IETF Logo Mail Archive

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

"Manger, James H" <James.H.Manger@team.telstra.com> Thu, 20 May 2010 01:33 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F3A023A67CC for <oauth@core3.amsl.com>; Wed, 19 May 2010 18:33:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.542
X-Spam-Level: *
X-Spam-Status: No, score=1.542 tagged_above=-999 required=5 tests=[AWL=-0.157, BAYES_50=0.001, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rLL+s6zWggJ7 for <oauth@core3.amsl.com>; Wed, 19 May 2010 18:33:20 -0700 (PDT)
Received: from ipxcno.tcif.telstra.com.au (ipxcno.tcif.telstra.com.au [203.35.82.208]) by core3.amsl.com (Postfix) with ESMTP id 3AAF43A6AE2 for <oauth@ietf.org>; Wed, 19 May 2010 18:33:18 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.53,267,1272808800"; d="scan'208";a="2885550"
Received: from unknown (HELO ipccni.tcif.telstra.com.au) ([10.97.216.208]) by ipocni.tcif.telstra.com.au with ESMTP; 20 May 2010 11:33:11 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,5987"; a="2221608"
Received: from wsmsg3753.srv.dir.telstra.com ([172.49.40.174]) by ipccni.tcif.telstra.com.au with ESMTP; 20 May 2010 11:33:11 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3753.srv.dir.telstra.com ([172.49.40.174]) with mapi; Thu, 20 May 2010 11:33:11 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Marius Scurtescu <mscurtescu@google.com>
Date: Thu, 20 May 2010 11:33:09 +1000
Thread-Topic: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
Thread-Index: Acr3tYANhdRahVCGTR2ja6uzRtucDQAAllwg
Message-ID: <255B9BB34FB7D647A506DC292726F6E112637B8285@WSMSG3153V.srv.dir.telstra.com>
References: <ADB082E11CEB5D49A3CC03E49DCECE02378CB8A679@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E72343B3B698808@P3PW5EX1MB01.EX1.SECURESERVER.NET> <7C01E631FF4B654FA1E783F1C0265F8C4A42BFCC@TK5EX14MBXC117.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E72343B3B69895B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTimiSqQjOsxDMxFGjIkP3xDQVHge6OJUPu9CYxHf@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3B6989D0@P3PW5EX1MB01.EX1.SECURESERVER.NET> <09A6EF98-7406-43D8-9B1C-C16E38CA35D1@gmail.com> <7C01E631FF4B654FA1E783F1C0265F8C4A4312FC@TK5EX14MBXC117.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E72343B3B699132@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTinlwZpM4PBHSR1t1whWR2p38PHq9VpcJw4p77vs@mail.gmail.com>
In-Reply-To: <AANLkTinlwZpM4PBHSR1t1whWR2p38PHq9VpcJw4p77vs@mail.gmail.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 May 2010 01:33:21 -0000

Marius,

> Only direct responses are JSON, form/url encoded
> still has to be used:
> - direct requests
> - through browser requests
> - through browser responses
> - through browser fragment responses

A better solution would be to change the last two (token info delivered in a callback URIs) so a single parameter (in the query or fragment) holds all the token info -- as a base64url-encoded JSON value.

That is more complicated if you are only delivering a single quantity (eg just an access_token). However, the difference diminishes as more and more features are added: expires_in, scope, sites, refresh_token, access_token_secret, realm, auth_scheme, whatever-comes-out-of-OpenID-Connect etc.

A single parameter for token info in callback URIs also reduces the risk of clashing with client-specific parameters in callback URIs as things are added in the future (eg the earlier debate about no oauth_ prefix).

It eliminates the need to force all semantics to fit in a flat key/value model. This can only get harder as features are added, or extensions are supported. The OpenID 2.0 approach of namespaces and parameter name prefixes is not pretty. JSON does not solve this, but its structure helps.

I wouldn't be surprised if, in some scenarios, the token info gets too big to fit in a URI. In that case even the user-agent flow will need to make a direct request to get the token info, which is more likely to be delivered as JSON. OpenID and SAML have found they need this (eg artefact flows).


Please consider this as an open issue for today's meeting: a single parameter holding a base64url-encode JSON value for packaging token info in a callback URI.

--
James Manger

v2.23.0 | Report a Bug | By Email