Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08.txt WGLC comments

"Manger, James H" <James.H.Manger@team.telstra.com> Wed, 12 October 2011 00:07 UTC

From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: William Mills <wmills@yahoo-inc.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 12 Oct 2011 11:06:57 +1100

>> 2. The ABNF for <credentials> does not comply with RFC 2617 "HTTP Authentication".

> So where are we on this?  Any progress?

Some progress.
draft-ietf-oauth-v2-bearer-09 defines the “Authorization: Bearer ...” request header to match draft-ietf-httpbis-p7-auth. It uses <b64token> for the access token.
The spec is not quite right as it also includes a comma-separated list of name=value pairs <#auth-param> as another option for the header, without any hint about how this works for the Bearer scheme.

Still to do:
Change
credentials = "Bearer" 1*SP ( b64token / #auth-param )
to
credentials = "Bearer" 1*SP b64token
It would also be worth explicitly stating the restrictions on access tokens that the Bearer scheme applies over what OAuth core allows, which is any Unicode string. The Bearer spec requires an access token to match <b64token>. This does not have to be base64 (or base64url), but it can only use 68 ASCII chars (plus “=”’s at the end). Section 4.1.1 “The “Bearer” OAuth Access Token Type” is probably the place to mention the restrictions. Suggested text:

  “When the type is “bearer” the “access_token” value MUST match the <b64token> ABNF [draft-ietf-httpbis-p7-auth], which allows the 66 unreserved URI characters plus a few others so it can hold a base64 or base64url encoding [RFC4648]. Using a base64url encoding without padding (or a few base64url encoded items separated by dots) is RECOMMENDED as it avoids the need for any escaping in most situations.”

Probably need to add RFC 4648 “The Base16, Base32, and Base64 Data Encodings” as an informative reference if including this suggested text.

--
James Manger
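As an added illustration (not part of the message or of any draft), the following Python checks a bearer token against the <b64token> restriction discussed above and parses the "Authorization: Bearer" header using the corrected ABNF `credentials = "Bearer" 1*SP b64token`. It assumes the b64token rule is `1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="`; sample tokens are constructed for the example.

```python
import base64
import re
import string

# Alphabet of <b64token> (assumed rule from draft-ietf-httpbis-p7-auth:
#   b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=" ).
URI_UNRESERVED = string.ascii_letters + string.digits + "-._~"   # the 66 unreserved URI chars
B64TOKEN_ALPHABET = URI_UNRESERVED + "+/"                        # 68 chars; "=" only as a trailer
_B64TOKEN_RE = re.compile(r"[%s]+=*" % re.escape(B64TOKEN_ALPHABET))

# The form the message RECOMMENDS: base64url without padding, optionally several
# such items joined by "." (never "+", "/" or "=", so no escaping is needed).
_B64URL_DOTTED_RE = re.compile(r"[A-Za-z0-9\-_]+(?:\.[A-Za-z0-9\-_]+)*")


def is_b64token(value: str) -> bool:
    """True if value satisfies the b64token ABNF (what the Bearer scheme requires).
    An arbitrary Unicode string, which OAuth core allows, fails this check."""
    return _B64TOKEN_RE.fullmatch(value) is not None


def is_recommended_form(value: str) -> bool:
    """True if value is unpadded base64url, or dot-separated base64url items."""
    return _B64URL_DOTTED_RE.fullmatch(value) is not None


def parse_bearer_header(header: str):
    """Extract the token from an Authorization header field value using the
    corrected ABNF  credentials = "Bearer" 1*SP b64token.
    Returns None on any mismatch, including the <#auth-param> form the
    message asks to drop (its quotes, spaces and embedded "=" are not b64token)."""
    # ABNF quoted strings are case-insensitive, so "bearer" is also accepted as scheme.
    m = re.fullmatch(r"(?i:bearer) +(.*)", header)
    if m is None:
        return None
    token = m.group(1)
    return token if is_b64token(token) else None


def make_token(raw: bytes) -> str:
    """Encode opaque token bytes the recommended way: base64url, padding stripped.
    The result always satisfies both is_b64token() and is_recommended_form()."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
```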