IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions

William Mills <wmills@yahoo-inc.com> Fri, 15 June 2012 18:12 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 662E421F859A for <oauth@ietfa.amsl.com>; Fri, 15 Jun 2012 11:12:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.522
X-Spam-Level:
X-Spam-Status: No, score=-17.522 tagged_above=-999 required=5 tests=[AWL=0.076, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ml39nSfJ62P0 for <oauth@ietfa.amsl.com>; Fri, 15 Jun 2012 11:12:51 -0700 (PDT)
Received: from nm14.bullet.mail.bf1.yahoo.com (nm14.bullet.mail.bf1.yahoo.com [98.139.212.173]) by ietfa.amsl.com (Postfix) with SMTP id 9EB7621F858A for <oauth@ietf.org>; Fri, 15 Jun 2012 11:12:50 -0700 (PDT)
Received: from [98.139.214.32] by nm14.bullet.mail.bf1.yahoo.com with NNFMP; 15 Jun 2012 18:12:50 -0000
Received: from [98.139.212.218] by tm15.bullet.mail.bf1.yahoo.com with NNFMP; 15 Jun 2012 18:12:49 -0000
Received: from [127.0.0.1] by omp1027.mail.bf1.yahoo.com with NNFMP; 15 Jun 2012 18:12:49 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 975917.32643.bm@omp1027.mail.bf1.yahoo.com
Received: (qmail 80686 invoked by uid 60001); 15 Jun 2012 18:12:49 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1339783969; bh=V6pS4+kWY0jg15A1hiAVMFjhp5IOV991aM7t0QnDYzU=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=Oex1apaMC8VIgCE7rM1zZakYs3rtJI8rrAcezmSrlUe7KeXI8gr99rC3RfmPNIo6sfCGZ6X6u3Rff7WSMQ3bS0PPtzF/EHVV0xFrMrd+DIoMVVrNaF4FaR7xl58hyUIj7rmlt2e23iww24ftdbjs7ct5q4HEt0QVPhxlvxMNkDQ=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=T9cDlG7MScmudFVZ/pCPzferp8RiVBbcmX4K2U8RYHfOtLtZWH4accv5pqrPs4G8eteLVntnKwrsUT/IcL09/p4gxliD4CNEqlDFbOSZ/jOzppJcCsZ3bR5JbL2s8muYllfYUQtXoIntlytv0eJ8HBuvvfAljItlgN4eyvnywjw=;
X-YMail-OSG: .eaxovkVM1kgepvTmtphLY1eIZ46hGMzWR0aPNs9So1NUcS jxM5m3pY1WJF7uLN1MmxCYkefNP88SFMrFhpPz_xOulEELQG7b0myIiXRJSx _UQHi06PkrB3vGBW3niHqNqlg01KKitjFSsd3QPaVbwKI_1Tizcs0j6Ioz_P RxbD7tGbfgr2Ihr7.Wv7zT0aUFuVzmL5Nl3jygrxp_AB6WZ69jvgwzFI18Sw WNhdS8njC.0F4Sv0ONifJ57fSj9V6mt3LVT.vc5K8XJpK1fpVHjqF2FBjQnW kjEJzwhD3U_ewrzrxpEFHGqkWFYg7S5RvHFhK2zqMVkCc0o8y.QgQc8ANov_ xUDDP.q8kKumeYgEulL2b6JGyXWuueEpYJwpzzdMoTK1hQ8wr7P3aB1gzCT4 c_7Bfrem6O0aFDkr298OTgF1ehciwPU6vG5w_Qh.DW8eiImVKnu0-
Received: from [209.131.62.115] by web31806.mail.mud.yahoo.com via HTTP; Fri, 15 Jun 2012 11:12:49 PDT
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.120.356233
References: <9dbeab60-8fe4-4828-9c52-d7af95378f4c@email.android.com> <0ec59f35-4a66-4719-adf3-114dab0d1d48@email.android.com> <40240328-0247-4278-BB7B-BE89AE130076@ve7jtb.com> <a55ad34e52e0f9755e548106d27c4b8c@treenet.co.nz> <4FDB593B.4080508@aol.com>, <4E1F6AAD24975D4BA5B16804296739436654ABB1@TK5EX14MBXC283.redmond.corp.microsoft.com> <DDC84727-1B5F-48AD-AC3F-DB9700838955@hueniverse.com> <4E1F6AAD24975D4BA5B16804296739436654B001@TK5EX14MBXC283.redmond.corp.microsoft.com>
Message-ID: <1339783969.62797.YahooMailNeo@web31806.mail.mud.yahoo.com>
Date: Fri, 15 Jun 2012 11:12:49 -0700
From: William Mills <wmills@yahoo-inc.com>
To: Mike Jones <Michael.Jones@microsoft.com>, George Fletcher <gffletch@aol.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436654B001@TK5EX14MBXC283.redmond.corp.microsoft.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-1055047407-2024870578-1339783969=:62797"
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jun 2012 18:12:52 -0000

Aesthetically this makes my tummy hurt...

That said, I think it will work, and I'm willing to go with it.




>________________________________
> From: Mike Jones <Michael.Jones@microsoft.com>
>To: George Fletcher <gffletch@aol.com> 
>Cc: "oauth@ietf.org" <oauth@ietf.org> 
>Sent: Friday, June 15, 2012 10:30 AM
>Subject: Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
> 
>
> 
>I was asked a question off-list, which I think is worth answering on-line.  The question was:  Why the Tab character, rather than %-encoding?
> 
>Introducing % encoding would break all existing OAuth 2.0 deployments using HTTP Basic.  A non-starter…
> 
>Tab is legal in HTTP Basic but not in URLs or presently client_ids.  It’s also a character that can be visibly rendered in an acceptable manner for debugging.  The other choices were CR and LF, which are also legal in HTTP Basic but wouldn’t render very nicely. ;-)
> 
>                                                            Cheers,
>                                                            -- Mike
> 
>From:Mike Jones 
>Sent: Friday, June 15, 2012 9:30 AM
>To: 'Eran Hammer'
>Cc: George Fletcher; oauth@ietf.org
>Subject: RE: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
> 
>I agree with Eran that I prefer that this not be underspecified and that an encoding for just colon for just Basic will suffice.
> 
>I’d suggested the encoding s/:/<tab>/g as a strawman.  Are there any other encoding proposals?
> 
>                                                            -- Mike
> 
>From:Eran Hammer [mailto:eran@hueniverse.com] 
>Sent: Friday, June 15, 2012 9:26 AM
>To: Mike Jones
>Cc: George Fletcher; oauth@ietf.org
>Subject: Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
> 
>We should not leave this under specified. Picking an encoding for just Basic and just colon is simple enough. 
> 
>EH
>
>On Jun 15, 2012, at 19:17, "Mike Jones" <Michael.Jones@microsoft.com> wrote:
>Based on use cases I’m seeing, believe it’s important to allow the use of URIs as client_id values (which means allowing “:” in the client_id string).  I’m OK with us either specifying a specific encoding when using them in Basic or simply saying that “When client_ids are used with HTTP Basic that contain characters such as “:” not allowed in HTTP Basic usernames, then the participants will need to agree upon a method of encoding the client_id for use with HTTP Basic.
>> 
>>                                                            -- Mike
>> 
>>From:oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of George Fletcher
>>Sent: Friday, June 15, 2012 8:48 AM
>>To: oauth@ietf.org
>>Subject: Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
>> 
>>+1 for a simple encoding and allowing ':' in the client_id
>>
>>On 6/13/12 6:53 PM, Amos Jeffries wrote: 
>>On 14.06.2012 06:40, John Bradley wrote: 
>>
>>
>>That would probably work as well.  That is why I am not particularly 
>>concerned about excluding the : 
>>
>>We originally used the URI itself,  mostly for convenience of 
>>debugging,  but there are other potential options. 
>>
>>The authorization server needs to compare the client_id and the 
>>redirect uri. But it could compare the hash with not much more work. 
>>Also a sha256 hash is probably longer than the uri it is hashing. 
>>
>>I am not super concerned with being able to have : in the client_id 
>>
>>John B. 
>>
>>
>>If I'm following all these threads correctly the only explicit problem with URI in client_id is HTTP username field being : terminated. 
>>As such it does not have to be a hash per-se, just an encoding that removes ":" and other reserved characters from the on-wire form *when sent via HTTP*. 
>>
>>AYJ 
>>
>>_______________________________________________ 
>>OAuth mailing list 
>>OAuth@ietf.org 
>>https://www.ietf.org/mailman/listinfo/oauth 
>>
>>
>> 
>_______________________________________________
>>OAuth mailing list
>>OAuth@ietf.org
>>https://www.ietf.org/mailman/listinfo/oauth
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
>
>
>

v2.23.0 | Report a Bug | By Email