IETF Logo Mail Archive

Re: [OAUTH-WG] Proposed change to section 8.4. Defining New Authorization Endpoint Response Types

Aiden Bell <aiden449@gmail.com> Tue, 19 July 2011 11:38 UTC

Return-Path: <aiden449@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E57621F875E for <oauth@ietfa.amsl.com>; Tue, 19 Jul 2011 04:38:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.998
X-Spam-Level:
X-Spam-Status: No, score=-2.998 tagged_above=-999 required=5 tests=[AWL=0.600, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PuB75iRAg4mq for <oauth@ietfa.amsl.com>; Tue, 19 Jul 2011 04:38:42 -0700 (PDT)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id 5925F21F853B for <oauth@ietf.org>; Tue, 19 Jul 2011 04:38:42 -0700 (PDT)
Received: by qwc23 with SMTP id 23so3336134qwc.31 for <oauth@ietf.org>; Tue, 19 Jul 2011 04:38:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=vvKkrX8gASotrNG06pQN3f/ZHF25GrpfNs2v6glHv/s=; b=NCj2EC2qBVd8HPUOoMi6IhQixsjbrg6HAe6MdAWffbk6SZVu3rLgoU3AQUEp/A4TkT WLnPhbOvLJdZwhE6fonh1/td6knZtbhZXD4MwxOFm/o2QMFuYXMHZb69LREMHxx9HQmV MIdFprd8LBpmIu/+6JTPPv6AkzdnfLZEPXWGY=
MIME-Version: 1.0
Received: by 10.229.198.233 with SMTP id ep41mr5734024qcb.199.1311075520500; Tue, 19 Jul 2011 04:38:40 -0700 (PDT)
Received: by 10.229.14.42 with HTTP; Tue, 19 Jul 2011 04:38:40 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234501D6E0653@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E7234501D6E0653@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Tue, 19 Jul 2011 12:38:40 +0100
Message-ID: <CA+5SmTUHyo03svC+90s5D9oLzh75WRU6AfJ_opSzwiKXMUThKQ@mail.gmail.com>
From: Aiden Bell <aiden449@gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, oauth@ietf.org
Content-Type: multipart/alternative; boundary="001636d33ba7ac542704a86a8e8d"
Subject: Re: [OAUTH-WG] Proposed change to section 8.4. Defining New Authorization Endpoint Response Types
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 11:38:46 -0000

I think the wording is much improved here with regards implied relationships
between composite and non-composite types.

However, given this new found unambiguity, I think the use of the term
"composite response types" is misleading, as what is being described is
just a characteristics of "identifiers containing spaces". This newest 8.3
doesn't state if elements in the collection MUST also be registered.
This leads me to (correctly?) think I can register a list of elements where
the components may or may not be registered themselves.
In this case, we have a registered list of response type identifiers rather
than a list of response types registered.

I would propose the following modification, which puts the policy-ish term
of "compounding"
elements, more in the realm of registration, as the term "compounding" seems
to imply compound semantics, but the
registration part has a mechanism-not-policy approach.



   The space character (%x20) is reserved for defining a collection of
response type identifiers.

   Each collection of response type identifiers MUST be registered, even if
each of its components

   are individually registered. The order of components in a response type
identifier collection

   does not matter. The meaning of unregistered collections of response type
identifiers made up of

   individually registered values is undefined.



   For example, the response type “token code” is left undefined by this
specification.

   However, an extension can define and register the "token code" response
type identifier collection

   and its composite behavior.

   Once registered, the same combination cannot be registered as "code
token", but

   both values can be used to make an authorization request, and refer to
the same
   response type.

Apologies if this is unsuitable, i'm just looking at it as an implementor
and questioning my own assumptions,
then trying to make the text clearer. The validity of my assumptions isn't
presumed.

Thanks,
Aiden Bell

On 19 July 2011 07:21, Eran Hammer-Lahav <eran@hueniverse.com> wrote:

> I have tried to accommodate both the use cases and concerns raised. The new
> text allows the registration of composite response types in which the order
> of the space-delimited values does not matter. However, every combination
> must be registered in order to avoid developers guessing what an
> unregistered combination might mean. ****
>
> ** **
>
> Feedback requested.****
>
> ** **
>
> EHL****
>
> ** **
>
> ---****
>
> ** **
>
> 8.4.  Defining New Authorization Endpoint Response Types****
>
> ** **
>
>    New response types for use with the authorization endpoint are****
>
>    defined and registered in the authorization endpoint response type****
>
>    registry following the procedure in Section 11.3.  Response type****
>
>    names MUST conform to the response-type ABNF.****
>
> ** **
>
>      response-type  = response-name *( SP response-name )****
>
>      response-name  = 1*response-char****
>
>      response-char  = "_" / DIGIT / ALPHA****
>
> ** **
>
>    The space character (%x20) is reserved for defining composite response
> types.****
>
>   Each composite response types MUST be registered, even if each of its
> components****
>
>    are individually registered. The order of components in a composite
> response type****
>
>    does not matter. The meaning of unregistered composite response types
> made up of****
>
>    individually registered values is undefined.****
>
> ** **
>
>    For example, the response type “token code” is left undefined by this
> specification.****
>
>    However, an extension can define and register the "token code" response
> type.****
>
>   Once registered, the same combination cannot be registered as "code
> token", but****
>
>    both values can be used to make an authorization request, and refer to
> the same****
>
>    response type.****
>
> ** **
>
> Also, change the definition of response_type in section 3.1.1:****
>
> ** **
>
>    response_type****
>
>          REQUIRED.  The value MUST be one of "code" for requesting an****
>
>          authorization code as described by Section 4.1.1, "token" for****
>
>          requesting an access token (implicit grant) as described by****
>
>          Section 4.2.1, or a registered extension value as described by***
> *
>
>          Section 8.4. A value containing one or more space characters
> (%x25)****
>
>          identifies a composite response type in which the order of the***
> *
>
>          space-delimited sub-values does not matter.****
>
> ** **
>
> ** **
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


-- 
------------------------------------------------------------------
Never send sensitive or private information via email unless it is
encrypted. http://www.gnupg.org

v2.35.0 | Report a Bug | By Email | System Status