IETF Logo Mail Archive

Re: [OAUTH-WG] Proposed change to section 8.4. Defining New Authorization Endpoint Response Types

Mike Jones <Michael.Jones@microsoft.com> Tue, 19 July 2011 15:46 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24ECB21F8509 for <oauth@ietfa.amsl.com>; Tue, 19 Jul 2011 08:46:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.448
X-Spam-Level:
X-Spam-Status: No, score=-10.448 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sTx4VLKYBy1f for <oauth@ietfa.amsl.com>; Tue, 19 Jul 2011 08:46:27 -0700 (PDT)
Received: from smtp.microsoft.com (mailc.microsoft.com [131.107.115.214]) by ietfa.amsl.com (Postfix) with ESMTP id 2A63521F84E5 for <oauth@ietf.org>; Tue, 19 Jul 2011 08:46:25 -0700 (PDT)
Received: from TK5EX14HUBC107.redmond.corp.microsoft.com (157.54.80.67) by TK5-EXGWY-E803.partners.extranet.microsoft.com (10.251.56.169) with Microsoft SMTP Server (TLS) id 8.2.176.0; Tue, 19 Jul 2011 08:46:24 -0700
Received: from TK5EX14MBXC201.redmond.corp.microsoft.com ([169.254.8.198]) by TK5EX14HUBC107.redmond.corp.microsoft.com ([157.54.80.67]) with mapi id 14.01.0323.002; Tue, 19 Jul 2011 08:46:24 -0700
From: Mike Jones <Michael.Jones@microsoft.com>
To: Aiden Bell <aiden449@gmail.com>, Eran Hammer-Lahav <eran@hueniverse.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Proposed change to section 8.4. Defining New Authorization Endpoint Response Types
Thread-Index: AcxF2IFuXcht7wZvT3mPDMC79ij6zgAapKcAAAYSxgA=
Date: Tue, 19 Jul 2011 15:46:23 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394348D52973@TK5EX14MBXC201.redmond.corp.microsoft.com>
References: <90C41DD21FB7C64BB94121FBBC2E7234501D6E0653@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CA+5SmTUHyo03svC+90s5D9oLzh75WRU6AfJ_opSzwiKXMUThKQ@mail.gmail.com>
In-Reply-To: <CA+5SmTUHyo03svC+90s5D9oLzh75WRU6AfJ_opSzwiKXMUThKQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.32]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B168042967394348D52973TK5EX14MBXC201r_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Proposed change to section 8.4. Defining New Authorization Endpoint Response Types
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 15:46:30 -0000

Thanks for making this change, Eran.  I propose that we use Aiden's text, because I agree that it removes the ambiguity that he identified.

                                                            -- Mike

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Aiden Bell
Sent: Tuesday, July 19, 2011 4:39 AM
To: Eran Hammer-Lahav; oauth@ietf.org
Subject: Re: [OAUTH-WG] Proposed change to section 8.4. Defining New Authorization Endpoint Response Types


I think the wording is much improved here with regards implied relationships between composite and non-composite types.

However, given this new found unambiguity, I think the use of the term "composite response types" is misleading, as what is being described is
just a characteristics of "identifiers containing spaces". This newest 8.3 doesn't state if elements in the collection MUST also be registered.
This leads me to (correctly?) think I can register a list of elements where the components may or may not be registered themselves.
In this case, we have a registered list of response type identifiers rather than a list of response types registered.

I would propose the following modification, which puts the policy-ish term of "compounding"
elements, more in the realm of registration, as the term "compounding" seems to imply compound semantics, but the
registration part has a mechanism-not-policy approach.


   The space character (%x20) is reserved for defining a collection of response type identifiers.
   Each collection of response type identifiers MUST be registered, even if each of its components
   are individually registered. The order of components in a response type identifier collection
   does not matter. The meaning of unregistered collections of response type identifiers made up of
   individually registered values is undefined.

   For example, the response type "token code" is left undefined by this specification.
   However, an extension can define and register the "token code" response type identifier collection
   and its composite behavior.
   Once registered, the same combination cannot be registered as "code token", but
   both values can be used to make an authorization request, and refer to the same
   response type.

Apologies if this is unsuitable, i'm just looking at it as an implementor and questioning my own assumptions,
then trying to make the text clearer. The validity of my assumptions isn't presumed.

Thanks,
Aiden Bell
On 19 July 2011 07:21, Eran Hammer-Lahav <eran@hueniverse.com<mailto:eran@hueniverse.com>> wrote:
I have tried to accommodate both the use cases and concerns raised. The new text allows the registration of composite response types in which the order of the space-delimited values does not matter. However, every combination must be registered in order to avoid developers guessing what an unregistered combination might mean.

Feedback requested.

EHL

---

8.4.  Defining New Authorization Endpoint Response Types

   New response types for use with the authorization endpoint are
   defined and registered in the authorization endpoint response type
   registry following the procedure in Section 11.3.  Response type
   names MUST conform to the response-type ABNF.

     response-type  = response-name *( SP response-name )
     response-name  = 1*response-char
     response-char  = "_" / DIGIT / ALPHA

   The space character (%x20) is reserved for defining composite response types.
  Each composite response types MUST be registered, even if each of its components
   are individually registered. The order of components in a composite response type
   does not matter. The meaning of unregistered composite response types made up of
   individually registered values is undefined.

   For example, the response type "token code" is left undefined by this specification.
   However, an extension can define and register the "token code" response type.
  Once registered, the same combination cannot be registered as "code token", but
   both values can be used to make an authorization request, and refer to the same
   response type.

Also, change the definition of response_type in section 3.1.1:

   response_type
         REQUIRED.  The value MUST be one of "code" for requesting an
         authorization code as described by Section 4.1.1, "token" for
         requesting an access token (implicit grant) as described by
         Section 4.2.1, or a registered extension value as described by
         Section 8.4. A value containing one or more space characters (%x25)
         identifies a composite response type in which the order of the
         space-delimited sub-values does not matter.



_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth



--
------------------------------------------------------------------
Never send sensitive or private information via email unless it is encrypted. http://www.gnupg.org

v2.36.0 | Report a Bug | By Email | System Status