Re: [OAUTH-WG] Facebook updates to Draft 10

Eran Hammer-Lahav <eran@hueniverse.com> Fri, 10 September 2010 23:55 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Olivier POITREY <rs@dailymotion.com>
Date: Fri, 10 Sep 2010 16:56:14 -0700
Cc: OAuth WG <oauth@ietf.org>

The character is allowed, but query parameter encoding does not. Clearly, people have been sending and accepting commas despite the fact that they should be encoded. The reason why we chose spaces and not commas is to allow the scope to be a list of URIs, which is used by a few companies.

EHL

> -----Original Message-----
> From: Olivier POITREY [mailto:rs@dailymotion.com]
> Sent: Friday, September 10, 2010 11:58 AM
> To: Eran Hammer-Lahav
> Cc: Paul Tarjan; OAuth WG
> Subject: Re: [OAUTH-WG] Facebook updates to Draft 10
> 
> Are you sure?
> 
> http://stackoverflow.com/questions/2366260/whats-valid-and-whats-not-in-a-uri-query/2375597#2375597
> 
> 
> On 10 sept. 2010, at 17:00, Eran Hammer-Lahav <eran@hueniverse.com>
> wrote:
> 
> > That's not true. Both spaces and commas have to be encoded in
> > form-encoded query parameters.
> >
> > EHL
> >
> >> -----Original Message-----
> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
> >> Behalf Of Olivier POITREY
> >> Sent: Friday, September 10, 2010 1:47 AM
> >> To: Paul Tarjan
> >> Cc: OAuth WG
> >> Subject: Re: [OAUTH-WG] Facebook updates to Draft 10
> >>
> >> Hi Paul,
> >>
> >> Your implementation (and most other OAuth 2.0 implementations I've
> >> seen so far) are not using whitespace delimiter for the scope field.
> >> As I'm currently working on an OAuth 2.0 implementation for
> >> Dailymotion, I'm wondering why nobody seems to follow this part of
> >> the spec and use commas instead of whitespaces. Note that I would
> >> prefer comma over whitespace, whitespace has to be encoded and I find
> >> it a bit counter intuitive for this field.
> >>
> >> Best,
> >>
> >>
> >> On 9 sept. 2010, at 20:43, Paul Tarjan wrote:
> >>
> >>> Hi Fellow OAuthers,
> >>>
> >>> We just updated our Graph API's OAuth2 implementation to be draft 10
> >>> compliant. Yay!
> >>>
> >>> Well, I should say we are pretty close to draft 10. Some places we differ:
> >>>
> >>> * For now errors are not in the standard format :( This would break
> >>> backwards compatibility and existing applications, so we are only
> >>> going to turn it on for opted in applications until the spec is
> >>> finalized. If anyone wants to use the new formats, send me your
> >>> Facebook app's ID and I'll opt you in.
> >>> * if grant_type is not included, it is assumed to be "authorization_code"
> >>> since that is what draft-00 did.
> >>> * If response_type is not included, it is assumed to be "code" since
> >>> that is what draft-00 did.
> >>>
> >>> When the spec is finalized, we plan on doing a single opt-in
> >>> migration for all non-backwards compatible changes. New applications
> >>> will be automatically on the final version, and older applications
> >>> will have a time period to update.
> >>>
> >>> Some new things you can do:
> >>>
> >>> Here are a few links showing some of the new parameters to help you
> >>> with discovery:
> >>> code_and_token:
> >>> http://graph.facebook.com/oauth/authorize?client_id=150629244948164&redirect_uri=http://paulisageek.com/facebook/app/&response_type=code_and_token
> >>> token:
> >>> http://graph.facebook.com/oauth/authorize?client_id=150629244948164&redirect_uri=http://paulisageek.com/facebook/app/&response_type=token
> >>> new error format:
> >>> http://graph.facebook.com/oauth/access_token?client_id=150629244948164&redirect_uri=http://paulisageek.com/facebook/app/
> >>> error redirects:
> >>> http://graph.facebook.com/oauth/authorize?client_id=150629244948164&redirect_uri=http://paulisageek.com/facebook/app/&grant_type=junky_junk
> >>>
> >>> Feel free to ask questions and let me know if there are any places
> >>> you don't think we are spec compliant. We plan on keeping up with
> >>> changes as we all run this last mile to the final version.
> >>>
> >>> Thanks!
> >>> Paul
> >>>
> >>> _______________________________________________
> >>> OAuth mailing list
> >>> OAuth@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
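
The scope encoding discussed in this thread, as an added example that is not part of any of the messages: a client form-encodes a space-delimited scope whose values are URIs, and a server decodes and splits it, next to a comma-delimited reading of the same parameter. The sample scope URIs, the function names and the token character set (taken from RFC 6749 section 3.3, which postdates draft 10) are assumptions.

```python
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample: scope values that are URIs; the second contains a comma.
SCOPES = [
    "https://api.example.com/auth/photos",
    "https://api.example.com/auth/feed?fields=id,name",
]

# Assumption: token charset from RFC 6749 section 3.3 (later than draft 10):
# printable ASCII except space, double quote and backslash.
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def build_query(scopes):
    """Client side: join with single spaces, then form-encode the value."""
    return urlencode({"response_type": "code", "scope": " ".join(scopes)})


def parse_scope(query):
    """Server side: form-decode first, then split on spaces and validate."""
    values = parse_qs(query, strict_parsing=True).get("scope", [])
    if len(values) != 1:
        raise ValueError("scope must be present exactly once")
    tokens = values[0].split(" ")
    for token in tokens:
        if not SCOPE_TOKEN.fullmatch(token):
            raise ValueError(f"invalid scope token: {token!r}")
    return tokens


def parse_scope_comma(query):
    """Comma-delimited reading of the same parameter, for comparison only."""
    return parse_qs(query, strict_parsing=True)["scope"][0].split(",")


if __name__ == "__main__":
    query = build_query(SCOPES)
    print(query)                       # space sent as '+', comma as %2C
    print(parse_scope(query))          # both URIs recovered intact
    print(parse_scope_comma(query))    # URI cut at its own comma
    print(parse_scope("scope=photos%2Cfeed"))  # one token, not two
```

A server that checks each returned token against its registered scopes rejects `photos,feed` as an unknown scope instead of reading it as two grants.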