IETF Logo Mail Archive

Re: [OAUTH-WG] defining new response types

Breno <breno.demedeiros@gmail.com> Wed, 20 July 2011 14:51 UTC

Return-Path: <breno.demedeiros@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C15B21F852E for <oauth@ietfa.amsl.com>; Wed, 20 Jul 2011 07:51:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.998
X-Spam-Level:
X-Spam-Status: No, score=-2.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_45=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YPcFYlSQpUAy for <oauth@ietfa.amsl.com>; Wed, 20 Jul 2011 07:51:38 -0700 (PDT)
Received: from mail-pz0-f53.google.com (mail-pz0-f53.google.com [209.85.210.53]) by ietfa.amsl.com (Postfix) with ESMTP id 1958421F8532 for <oauth@ietf.org>; Wed, 20 Jul 2011 07:51:33 -0700 (PDT)
Received: by pzk6 with SMTP id 6so409242pzk.26 for <oauth@ietf.org>; Wed, 20 Jul 2011 07:51:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=99RimvnVA6o0DKVDtZpU5aSr0BvTtmtsGCJaKfqTYXo=; b=Y2Z0vWIMt5Clx2nL5Tbsdca+iyWTez82yxwTIOAZ8lcaRmUo7j8/CFLl0ELvRyTAKv wzEHgyXU95HeAIkbbnQ0cZBNDR/YZDwlzrMeBozD5xFBPnNJmCaXjuGJD9AHXwn0nv3J 9z6CpEO0G+4fnmwGngm/vUUl0phfilHJSCi7Y=
MIME-Version: 1.0
Received: by 10.68.43.40 with SMTP id t8mr8482097pbl.57.1311173492347; Wed, 20 Jul 2011 07:51:32 -0700 (PDT)
Received: by 10.68.42.41 with HTTP; Wed, 20 Jul 2011 07:51:32 -0700 (PDT)
In-Reply-To: <CA425D66.224EB%pt@fb.com>
References: <90C41DD21FB7C64BB94121FBBC2E7234501D4A0611@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CA425D66.224EB%pt@fb.com>
Date: Wed, 20 Jul 2011 07:51:32 -0700
Message-ID: <CAGHdeD4CMuGfeRFJMd8qan49p1u2ex0EF1c8EkprgerOY=janw@mail.gmail.com>
From: Breno <breno.demedeiros@gmail.com>
To: Paul Tarjan <pt@fb.com>
Content-Type: multipart/alternative; boundary="bcaec53af1ac4014b804a8815e2d"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] defining new response types
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2011 14:51:42 -0000

Comments inline.

On Tue, Jul 12, 2011 at 8:23 PM, Paul Tarjan <pt@fb.com> wrote:

> I like splitting on space like scopes. But I'm fine with registering all
> possible compositions that make sense, if you prefer.
>

I agree with Marius that registering the combinations are not useful,
however also agree with Paul that it's not a show stopper.


>
>
> As I posted to the group about a month ago, we are planning on supporting
>
> response_type=none
> response_type=code
> response_type=token
> response_type=signed_request token
> response_type=token signed_request
> (and maybe "code token"/"token code")
>
>
Google is planning to support the following combinations:

response_type=node
response_type=id_token
response_type=code
response_type=token
response_type=code token (in either order, fragment-encoded response)
response_type=code id_token (in either order, query-encoded response)
response_type=token id_token (in either order, fragment-encoded response)
response_type=code token id_token (in any possible order, fragment-encoded
response)



> We already have support for response_type=none and the signed_request one
> is a few weeks out.
>
> Paul
>
>
> On 7/12/11 1:35 PM, "Eran Hammer-Lahav" <eran@hueniverse.com> wrote:
>
> >I will withdraw my objections to the change (parsing the response_type
> >string) if enough support is present. If you care about it, please speak
> >out now.
> >
> >EHL
> >
> >> -----Original Message-----
> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> >> Of Mike Jones
> >> Sent: Tuesday, July 12, 2011 1:32 PM
> >> To: OAuth WG
> >> Subject: Re: [OAUTH-WG] defining new response types
> >>
> >> As a data point motivating this functionality, the OpenID Connect Core
> >>spec
> >> currently includes:
> >>
> >>    response_type
> >>       A space delimited, case sensitive list of string
> >>       values (Pending OAuth 2.0 changes).  Acceptable values include
> >>       "code", "token", and "none".  The value MUST include "code" for
> >>       requesting an Authorization Code, "token" for requesting an Access
> >>       Token, and "none" if no response is needed.
> >>
> >> The OpenID Connect Session Management spec also defines an "id_token"
> >> response_type.  Combinations of these (other than "none") are meaningful
> >> and used.
> >>
> >> The syntax for this can change, but this functionality is very
> >>important to
> >> OpenID Connect as it is currently written.
> >>
> >>                 Thanks,
> >>                 -- Mike
> >>
> >> -----Original Message-----
> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> >> Of Breno de Medeiros
> >> Sent: Tuesday, July 12, 2011 11:48 AM
> >> To: Eran Hammer-Lahav
> >> Cc: OAuth WG
> >> Subject: Re: [OAUTH-WG] defining new response types
> >>
> >> On Tue, Jul 12, 2011 at 11:36, Eran Hammer-Lahav <eran@hueniverse.com>
> >> wrote:
> >> > That's pretty farfetched. In previous versions we had 'code_and_token'
> >> which was a composite value but without any special characters. If
> >>people
> >> think that we need to force such values to avoid this claimed developer
> >> confusion, let's drop the + and be done.
> >> >
> >>
> >> Maybe far fetched, but it's already available in our production
> >>environment --
> >> we had implemented the code_and_token approach earlier (though not
> >> documented it) but abandoned that route as we thought the exponential
> >> explosion was harmful when we started contemplating adding new types
> >> and allowing various combinations of them.
> >>
> >> > The only requirement I was asked to cover was to allow response type
> >> extensibility. If there is WG consensus to also support the requirement
> >>of
> >> composite values using any order, we can discuss that.
> >>
> >> Let's.
> >>
> >> >
> >> > In addition, defining a parsing method adds a significant amount of
> >>new
> >> complexity beyond just splitting the string:
> >> >
> >> > * It allows for composite values that make no sense (since anything
> >>goes,
> >> composite values are not registered, just the components).
> >> > * Additional error codes are needed to indicate bad format,
> >>unsupported
> >> values (specify which one), unsupported combinations, etc.
> >> > * Developers lose the benefit of a simple registry with every possible
> >> combination they may choose.
> >> >
> >> > So the two questions are:
> >> >
> >> > 1. Do you find the + proposal as defined in -18 to be useful or
> >>confusing?
> >>
> >> It is ugly.
> >>
> >> > 2. Should the protocol support dynamic composite values with the added
> >> complexity (breaking change)?
> >>
> >> That's my preference.
> >>
> >> >
> >> > EHL
> >> >
> >> >> -----Original Message-----
> >> >> From: Breno de Medeiros [mailto:breno@google.com]
> >> >> Sent: Tuesday, July 12, 2011 11:18 AM
> >> >> To: Eran Hammer-Lahav
> >> >> Cc: Marius Scurtescu; OAuth WG
> >> >> Subject: Re: [OAUTH-WG] defining new response types
> >> >>
> >> >> On Tue, Jul 12, 2011 at 11:10, Eran Hammer-Lahav
> >> >> <eran@hueniverse.com>
> >> >> wrote:
> >> >> > Requiring parsing of the response type parameter is a big change at
> >> >> > this
> >> >> point. Even if it is a decent idea, I'm against it for the sole
> >> >> reason that I don't want to introduce such a change - we're done.
> >> >> >
> >> >> > The + character makes reading values easier because it give
> >> >> > composites of
> >> >> existing, individually defined values, a special meaning to *people*,
> >> >> but it does not change any existing code or adds any work. Servers
> >> >> will still perform simple string comparison. Parsing a list of
> >>values is
> >> unnecessary complexity.
> >> >> Developers can learn to put values in their expected order (since
> >> >> they are all going to cut-n-paste anyway).
> >> >>
> >> >> I disagree. I believe that servers will either not support the
> >> >> composite types at all, or will allow developers to enter it into any
> >> >> order to avoid developer pain.
> >> >>
> >> >> Also, developers will _not_ cut-and-paste. They will expect the fact
> >> >> that order is not meaningful by interacting with providers that don't
> >> >> perform exact string matching and then have interoperability issues
> >> >> with compliant implementations.
> >> >>
> >> >> >
> >> >> > I rather drop the special character then add parsing, but I think
> >> >> > it is a useful
> >> >> *convention*.
> >> >> >
> >> >> > Do people want to keep it or drop it?
> >> >> >
> >> >> > EHL
> >> >> >
> >> >> >
> >> >> >> -----Original Message-----
> >> >> >> From: Breno de Medeiros [mailto:breno@google.com]
> >> >> >> Sent: Tuesday, July 12, 2011 10:59 AM
> >> >> >> To: Eran Hammer-Lahav
> >> >> >> Cc: Marius Scurtescu; OAuth WG
> >> >> >> Subject: Re: [OAUTH-WG] defining new response types
> >> >> >>
> >> >> >> Imposing order and exact string matching on response_type's while
> >> >> >> simultaneously supporting a special character '+' and introducing
> >> >> >> the concept of composite response_type is a poor compromise,
> >> IMNSHO.
> >> >> What
> >> >> >> is the rationale to fear allowing multiple-valued response_type as
> >> >> >> we have for other parameters in the spec?
> >> >> >>
> >> >> >> On Mon, Jul 11, 2011 at 18:51, Eran Hammer-Lahav
> >> >> >> <eran@hueniverse.com>
> >> >> >> wrote:
> >> >> >> > As for the plus encoding we can choose another char or give an
> >> >> example.
> >> >> >> >
> >> >> >> > On Jul 11, 2011, at 18:07, "Marius Scurtescu"
> >> >> >> > <mscurtescu@google.com>
> >> >> >> wrote:
> >> >> >> >
> >> >> >> >> If I read section 8.4 correctly it seems that new response
> >> >> >> >> types can be defined but composite values must be registered
> >> explicitly.
> >> >> >> >>
> >> >> >> >> I don't think this approach scales too well. OpenID Connect for
> >> >> >> >> example is adding a new response type: id_token.
> >> >> >> >>
> >> >> >> >> id_token can be combined with either code or token and
> >> >> >> >> potentially with both of them, the following combinations must
> >> >> >> >> be registered as a
> >> >> >> >> result:
> >> >> >> >> code+id_token
> >> >> >> >> token+id_token
> >> >> >> >> code+token+id_token
> >> >> >> >>
> >> >> >> >> and this assumes that code+token is already registered.
> >> >> >> >>
> >> >> >> >> I think it makes more sense to define response_type as a space
> >> >> >> >> separated list of items, where each item can be individually
> >> >> >> >> registered. I do realize that this complicates things quite a
> >> >> >> >> bit (not we have to define and deal with both composite
> >> >> >> >> response_type and the individual items).
> >> >> >> >>
> >> >> >> >> As a side note, using + as separator could cause lots of
> >>problems.
> >> >> >> >> If people naively type "code+toke" it will be decoded as "code
> >> token".
> >> >> >> >> No one will remember the hex code for +.
> >> >> >> >>
> >> >> >> >> Marius
> >> >> >> >> _______________________________________________
> >> >> >> >> OAuth mailing list
> >> >> >> >> OAuth@ietf.org
> >> >> >> >> https://www.ietf.org/mailman/listinfo/oauth
> >> >> >> >
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> --
> >> >> >> --Breno
> >> >> >
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> --Breno
> >> >
> >>
> >>
> >>
> >> --
> >> --Breno
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >_______________________________________________
> >OAuth mailing list
> >OAuth@ietf.org
> >https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>



-- 
Breno de Medeiros

v2.35.0 | Report a Bug | By Email | System Status