a body; it's just not useful.
Changed sentence to "The HTTP request method is one for which the request body has defined semantics", per your suggestion in a private thread.
2.4. The WWW-Authenticate Response Header Field
If the protected resource request does not include authentication
credentials or contains an invalid access token, the resource server
MUST include the HTTP "WWW-Authenticate" response header field; it
MAY include it in response to other conditions as well. The
"WWW-Authenticate" header field uses the framework defined by
[RFC2617] as follows:
-> HTTPbis P7
Done
challenge = "Bearer" [ RWS 1#param ]
-> please stick to the syntax defined in the authentication framework,
so use "auth-param", and just define the allowed parameters separately.
I have changed the RWS to 1*SP to match httpbis-p7-auth. I retained the "param" definition so as to be able to clearly syntactically limit the acceptable set of parameters.
param = realm / scope /
error / error-desc / error-uri /
auth-param
scope = "scope" "=" <"> scope-v *( SP scope-v ) <">
scope-v = 1*quoted-char
-> This seems to override the quoted-string syntax. Don't. Generic
parsers *will* use the quoted-string syntax.
quoted-char = ALPHA / DIGIT /
"!" / "#" / "$" / "%" / "&" / "'" / "(" / ")" /
"*" / "+" / "-" / "." / "/" / ":" / "<" / "=" /
">" / "?" / "@" / "[" / "]" / "^" / "_" / "`" /
"{" / "|" / "}" / "~" / "\" / "," / ";"
This issue is tracked as issue #26. The proposed resolution to this issue is being discussed in a separate thread.
error = "error" "=" quoted-string
error-desc = "error_description" "=" quoted-string
error-uri = "error_uri" "=" <"> URI-reference <">
-> missing I18N considerations
The draft now contains: "the resource server MAY include the error_description attribute to provide developers a UTF-8 encoded human-readable explanation". (The UTF-8 language now matches the core spec.)
There was an explicit working decision not to include language codes. This is recorded in the meeting minutes sent to the list by Hannes Tschofenig on 6/3/11. The key part of the minutes is:
*** Error Description ***
Agreement among the participants that the error codes are meant for consumption by the developer rather than the end user. Hence, language codes are not important nor a human readable version that is supposed to be understood by end users.
-> weird syntax (why underscore?)
The OAuth specs have always used underscores to separate words in protocol messages.
-> the generic syntax allows token in addition to quoted-string; it's
pointless to rule that out here
The reply syntax is intentionally restricted to simplify implementations.
4. IANA Considerations
-> If you have a dependency on HTTPbis then you should also add the
registration for the authentication scheme as defined in HTTPbis P7.
Done
- [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP syn… Julian Reschke
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Peter Saint-Andre
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Mike Jones
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Mike Jones
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Julian Reschke
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Mike Jones
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… William Mills
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Julian Reschke
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Julian Reschke
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Mike Jones
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Julian Reschke