Re: [OAUTH-WG] Rename callback => callback_uri

Eran Hammer-Lahav <eran@hueniverse.com> Fri, 16 April 2010 21:12 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5424E3A6978 for <oauth@core3.amsl.com>; Fri, 16 Apr 2010 14:12:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.462
X-Spam-Level:
X-Spam-Status: No, score=-2.462 tagged_above=-999 required=5 tests=[AWL=0.136, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Syhvk-MHFtQU for <oauth@core3.amsl.com>; Fri, 16 Apr 2010 14:11:59 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id 8A8A13A6807 for <oauth@ietf.org>; Fri, 16 Apr 2010 14:11:59 -0700 (PDT)
Received: (qmail 29834 invoked from network); 16 Apr 2010 21:11:52 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 16 Apr 2010 21:11:51 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Fri, 16 Apr 2010 14:11:51 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Evan Gilbert <uidude@google.com>
Date: Fri, 16 Apr 2010 14:11:48 -0700
Thread-Topic: [OAUTH-WG] Rename callback => callback_uri
Thread-Index: Acrdp3ASPx8PS91vR0GrzXmHb56TcwAAfzZf
Message-ID: <C7EE20A4.32439%eran@hueniverse.com>
In-Reply-To: <y2sc8689b661004161357v88c08c80oee6c33339f2493a1@mail.gmail.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_C7EE20A432439eranhueniversecom_"
MIME-Version: 1.0
Cc: Naitik Shah <naitik@facebook.com>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Rename callback => callback_uri
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Apr 2010 21:12:08 -0000

I'll just go with redirect_uri.

EHL


On 4/16/10 1:57 PM, "Evan Gilbert" <uidude@google.com>; wrote:



On Fri, Apr 16, 2010 at 1:45 PM, Eran Hammer-Lahav <eran@hueniverse.com>; wrote:
We should use the right term, not just the less conflicting term.

The Web Callback flow uses a callback from the server to the client - this is not a redirection. The User-Agent flow uses a redirection which is fundamentally different from a callback.


   callback
         An absolute URI to which the authorization server will redirect
         the end user back when the end user authorization step is
         completed.  The authorization server MAY require the client to
         pre-register their callback URI.


   redirection
         An absolute URI to which the authorization server will redirect
         the user-agent to when the end user authorization step is
         completed.  The authorization server SHOULD require the client
         to pre-register their redirection URI.

These look the same to me, and "redirect_uri/url" works. Open to other terms.



If you don't want to use callback and want to use the same name for both, it needs to be something more generic like client_uri.

EHL


On 4/16/10 12:11 PM, "Naitik Shah" <naitik@facebook.com <http://naitik@facebook.com> > wrote:

+1 for redirect_uri -- highest semantic value imho.


-Naitik



On Apr 16, 2010, at 12:05 PM, Evan Gilbert wrote:

> We should use the same name in the User-Agent and Web Callback flows. Also, although the authorization server won't be allowing JSONP requests, "callback" has become a bit of a defacto standard for JSONP and it would be nice to use a term that isn't overloaded?
>
> Can we make them both "redirection"? Even better, maybe "redirect_uri"?
>
> On Fri, Apr 16, 2010 at 9:50 AM, Luke Shepard <lshepard@facebook.com <http://lshepard@facebook.com> > wrote:
> Facebook API requests are protected resources. They can be called either in a browser or in a server-to-server environment.
>
> For example, a JSONP call for my name looks like this:
>
>        https://api.facebook.com/restserver.php?api_key=361900759629&call_id=1271436355034&callback=FB.RestServer._callback&format=json&method=fql.query&query=SELECT%20name%20FROM%20user%20WHERE%20uid%3D2901279&v=1.0
>
> The output (you can play with it here: http://fbrell.com/fb.api/everyone-data ):
>
>        FB.RestServer._callback([{"name":"Luke Shepard"}]);
>
> If we want that protected resource to take an access token as well, then it would look like:
>
>        https://api.facebook.com/restserver.php?....&callback=FB.RestServer._callback&access_token=ACCESS_TOKEN
>
> The "callback" parameter is used pretty universally for JSONP requests. For instance, see the Jquery docs: http://api.jquery.com/jQuery.getJSON/
>
> -----Original Message-----
> From: Richard Barnes [mailto:rbarnes@bbn.com]
> Sent: Friday, April 16, 2010 9:10 AM
> To: Luke Shepard
> Cc: Eran Hammer-Lahav; Naitik Shah; OAuth WG
> Subject: Re: [OAUTH-WG] Rename callback => callback_uri
>
> Could you clarify a little more the environment in which this
> confusion arose?  What do you mean when you say "The protected
> resource typically accepts 'callback' as a parameter to support
> JSONP."?  What sort of software are you including in this?
>
> --Richard
>
>
> On Apr 15, 2010, at 5:41 PM, Luke Shepard wrote:
>
> > We already had one developer try it out and get confused because the
> > server tried to treat the callback URL as a JSONP callback.
> >
> > The protected resource typically accepts "callback" as a parameter
> > to support JSONP. If a developer accidentally passes in callback
> > there (maybe they got confused) then the server can't give a normal
> > error message - instead it needs to either detect that it looks like
> > a URL or otherwise reject it.
> >
> > On a related note, I think it's more confusing calling it something
> > different in the user-agent flow (redirector) when it's essentially
> > doing the same thing.
> >
> >
> > From: oauth-bounces@ietf.org <http://oauth-bounces@ietf.org>  [mailto:oauth-bounces@ietf.org] On
> > Behalf Of Eran Hammer-Lahav
> > Sent: Thursday, April 15, 2010 5:37 AM
> > To: Naitik Shah; OAuth WG
> > Subject: Re: [OAUTH-WG] Rename callback => callback_uri
> >
> > I don't think it is that confusing. Its a completely different
> > context from where JSON-P is used (note that in the User-Agent flow
> > it is called something else).
> >
> > EHL
> >
> >
> > On 4/10/10 12:35 PM, "Naitik Shah" <naitik@facebook.com <http://naitik@facebook.com> > wrote:
> >
> > With the simplified params, the callback url parameter is now just
> > "callback". Since most major API providers already use "callback" to
> > signify JSON-P callback, can we rename this to "callback_uri"? This
> > will help avoid collisions and confusion.
> >
> >
> > -Naitik
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org <http://OAuth@ietf.org>
> > https://www.ietf.org/mailman/listinfo/oauth
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org <http://OAuth@ietf.org>
> > https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <http://OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org <http://OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth