Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON (Proposal)

Torsten Lodderstedt <> Fri, 30 April 2010 08:59 UTC

Quoting Brian Eaton <>:

> On Thu, Apr 29, 2010 at 2:40 PM, Mike Moore <> wrote:
>> On Thu, Apr 29, 2010 at 2:49 PM, Yaron Goland <> wrote:
>>> Can we please just have one format, not 3? The more choices we give the
>>> more interoperability suffers.
> Yes.  The number of parsers needed to make a working system is
> important.  The spec has too many already.
> I'd like to see authorization servers returning JSON or XML, since
> that's what the resource servers are doing.
> ...and given a choice between JSON and XML, I'd pick JSON.

I agree. At Deutsche Telekom, we try to align our authorization APIs with the
APIs provided by the resource servers. Authorization is "just" a small, but
important, portion of the overall process and aligning it with the rest
increases acceptance and decreases error rate.

None of the APIs we provide uses form encoding, most of them use JSON, some XML.
Based on that observation I would like to see at least JSON support in OAuth.
So JSON as the only would be fine with me.

My proposal is based on the observation that the WG did not come to a  
about the one and only format.

I have collected the following opinions from the thread:

pro additional support for JSON and XML - Marius Scurtescu, John Jawed, Richard Barnes, Brian Eaton, Torsten Lodderstedt
pro additional support for JSON - Dick Hardt (initiated the thread), Joseph Smarr
still support application/x-www-form-urlencoded (unclear whether exclusively) - David Recordon, Gaurav Rastogi
one format only (preference unclear) - Yaron Goland
JSON as the only format (if forced to decide for a single format) - Brian Eaton, Torsten Lodderstedt
JSON as the only format - James Manger, Robert Sayre
application/x-www-form-urlencoded as the only format - Mike Moore
JSON for responses as well - Marius Scurtescu

Here are some representative comments from the thread:

Joseph Smarr - "JSON is already widely supported (presumably including by most APIs that you're building OAuth support to be able to access!"

David Recordon - "it's drastically more complex for environments (like embedded hardware) which doesn't support JSON."

Paul C. Bryan - "I'm struggling to imagine hardware that on the one hand would support OAuth, but on the other would be incapable of supporting JSON..."

Gaurav Rastogi - "There are enough number of small embedded software stack where JSON is not an option."

So we have at least 9 votes pro JSON, but also 1 vote for  
application/x-www-form-urlencoded only.

How shall we proceed? Can we come to a consensus?


> Cheers,
> Brian