Re: [OAUTH-WG] Authorization Header Encoding

Vladimir Dzhuvinov <vladimir@connect2id.com> Mon, 15 February 2021 11:34 UTC

To: oauth@ietf.org
References: <A492D4E9-3491-4F09-8F1C-3875C5FD6E51@mit.edu>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <97a82c6d-1410-a9a9-a7aa-e8cff61a1807@connect2id.com>
Date: Mon, 15 Feb 2021 13:34:10 +0200
In-Reply-To: <A492D4E9-3491-4F09-8F1C-3875C5FD6E51@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bhXZ5AKWqsWUpLrlOmKJTqG-J8w>
Subject: Re: [OAUTH-WG] Authorization Header Encoding

Hi Justin,

Thanks for alerting us on this development.

+1 for keeping the updated HTTP semantics unencumbered by the
Authorization header formatting in RFC 6750.

IMO revising the RFC 6750 to reflect that is too late now, as few people
will notice. So updating the Bearer header definition in OAuth 2.1 seems
like the most sensible move. I expect OAuth 2.0 implementers who
maintain their software to pick up the 2.1 spec, sooner or later.

Vladimir


On 12/02/2021 00:01, Justin Richer wrote:
> The HTTP Working Group opened an issue for discussion in relation to
> the updated HTTP semantics specification. The core of the issue is the
> format of the “Authorization” header, which of course gets used by the
> “Bearer” scheme defined in RFC6750.
>
> https://github.com/httpwg/http-core/issues/733
>
> As it turns out, Bearer defines a more limited character set than is
> allowed by core HTTP, and doesn’t follow the HTTP guidelines and
> definitions for the Authorization header. There were a few
> observations on the call:
>
>  - The Bearer spec was limited because OAuth tokens were also allowed
> in HTTP URLs and form parameters (and therefore had to have a more
> limited character set)
>  - In practice people don’t actually restrict the values they put into
> this field; pretty much any implementation is just going to
> concatenate whatever access token value they get to the magic word
> “Bearer” and send it
>  - It’s not likely (or in my opinion proper) for the HTTP spec to
> change to address the oddities of RFC6750 and decisions that were made
> many years ago
>
> So the question is, what do we do about it? We could do a revision of
> 6750 that reflects reality better, pretty much just changing the ABNF.
>
> Or, we could update the definition of the Bearer header in the
> upcoming OAuth 2.1 specification.
>
> Are there other options?
>
>  — Justin
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Vladimir Dzhuvinov
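Justin's point that implementations simply concatenate whatever token they have after "Bearer" can be made concrete with the RFC 6750 grammar itself. The following is an added example, not code from the thread or from any of the participants: a strict parser for the Bearer credentials production of RFC 6750 section 2.1, run over constructed header values to show which token values fall outside the b64token character set.

```python
import re

# RFC 6750 section 2.1 ABNF for the Bearer scheme:
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
#   credentials = "Bearer" 1*SP b64token
B64TOKEN_RE = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def is_b64token(value: str) -> bool:
    """True if value matches the RFC 6750 b64token production exactly."""
    return B64TOKEN_RE.fullmatch(value) is not None


def parse_bearer(authorization: str):
    """Strictly parse an Authorization header value per RFC 6750.

    Returns the token string, or None when the value does not match the
    grammar: wrong scheme, no SP (or a tab) after the scheme, an empty
    token, or characters outside b64token. The scheme name is compared
    case-insensitively, as HTTP auth-scheme names are.
    """
    scheme, sep, rest = authorization.partition(" ")
    if scheme.lower() != "bearer" or not sep:
        return None
    token = rest.lstrip(" ")  # 1*SP: one or more SP characters only
    if not is_b64token(token):
        return None
    return token


def classify(headers):
    """Map each header value to the token the strict grammar accepts, or None."""
    return {h: parse_bearer(h) for h in headers}


# Constructed sample header values (not taken from the thread).
SAMPLES = [
    "Bearer mF_9.B5f-4.1JqM",            # the example token given in RFC 6750
    "bearer  abc123==",                  # case-insensitive scheme, several SP, padding
    "Bearer ya29.a0:token%20with%3Dodd",  # ':' and '%' lie outside b64token
    "Basic dXNlcjpwYXNz",                # a different scheme
    "Bearer",                            # scheme with no token at all
]

if __name__ == "__main__":
    for header, token in classify(SAMPLES).items():
        print(f"{header!r:45} -> {token!r}")
```

Values such as the third sample are exactly the kind of opaque token that a concatenating client sends without trouble but that a resource server enforcing the RFC 6750 ABNF would reject.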