Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON (Proposal)

[Evan Gilbert <uidude@google.com>]

On Wed, May 5, 2010 at 10:59 AM, Evan Gilbert <uidude@google.com> wrote:

>
>
> On Wed, May 5, 2010 at 10:47 AM, Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
>
>> Even if not supported directly by the platform there are many JSON
>> libraries available these days.
>>
>
> It's not hard to add JSON support, but it's a factor in the choice.
>
>
>>
>> http://www.json.org/ lists 3 libraries for Objective-C alone.
>>
>> Moreover, the JSON documents we are discussing now are simple, something
>> like
>>
>>
>> { "access_token": "SlAV32hkKG", "expires_in": "3600", "refresh_token":
>> "8xLOxBtZp8" }
>>
>> Parsing such a document is not a challenge even without library support.
>>
>
> Per notes above - the client needs to do understand form encoding anyway.
> The client needs to parse the redirect_uri and also needs to generate form
> encoded requests.
>

Also, for the User-Agent flow, parsing potentially untrusted JSON in
JavaScript is difficult. The normal path of using eval() is unsafe and leads
to XSS holes - you need to run regex matcher to verify that the JSON content
has no executable code.


>
>
>>
>> Regarding code size: What really matters on mobile devices from my point
>> of view is the size of data to be transmitted. Here, JSON is much more
>> compact than XML.
>>
>> regards,
>> Torsten.
>>
>> Am 05.05.2010 17:42, schrieb Marius Scurtescu:
>>
>>  On Wed, May 5, 2010 at 8:28 AM, Eran Hammer-Lahav<eran@hueniverse.com>
>>>  wrote:
>>>
>>>
>>>> I'll add something to the draft and we'll discuss it. There is enough
>>>> consensus on a single JSON response format.
>>>>
>>>>
>>> Yesterday I got the following feedback:
>>>
>>> On Tue, May 4, 2010 at 5:43 PM, Greg Robbins<grobbins@google.com>
>>>  wrote:
>>>
>>>
>>>> Using JSON on the iPhone requires developers to drag in source code for
>>>> a
>>>> third-party library.
>>>>
>>>> If their app isn't already relying on JSON for some other purpose, then
>>>> adding a third-party library is a somewhat substantial annoyance,
>>>> particularly for a mobile app where code size is important.
>>>>
>>>> If OAuth 2 is only intended for use with JSON APIs, then returning all
>>>> responses as JSON is reasonable. Otherwise, it's not so reasonable. A
>>>> full
>>>> JSON parser is non-trivial, and seems like overkill for simple
>>>> responses.
>>>>
>>>> The iPhone OS does have libxml2 and an event-style XML parser, but no
>>>> really
>>>> easy way to extract data from XML, either.
>>>>
>>>> Form-style responses are much more straightforward to worth with given
>>>> simple string-manipulation utilities.
>>>>
>>>>
>>> If the above is true, then I am not so sure about JSON anymore. Lots
>>> of phones and devices will have problems with it.
>>>
>>> Marius
>>>
>>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>