IETF Logo Mail Archive

Re: [OAUTH-WG] Proposed change to section 8.4. Defining New Authorization Endpoint Response Types

Eran Hammer-Lahav <eran@hueniverse.com> Tue, 19 July 2011 16:08 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F66B21F8582 for <oauth@ietfa.amsl.com>; Tue, 19 Jul 2011 09:08:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.583
X-Spam-Level:
X-Spam-Status: No, score=-2.583 tagged_above=-999 required=5 tests=[AWL=0.015, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RcF+EHJ32dGF for <oauth@ietfa.amsl.com>; Tue, 19 Jul 2011 09:07:59 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 7E11821F856D for <oauth@ietf.org>; Tue, 19 Jul 2011 09:07:59 -0700 (PDT)
Received: (qmail 28934 invoked from network); 19 Jul 2011 16:07:58 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 19 Jul 2011 16:07:58 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Tue, 19 Jul 2011 09:07:37 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Aiden Bell <aiden449@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 19 Jul 2011 09:07:12 -0700
Thread-Topic: [OAUTH-WG] Proposed change to section 8.4. Defining New Authorization Endpoint Response Types
Thread-Index: AcxGCGm3P4qaZ5YTTP6j1ml/1EGPxwAJFgSA
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234501D6E0715@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E7234501D6E0653@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CA+5SmTUHyo03svC+90s5D9oLzh75WRU6AfJ_opSzwiKXMUThKQ@mail.gmail.com>
In-Reply-To: <CA+5SmTUHyo03svC+90s5D9oLzh75WRU6AfJ_opSzwiKXMUThKQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E7234501D6E0715P3PW5EX1MB01E_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Proposed change to section 8.4. Defining New Authorization Endpoint Response Types
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 16:08:03 -0000

You understood it perfectly.

Developers should focus only on the text in section 3.1.1, not 8.4 which is meant for extension authors and DE(s). Please review the proposed text for 3.1.1 and let me know if it provides you with all the information you need in order to implement the protocol.

I don't like the term collection. The meaning is very simple:

* registered response types can include spaces
* if a response type contains spaces, the order of its space-delimited values does not matter
* because order does not matter, only one order of each combination can be registered, but all can be used

There are no other implied requirements. You don't need to register the parts individually, only the combination.

EHL


From: Aiden Bell [mailto:aiden449@gmail.com]
Sent: Tuesday, July 19, 2011 4:39 AM
To: Eran Hammer-Lahav; oauth@ietf.org
Subject: Re: [OAUTH-WG] Proposed change to section 8.4. Defining New Authorization Endpoint Response Types


I think the wording is much improved here with regards implied relationships between composite and non-composite types.

However, given this new found unambiguity, I think the use of the term "composite response types" is misleading, as what is being described is
just a characteristics of "identifiers containing spaces". This newest 8.3 doesn't state if elements in the collection MUST also be registered.
This leads me to (correctly?) think I can register a list of elements where the components may or may not be registered themselves.
In this case, we have a registered list of response type identifiers rather than a list of response types registered.

I would propose the following modification, which puts the policy-ish term of "compounding"
elements, more in the realm of registration, as the term "compounding" seems to imply compound semantics, but the
registration part has a mechanism-not-policy approach.


   The space character (%x20) is reserved for defining a collection of response type identifiers.
   Each collection of response type identifiers MUST be registered, even if each of its components
   are individually registered. The order of components in a response type identifier collection
   does not matter. The meaning of unregistered collections of response type identifiers made up of
   individually registered values is undefined.

   For example, the response type "token code" is left undefined by this specification.
   However, an extension can define and register the "token code" response type identifier collection
   and its composite behavior.
   Once registered, the same combination cannot be registered as "code token", but
   both values can be used to make an authorization request, and refer to the same
   response type.

Apologies if this is unsuitable, i'm just looking at it as an implementor and questioning my own assumptions,
then trying to make the text clearer. The validity of my assumptions isn't presumed.

Thanks,
Aiden Bell
On 19 July 2011 07:21, Eran Hammer-Lahav <eran@hueniverse.com<mailto:eran@hueniverse.com>> wrote:
I have tried to accommodate both the use cases and concerns raised. The new text allows the registration of composite response types in which the order of the space-delimited values does not matter. However, every combination must be registered in order to avoid developers guessing what an unregistered combination might mean.

Feedback requested.

EHL

---

8.4.  Defining New Authorization Endpoint Response Types

   New response types for use with the authorization endpoint are
   defined and registered in the authorization endpoint response type
   registry following the procedure in Section 11.3.  Response type
   names MUST conform to the response-type ABNF.

     response-type  = response-name *( SP response-name )
     response-name  = 1*response-char
     response-char  = "_" / DIGIT / ALPHA

   The space character (%x20) is reserved for defining composite response types.
  Each composite response types MUST be registered, even if each of its components
   are individually registered. The order of components in a composite response type
   does not matter. The meaning of unregistered composite response types made up of
   individually registered values is undefined.

   For example, the response type "token code" is left undefined by this specification.
   However, an extension can define and register the "token code" response type.
  Once registered, the same combination cannot be registered as "code token", but
   both values can be used to make an authorization request, and refer to the same
   response type.

Also, change the definition of response_type in section 3.1.1:

   response_type
         REQUIRED.  The value MUST be one of "code" for requesting an
         authorization code as described by Section 4.1.1, "token" for
         requesting an access token (implicit grant) as described by
         Section 4.2.1, or a registered extension value as described by
         Section 8.4. A value containing one or more space characters (%x25)
         identifies a composite response type in which the order of the
         space-delimited sub-values does not matter.



_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth



--
------------------------------------------------------------------
Never send sensitive or private information via email unless it is encrypted. http://www.gnupg.org

v2.35.0 | Report a Bug | By Email | System Status