Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions

Mike Jones <> Thu, 14 June 2012 21:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E8B0C21F85C5 for <>; Thu, 14 Jun 2012 14:15:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.813
X-Spam-Status: No, score=-3.813 tagged_above=-999 required=5 tests=[AWL=-0.215, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 40TBaZpu12AO for <>; Thu, 14 Jun 2012 14:15:16 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 4F70121F85C4 for <>; Thu, 14 Jun 2012 14:15:16 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server id; Thu, 14 Jun 2012 21:14:07 +0000
Received: from mail223-ch1 (localhost []) by (Postfix) with ESMTP id 2894446064D; Thu, 14 Jun 2012 21:14:07 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:; KIP:(null); UIP:(null); IPV:NLI;; RD:none; EFVD:NLI
X-SpamScore: -26
X-BigFish: VS-26(zz98dI9371Ic89bh936eI14ffI1432I1418Ic857hzz1202hzz8275ch1033IL8275bh8275dhz2fh2a8h668h839hd25hf0ah)
Received-SPF: pass (mail223-ch1: domain of designates as permitted sender) client-ip=;; ; ;
Received: from mail223-ch1 (localhost.localdomain []) by mail223-ch1 (MessageSwitch) id 1339708444995476_30087; Thu, 14 Jun 2012 21:14:04 +0000 (UTC)
Received: from ( []) by (Postfix) with ESMTP id F06B62E004A; Thu, 14 Jun 2012 21:14:04 +0000 (UTC)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Thu, 14 Jun 2012 21:14:04 +0000
Received: from ([]) by ([]) with mapi id 14.02.0298.005; Thu, 14 Jun 2012 21:14:29 +0000
From: Mike Jones <>
To: John Bradley <>, Torsten Lodderstedt <>
Thread-Topic: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
Thread-Index: Ac1KcqfhqNGWQ8CmT2q76mt0mS+U2w==
Date: Thu, 14 Jun 2012 21:14:28 +0000
Message-ID: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B168042967394366539292TK5EX14MBXC284r_"
MIME-Version: 1.0
Cc: Julian Reschke <>, Richard Mortier <>, "" <>
Subject: Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 14 Jun 2012 21:15:19 -0000

The more I think about excluding the possibility of using URIs as client IDs, the more uncomfortable I am with it.  I’m increasingly thinking that we should allow the ASCII characters used in URIs (and probably the other visible ones and space as well, as currently proposed) and have special language about “But what if this client_id containing colon characters is to be used with HTTP Basic?”

As one suggestion, mainly to restart discussion (which seems to have stalled), we could suggest (or require) that all colon characters in client_ids be substituted with tab characters (%x09), which are legal in HTTP Basic but not in the proposed definition of client_ids, before use with HTTP Basic, and that the reverse substitution occur when received from HTTP Basic.  Other transformations or encodings are possible.  We could also cop out by saying something like “If characters not legal in HTTP Basic occur in the client_id, a transformation encoding them must be agreed to by both parties”.  I don’t love the tab idea, because it’s admittedly a hack, but I believe it’s better than precluding the use of URIs as client_ids.


                                                            -- Mike

From: [] On Behalf Of John Bradley
Sent: Wednesday, June 13, 2012 11:40 AM
To: Torsten Lodderstedt
Cc: Julian Reschke; Richard Mortier;
Subject: Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions

That would probably work as well.  That is why I am not particularly concerned about excluding the :

We originally used the URI itself,  mostly for convenience of debugging,  but there are other potential options.

The authorization server needs to compare the client_id and the redirect uri. But it could compare the hash with not much more work.   Also a sha256 hash is probably longer than the uri it is hashing.

I am not super concerned with being able to have : in the client_id

John B.

Sent from my iPhone

On 2012-06-13, at 6:03 PM, Torsten Lodderstedt <<>> wrote:
Hi John,

would it make sense to use a hash of the URI instead of the URI itself in your use case?


John Bradley <<>> schrieb:
I think that the issues are getting confused.

There is a use case where the Authorization server may be a embedded app, at least in one openID case.    As it won't have a separate registration or token endpoint,  the client needs to make its own clientID for the request.   A reasonable thing to use is the redirect URI to create a unique value that the user could use for revocation at a later point.

Currently with the no : restriction we would use the host and path to crate the clientid.
There are some scenarios where having the scheme as part of that would be helpful.

This has nothing to do with discovery or the dynamic client registration proposal as far as I know.

A URL as a client_id comes from prototype work for a personal provider that we are doing as part of openID Connect.

John B.
On 2012-06-13, at 7:50 AM, Torsten Lodderstedt wrote:

Hi all,

can anyone please explain the relation between dynamic client registration and URIs as client ids? None of the current drafts (uma or connect) seem to require URIs.


Jianhua Shao <<>> schrieb:

Dynamic client registration is very useful if client or resource or authorisation server is not permanently available.
A typical case is that is the resource or authorisation server is in mobile platform, the connection is not always available.
Another typical case is that authorisation server do not necessary to have client pre-registered on itself. At moment, industry like facebook would like developer to register a app on its app centre first, and then ask user auth to use the app.

We are researchers from Digital Economy Research Institute. We have this problem When we developing Dataware that could manage the control of access to personal data. We play around our solution base on Oauth2:

We are in the list to receive your mail list, but currently need moderate to post any message. cc my colleague, Richard Mortier

On 12 Jun 2012, at 21:08, Eran Hammer wrote:

The only distinction I would make is between removing flexibiliy to proactively enabling future extensibility. I would stop short of perscribing encoding in order to fit uri into the Basic auth fields. But if there is a way to allow this to be less restrictive without clean interop issues, that would be nice.

I do agree we need some actual use cases before we spend much more time on this.


From: William Mills []<mailto:[]>
Sent: Tuesday, June 12, 2012 1:04 PM
To: Eran Hammer; Mike Jones; Hannes Tschofenig; Julian Reschke
Subject: Dynamic clients, URI, and stuff Re: [OAUTH-WG] Discussion needed on username and password ABNF definitions

I think dynamic client registration is something we have not talked out enough yet.  There's a pretty clear use case for dynamic registration.

Does identifying the client with a URI allow some form of OpenID-ish flow for this?
Is the client ID as a URI a way to allow a trusted site to provide metadata about the client?
Is that URI a way to hit an IDP we trust to validate the client in some way with the provided secret?

I guess what I'm looking for here is a concrete use case/problem to solve, rather then leaving a hook we think is the right thing.


From: Eran Hammer <<>>
To: Mike Jones <<>>; William Mills <<>>; Hannes Tschofenig <<>>; Julian Reschke <<>>
Cc: "<>" <<>>
Sent: Tuesday, June 12, 2012 11:39 AM
Subject: RE: [OAUTH-WG] Discussion needed on username and password ABNF definitions

Is the use case of using URI as client ids important? It seems like something that might become useful in the future where clients can use their verifiable servers to bypass client registration and simly use a URI the server can validate via some other means.

I just want to make sure those thinking about more complex use cases involving dynamic registration or distri buted client manamgenet are aware of this potential restriction.

I'm fine either way.


From:<> []<mailto:[]> On Behalf Of Mike Jones
Sent: Tuesday, June 12, 2012 11:27 AM
To: William Mills; Hannes Tschofenig; Julian Reschke
Subject: Re: [OAUTH-WG] Discussion needed on username and password ABNF definitions

Not internationalizing fields intended for machine consumption only is already a precedent set and agreed to by the working group, so let me second Bill’s point in that regard.  For instance, neither “scope” nor “error” allow non-ASCII characters.

Julian, if you want different ABNF text than the text I wrote below, I believe it would be most useful if you would provide the exact replace wording that you’d like to see instead of it.  Then there’s no possibility of misunderstanding the intent of suggested changes.

                                                            Thanks all,
                                                            -- Mike

From:<> []<mailto:[]> On Behalf Of William Mills
Sent: Tuesday, June 12, 2012 11:18 AM
To: Hannes Tschofenig; Julian Reschke
Subject: Re: [OAUTH-WG] Discussion needed on username and password ABNF definitions

I agree generally with your assumption about clients, but rather than saying "clients are devices" I think it makes much more sense to say "clients are NOT users, so client_id need not be internationalized".  In practical terms there is very little to argue for anythign beyond ASCII in a client_secret, base64 encoding or the equivalent being a fine way to transport arbitrary bits in a portable/reasonable way.

I argue that client_id need not be internationalized because I assume that any really internationalized application will have an internationalized presentation layer that's presenting a pretty name for the client_id.


From: Hannes Tschofenig <<>>
To: Julian Reschke <<>>
Cc: "<>" <<>>
Sent: Tuesday, June 12, 2012 11:01 AM
Subject: Re: [OAUTH-WG] Discussion needed on username and password ABNF definitions

I had a chat with Julian yesterday and here is my short summary.

Section 2.3 of the core draft defines client authentication based on two mechanisms (and provides room for extensions):

1) HTTP Basic Authentication

2) A custom OAuth authentication mechanism (which uses client_id and client_secret)

With HTTP Basic authentication the problem is that this is a legacy technology and there is no internationalization support.

With our brand new custom OAuth authentication mechanism we have more options.

One possible approach is to say that the clients are devices (and not end users) and therefore internationalization does not matter.

Is it, however, really true that only US-ASCII characters will appear in the client_id and also in the client_secret?

Here we have the possibility to define something better.

In any case we have to restrict the characters that are used in these two authentication mechanisms since they could conflict with the way how we transport the data over the underlying protocol. Julian mentioned this in his previous mails.

Julian, maybe you can provide a detailed text proposal for how to address your comment in case we go for UTF8 (with % encoding) for the custom OAuth client authentication mechanism?


On Jun 12, 2012, at 11:54 AM, Julian Reschke wrote:

> On 2012-06-12 00:16, Mike Jones wrote:
>> Reviewing the feedback from Julian, John, and James, I'm coming to the conclusion that client_id and client_secret, being for machines and not humans, shou ld be ASCII, whereas username and password should be Unicode, since they are for humans.  Per John's feedback, client_id can not contain a colon and be compatible with HTTP Basic.
> I'm not sure that restricting the character repertoire just because one way to send requires this is the right approach. My preference would be not to put this into the ABNF, and just to point out that certain characters will not work over certain transports, and to just advise to avoid them.
>> Therefore, I'd like to propose these updated ABNF definitions:
>>    VSCHAR = %20-7E
>>    NOCOLONVSCHAR = %x20-39 / %x3B-7E
>>    UNICODENOCTRLCHAR = <Any Unicode character other than ( %x0-1F / %x7F )>
>>    client-id = *NOCOLONVSCHAR
>>    client_secret = *VSCHAR
>>    username = *UNICODENOCTRLCHAR
>>    password = *UNICODENOCTRLCHAR
> In this case you should add an introductory statement pointing out that the ABNF defines the grammar in terms of Unicode code points, not octets (as it is the case most of the time).
>> It turns out that non-ASCII characters are OK for username and password because the Core spec only passes them in the form body - not using HTTP Basic - and UTF-8 encoding is specified.
> I'll send a separate mail about that, the current text in the spec is way too unspecific.
>>                 -- Mike
>> P.S.  If anyone has a better ABNF for UNICODENOCTRLCHAR than "<Any Unicode character other than ( %x0-1F / %x7F )>", please send it to me!
> As noted before, here's an example: <>
> Best regards, Julian
> _______________________________________________
> OAuth mailing list

OAuth mailing list<>

OAuth mailing list<>

This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.

This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system: you are advised to perform your own checks. Email communications with the University of Nottingham may be monitored as permitted by UK legislation.
OAuth mailing list<>