IETF Logo Mail Archive

Re: [OAUTH-WG] Issue 18: defining new response types

Eran Hammer-Lahav <eran@hueniverse.com> Fri, 15 July 2011 17:46 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD78521F8B9B for <oauth@ietfa.amsl.com>; Fri, 15 Jul 2011 10:46:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.991
X-Spam-Level:
X-Spam-Status: No, score=-1.991 tagged_above=-999 required=5 tests=[AWL=-0.593, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_45=0.6, J_CHICKENPOX_54=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HRtAywVflbWa for <oauth@ietfa.amsl.com>; Fri, 15 Jul 2011 10:46:11 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 220A121F8B98 for <oauth@ietf.org>; Fri, 15 Jul 2011 10:46:11 -0700 (PDT)
Received: (qmail 14429 invoked from network); 15 Jul 2011 17:46:09 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 15 Jul 2011 17:46:09 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Fri, 15 Jul 2011 10:45:17 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Fri, 15 Jul 2011 10:44:59 -0700
Thread-Topic: Issue 18: defining new response types
Thread-Index: AcxDENqXuaYCpIOoRa64SYPrJbbZ6AAAXdKgAAAdeoAAAPGm8A==
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234501D6E024B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <4E1F6AAD24975D4BA5B168042967394348D4BAD0@TK5EX14MBXC201.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E7234501D6E0238@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E1F6AAD24975D4BA5B168042967394348D4BCC4@TK5EX14MBXC201.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B168042967394348D4BCC4@TK5EX14MBXC201.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E7234501D6E024BP3PW5EX1MB01E_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Issue 18: defining new response types
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2011 17:46:12 -0000

I was only arguing against the proposed text which doesn't accomplish what you want from a normative perspective. I can easily address the use case with very short prose but I would like to see more working group discussion about it first.

Seems like WG members representing three large OAuth implementations (Facebook, Google, Microsoft) are very supportive. Does anyone objects to making the change to allow space-delimited values in the response_type parameter? Once we get consensus on that, I can proceed to offer a proposal. The main difficulty is how to deal with errors.

EHL

From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Friday, July 15, 2011 10:16 AM
To: Eran Hammer-Lahav; oauth@ietf.org
Subject: RE: Issue 18: defining new response types

Yes, that's the intent of the change

From: Eran Hammer-Lahav [mailto:eran@hueniverse.com]<mailto:[mailto:eran@hueniverse.com]>
Sent: Friday, July 15, 2011 10:14 AM
To: Mike Jones; oauth@ietf.org<mailto:oauth@ietf.org>
Subject: RE: Issue 18: defining new response types

You can't have it both way. Either it is a simple string comparison or it requires parsing of the string. The current prose is designed to offer a visual cue without making any code changes to how response types are compared. To allow different orders, we have to turn the value to a parsed list.

EHL

From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org]<mailto:[mailto:oauth-bounces@ietf.org]> On Behalf Of Mike Jones
Sent: Friday, July 15, 2011 10:02 AM
To: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: [OAUTH-WG] Issue 18: defining new response types

I agree that this functionality is needed.  However, I believe its current embodiment is overly restrictive.  I would suggest changing this text:

Only one response type of each combination may be registered and used for making requests. Composite response types are treated and compared in the same as manner as non-composite response types. The "+" notation is meant only to improve human readability and is not used for machine parsing.

For example, an extension can define and register the token+code response type. However, once registered, the same combination cannot be registered as code+token, or used to make an authorization request.
to this:

The order of the composite response type values is not significant.  For instance, the composite response types token+code and code+token are equivalent.  Each composite response type value MUST occur only once.
                                                                Thanks,
                                                                -- Mike

v2.34.0 | Report a Bug | By Email | System Status