IETF Logo Mail Archive

Re: [OAUTH-WG] Proposed resolution for issue 26

Marius Scurtescu <mscurtescu@google.com> Wed, 28 September 2011 16:33 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00E9B1F0C86 for <oauth@ietfa.amsl.com>; Wed, 28 Sep 2011 09:33:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.677
X-Spam-Level:
X-Spam-Status: No, score=-105.677 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OYoL6KAxrcC7 for <oauth@ietfa.amsl.com>; Wed, 28 Sep 2011 09:33:57 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by ietfa.amsl.com (Postfix) with ESMTP id 2188D1F0C76 for <oauth@ietf.org>; Wed, 28 Sep 2011 09:33:54 -0700 (PDT)
Received: from hpaq7.eem.corp.google.com (hpaq7.eem.corp.google.com [172.25.149.7]) by smtp-out.google.com with ESMTP id p8SGagmG009285 for <oauth@ietf.org>; Wed, 28 Sep 2011 09:36:43 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1317227803; bh=1wwetPRcJrHWab3aky/3ocsTYH4=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=VVO0IEZqtIYI+1qOQ7a0fZtsy8Z68yF8RdzOiLFkUd6xTri+K080dUN4B+qoe7nOR 8dkh01vhIb9oLLgzSyUuA==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=dkim-signature:mime-version:in-reply-to:references:from:date: message-id:subject:to:cc:content-type:x-system-of-record; b=ImjPKmPN5azpoF6ys0Ha4FPd1sjGUlAn/yNnUIGDukuF0BOIYdD6N7B29ivklHwWV W2cTiDQ43aRUkEMB3zNBg==
Received: from ywp31 (ywp31.prod.google.com [10.192.16.31]) by hpaq7.eem.corp.google.com with ESMTP id p8SGVhIw015424 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT) for <oauth@ietf.org>; Wed, 28 Sep 2011 09:36:41 -0700
Received: by ywp31 with SMTP id 31so10051846ywp.11 for <oauth@ietf.org>; Wed, 28 Sep 2011 09:36:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=4hNJrkq/Sce9L/Vf9wHcfkC+NPYt6zauUvdArUdbTz4=; b=ynKhTu/bAD79Nb5JVI8AzXXs79/rL7X7S4/bwzEzx2VHx6OqcIGJsvO9A7PvvOHc7Y 3UKy8Qy/5ltN0qCe2tnQ==
Received: by 10.100.17.30 with SMTP id 30mr689210anq.79.1317227801230; Wed, 28 Sep 2011 09:36:41 -0700 (PDT)
Received: by 10.100.17.30 with SMTP id 30mr689203anq.79.1317227801095; Wed, 28 Sep 2011 09:36:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.142.14 with HTTP; Wed, 28 Sep 2011 09:36:20 -0700 (PDT)
In-Reply-To: <CAC4RtVAj7UG-7kgo3CU5Q6eeJFXi2VciQHUoGL5WJ8iq5cmykg@mail.gmail.com>
References: <4E1F6AAD24975D4BA5B16804296739435C1FC6A1@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAC4RtVDOPaMif55L6JAU4C8aERHgt6M0ntet7GKwgQJbUQKMZw@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739435C2148B5@TK5EX14MBXC285.redmond.corp.microsoft.com> <255B9BB34FB7D647A506DC292726F6E1128FF826E5@WSMSG3153V.srv.dir.telstra.com> <CAC4RtVAj7UG-7kgo3CU5Q6eeJFXi2VciQHUoGL5WJ8iq5cmykg@mail.gmail.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Wed, 28 Sep 2011 09:36:20 -0700
Message-ID: <CAGdjJpKTAAFq_YGXWOdhT7+Sxyaay5gbjx_ktha8Z6EYaxvtYA@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Content-Type: multipart/alternative; boundary="0016e6475cca2c2d1c04ae02ff6b"
X-System-Of-Record: true
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Proposed resolution for issue 26
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2011 16:33:59 -0000

On Wed, Sep 28, 2011 at 6:40 AM, Barry Leiba <barryleiba@computer.org>wrote:

> I'd like to see more participation in this thread, besides just from
> Mike and James.  What do others think?
>

I think James made it pretty clear that we have a problem and that we have
to solve it.

One solution would be for the core spec to limit the characters that can be
used in a scope, such that scopes are HTTP header safe. I think this would
be pretty limiting and fragile.

Another solution would be for the bearer spec to specify what escaping
should be used. RFC 5987 seems like the only good choice.

Marius


> Barry, as chair
>
> On Mon, Sep 26, 2011 at 3:05 PM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
> > While you take the viewpoint that the bearer spec is restricting scope
> > values, in fact, the spec intentionally allows all characters that can be
> > safely communicated in an HTTP response header parameter to be
> > used.  About whether those characters employ an encoding
> > methodology to sometimes represent other characters or abstractions,
> > I believe that Barry's proposed wording hits the nail on the head:
> >
> >   Interpretation of scope strings requires semantic agreement on the
> >   meaning of the scope strings between the parties participating the
> >   OAuth flow.  Should an encoding be used for scope strings in a
> >   particular deployment context, participants have to have agreed
> >   upon that encoding, just as they agree on other OAuth configuration
> >   parameters.
> >
> >                                Best wishes,
> >                                -- Mike
>
>
> On Mon, Sep 26, 2011 at 8:20 PM, Manger, James H
> <James.H.Manger@team.telstra.com> wrote:
> >> While you take the viewpoint that the bearer spec is restricting scope
> values, in fact,
> >> the spec intentionally allows all characters that can be safely
> communicated in an HTTP
> >> response header parameter to be used.
> >
> > But "all characters that can be safely communicated in an HTTP response
> > header parameter" is only a subset of the characters that OAuth Core
> > allows in a scope value (any Unicode string excluding space). I don't
> > understand how this isn't the Bearer spec restricting scope values.
> >
> >
> > P.S. You recognize here that non-ASCII chars cannot be safely
> > communicated in an HTTP response header parameter. This is why
> > Julian was concerned about the spec saying the error_description holds
> > raw UTF-8.
> > [Actually the ABNF for error_description restricts it to 93 ASCII chars
> so
> > when the text says it is UTF-8 encoded it is raising the potential
> problem
> > of arbitrary UTF-8 in HTTP headers unnecessarily.]
> >
> > --
> > James Manger
>
>
> On Tue, Sep 27, 2011 at 11:50 PM, Manger, James H
> <James.H.Manger@team.telstra.com> wrote:
> > I'll have another go trying to explain the problem I see with the scope
> > parameter in the Bearer spec.
> >
> > Consider a French social network that decides to offer an API using
> OAuth2.
> > It chooses 3 scope values for parts of the API related to family,
> friends, and
> > business colleagues:
> > * "famille"
> > * "ami"
> > * "collègues"
> > Let's focus on the last scope.
> >
> > The site describes the scope and its semantics in HTML developer docs.
> > That works.
> >  <dt>coll&#xE8;gues</dt><dd>...</dd>
> >
> > Client apps construct authorization URIs to which users are sent.
> > That works.
> >  https://example.fr/authz?scope=coll%C3%A8gues...
> >
> > The authorization server issues credentials in a JSON token response.
> > That works.
> >  { "access_token":"SlAV32hkKG", "scope":"coll\u00E8gues", ...}
> >
> > The authorization server also supports implicit grants. That works.
> >  Location: https://app.client.org/callback#scope=coll%C3%A8gues...
> >
> > Client apps request protected resources (without needing to mention
> scope).
> > That works.
> >  Authorization: Bearer vF9dft4qmT
> >
> > A protected resource server responds with a 401 error when a bearer token
> > is wrong. They don't know what to put in the HTTP response header scope
> > parameter: "collègues" does not fit.
> >
> > One server knows HTTP headers have historically used ISO-8859-1.
> >  WWW-Authenticate: Bearer scope="coll<E8>gues",
> error_description="opps"...
> >
> > Another server sees that error_description is specified as UTF-8 so uses
> that.
> >  WWW-Authenticate: Bearer scope="coll<C3><A8>gues",
> error_description="opps"...
> >
> > A third server reasons that the value will be copied to an authz URI so
> uses
> > URI-escaping.
> >  WWW-Authenticate: Bearer scope="coll%C3%A8gues",
> error_description="opps"...
> >
> > A fourth server thinks JSON-escaping looks most like HTTP's quoted-string
> > quoting (both use '\').
> >  WWW-Authenticate: Bearer scope="coll\u00E8gues",
> error_description="opps"...
> >
> > A fifth uses RFC 5987 "Character Set and Language Encoding for HTTP
> Header
> > Field Parameters":
> >  WWW-Authenticate: Bearer scope*=UTF-8''coll%C3%A8gues,
> error_description="opps"...
> >
> > It is a total interoperability failure for the client apps. The paragraph
> in the Bearer
> > spec saying the encoding of the scope values is up to each "particular
> > deployment context" looks like a cruel joke to the app and library
> developers.
> >
> > --
> > James Manger
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email