IETF Logo Mail Archive

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

Pid <pid@pidster.com> Mon, 10 May 2010 08:12 UTC

Return-Path: <pid@pidster.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BE6CA28C149 for <oauth@core3.amsl.com>; Mon, 10 May 2010 01:12:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dxP+fz4d+vLO for <oauth@core3.amsl.com>; Mon, 10 May 2010 01:12:20 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by core3.amsl.com (Postfix) with ESMTP id 2735A3A6B7F for <oauth@ietf.org>; Mon, 10 May 2010 01:11:28 -0700 (PDT)
Received: by wyb39 with SMTP id 39so879495wyb.31 for <oauth@ietf.org>; Mon, 10 May 2010 01:11:14 -0700 (PDT)
Received: by 10.216.163.4 with SMTP id z4mr2152480wek.83.1273479074409; Mon, 10 May 2010 01:11:14 -0700 (PDT)
Received: from Phoenix.local (cpc2-lewi13-2-0-cust269.2-4.cable.virginmedia.com [86.14.119.14]) by mx.google.com with ESMTPS id g17sm1383982wee.5.2010.05.10.01.11.13 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 10 May 2010 01:11:13 -0700 (PDT)
Message-ID: <4BE7BF9A.2050209@pidster.com>
Date: Mon, 10 May 2010 09:11:06 +0100
From: Pid <pid@pidster.com>
Organization: Pidster Inc
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: OAuth WG <oauth@ietf.org>
References: <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E1C@P3PW5EX1MB01.EX1.SECURESERVER.NET> <C2C2CB2C-F8A9-4713-A74F-558CC7278D1C@alkaline-solutions.com> <v2mc334d54e1005092357xa9a5fa2en78210a50221815df@mail.gmail.com>
In-Reply-To: <v2mc334d54e1005092357xa9a5fa2en78210a50221815df@mail.gmail.com>
X-Enigmail-Version: 1.0.1
OpenPGP: id=62590808
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="------------enig387AF95805772EA00417EEFF"
Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: pid@pidster.com
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2010 08:12:22 -0000

On 10/05/2010 07:57, Joseph Smarr wrote:
>> 1. Server Response Format
> 
> I vote for B, though I could live with C. (A would make me sad though)
>
> We've had a healthy and reasonable debate about the trade-offs here, but
> I think the main counterargument for requiring JSON support is that it's
> not quite yet a "no-brainer" to have JSON support in all environments
> (e.g. iPhone libraries currently would need to statically link in an
> available JSON library), whereas the counterarguments for A are the
> well-documented problems properly decoding url-encoded params from OAuth
> 1.0, plus the fact that it's not a common response format, whereas JSON
> (and XML) are. Since I think JSON will continue to increase in use for
> at least the next several years, the pain associated with requiring JSON
> is likely to be  higher now than it will be in the future, and it's
> already low enough that we've had this debate about whether it's already
> acceptable or not-quite-yet. And JSON has been proven to "just work" in
> terms of avoiding encoding/decoding headaches in the wild, which for
> something like OAuth is really critical.

I don't believe this is an accurate summary.

I asked for someone in the pro-JSON camp to describe the technical
merits of that format over url encoded, but to date, there's no one who
has responded.


The options we've been offered seem contrived to support JSON, so
instead I propose a more logical alternative:

4. urlencoded as the default, with optional JSON and XML


p




>> 2. Client Authentication (in flows)
> 
> No strong opinion, but slight preference for A, perhaps with additional
> profiles to follow that support HTTP Basic/Digest if it really does
> become a problem in practice to do A. Main thing is that there *should*
> be some way for a client to exchange raw username/password credentials
> for a token, since this pattern is not going away anytime soon, and thus
> if we don't standardize it, we'll wish we had.
> 
> On Sun, May 9, 2010 at 11:39 PM, David Waite
> <david@alkaline-solutions.com <mailto:david@alkaline-solutions.com>> wrote:
> 
> 
>     On May 9, 2010, at 3:06 PM, Eran Hammer-Lahav wrote:
>>
>>     1. Server Response Format
>>
>>     After extensive debate, we have a large group in favor of using
>>     JSON as the only response format (current draft). We also have a
>>     smaller group but with stronger feelings on the subject that JSON
>>     adds complexity with no obvious value.
>>
>>     A. Form-encoded only (original draft)
>>     B. JSON only (current draft)
>>     C. JSON as default with form-encoded and XML available with an
>>     optional request parameter
> 
>     I'm for A or B, but not so hot about C. Specifically (to throw my 2c
>     into the pot):
> 
>     - if form-encoded form or XML is an optional feature for servers to
>     implement, then general-purpose client libraries cannot be built to
>     expect them to be there. 
>     - for that reason, it feels the alternate encodings are not there to
>     provide flexibility for client developers, but to allow
>     implementations of OAuth to use other encodings in their clients
>     (and support them in their servers) without the clients being
>     considered out of spec compliance.
>     - as a security protocol, implementations might be concerned about
>     reducing their overall vulnerability surface area. It is plausible
>     that implementors on both sides would be more apt to not implement
>     alternate protocols if it means importing and exposing three
>     libraries for creating/consuming the encoded forms.
> 
>>     ---
>>
>>     2. Client Authentication (in flows)
>>
>>     How should the client authenticate when making token requests? The
>>     current draft defines special request parameters for sending
>>     client credentials. Some have argued that this is not the correct
>>     way, and that the client should be using existing HTTP
>>     authentication schemes to accomplish that such as Basic.
>>
>>     A. Client authenticates by sending its credentials using special
>>     parameters (current draft)
>>     B. Client authenticated by using HTTP Basic (or other schemes
>>     supported by the server such as Digest)
> 
>     Prefer B.
> 
>     - David Waite
> 
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email