IETF Logo Mail Archive

Re: [OAUTH-WG] What to do about 'realm'

Eran Hammer-Lahav <eran@hueniverse.com> Mon, 12 July 2010 03:29 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 776823A6A4C for <oauth@core3.amsl.com>; Sun, 11 Jul 2010 20:29:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.392
X-Spam-Level:
X-Spam-Status: No, score=-3.392 tagged_above=-999 required=5 tests=[AWL=1.207, BAYES_00=-2.599, GB_I_LETTER=-2]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r+XabsG+yE0w for <oauth@core3.amsl.com>; Sun, 11 Jul 2010 20:29:17 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 236A23A6A4B for <oauth@ietf.org>; Sun, 11 Jul 2010 20:29:17 -0700 (PDT)
Received: (qmail 26796 invoked from network); 12 Jul 2010 03:29:24 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 12 Jul 2010 03:29:24 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Sun, 11 Jul 2010 20:29:24 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Robert Sayre <sayrer@gmail.com>
Date: Sun, 11 Jul 2010 20:29:20 -0700
Thread-Topic: [OAUTH-WG] What to do about 'realm'
Thread-Index: AcshSOL6JwAvEJ6aRee408FuofcKvwAKYcaZ
Message-ID: <C85FDA20.3701A%eran@hueniverse.com>
In-Reply-To: <AANLkTil8wp2A6JN_td7hwSAttPH6dG_U6PPakb6-vlsb@mail.gmail.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] What to do about 'realm'
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2010 03:29:19 -0000

On 7/11/10 3:32 PM, "Robert Sayre" <sayrer@gmail.com> wrote:

> On Sun, Jul 11, 2010 at 12:27 PM, Eran Hammer-Lahav <eran@hueniverse.com>
> wrote:
>> [this has noting to do with realm]
>> 
>> Any solution should be:
>> 
>> - Extensible ­ we removed the few discovery parameters from the core spec
>> due to lack of maturity and consensus. However, we clearly have enough
>> strong interest in reintroducing them as extensions. The WWW-Authenticate
>> header is the natural place to include them.
> 
> This is true. I thought it obvious that implementations would be
> required to deal with text after the "OAuth2" string.

Yes. We need a format that can be extended. Of course, using JSON means much
richer extensibility which needs some adjustment in the registry (maybe only
require registration for top level object names?).

>> - Human-friendly ­ I think being able to look at the header and immediately
>> see what it means is useful.
> 
> I'm not sure this is valuable, but it is possible to accomodate the
> concern anyway. I use a protocol analyzer, like WireShark.

I think being able to curl a site and work your way manually is useful and
something that was a stated goal when we started collecting 2.0
requirements. This was one of the reasons why the bearer token approach was
so attractive to so many people.

>> Is there a JSON profile suitable for inclusion
>> in HTTP headers? I would like to avoid BASE64 when a person is likely to
>> take a look at the header. Otherwise debugging and command line interaction
>> become impractical.
> 
> The WG could specify that all control characters and non-ASCII text
> within the JSON text be escaped. base64 adds overhead to the endeavor,
> so it's probably best to avoid it, because most of the bits will be
> ASCII anyway.

Works for me.

> If browser clients need to set headers in the same manner, this could
> be more inconvenient, because the JSON serializers shipping in
> browsers today don't support requiring that the produced text be
> escaped. This can be done as a follow-up pass, though. [0]

I am not worried about client requests because there is less to debug on
that side (most issues are when the client is trying to debug on its side
and can easily add helpful information locally). I want to make sure that
the server response using the WWW-Authenticate header is plain-text and not
some encoded blob.

However, we still need to worry about HTTP header restrictions and I am not
sure what a browser will do when you try to set an HTTP header with
non-ascii characters.

> Using a JSON serialization neatly sidesteps several i18n issues. If
> you go with traditional HTTP header syntax, you'll need to deal with
> that some other way. btw, it just so happens that internationalization
> of Realm values is a bug in most RFC2617 implemenations.

It would be great to avoid having to use stuff like
draft-reschke-rfc2231-in-http, but that seems to be the current solution.

EHL

> 
> [0] (I happen to be on the ECMAScript committee, and I can be blamed
> for Mozilla's native JSON object. It would be technically easy to add
> a JSON.stringifyAsASCII() method, and I think the committee will go
> for it.)
> 
> 
> 
> --
> 
> Robert Sayre
> 
> "I would have written a shorter letter, but I did not have the time."
>

v2.39.1 | Report a Bug | By Email | System Status