Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
Pid <pid@pidster.com> Tue, 11 May 2010 08:16 UTC
Return-Path: <pid@pidster.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 668F228C11A for <oauth@core3.amsl.com>; Tue, 11 May 2010 01:16:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.369
X-Spam-Level:
X-Spam-Status: No, score=-0.369 tagged_above=-999 required=5 tests=[AWL=0.370, BAYES_20=-0.74]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5anEH4Tt2BjT for <oauth@core3.amsl.com>; Tue, 11 May 2010 01:16:34 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by core3.amsl.com (Postfix) with ESMTP id 7C09E3A6B47 for <oauth@ietf.org>; Tue, 11 May 2010 01:15:42 -0700 (PDT)
Received: by wyb36 with SMTP id 36so586676wyb.31 for <oauth@ietf.org>; Tue, 11 May 2010 01:15:24 -0700 (PDT)
Received: by 10.227.154.4 with SMTP id m4mr4996027wbw.153.1273565724642; Tue, 11 May 2010 01:15:24 -0700 (PDT)
Received: from Phoenix.local (cpc2-lewi13-2-0-cust269.2-4.cable.virginmedia.com [86.14.119.14]) by mx.google.com with ESMTPS id u8sm47313934wbc.17.2010.05.11.01.15.23 (version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 11 May 2010 01:15:23 -0700 (PDT)
Message-ID: <4BE91213.7090302@pidster.com>
Date: Tue, 11 May 2010 09:15:15 +0100
From: Pid <pid@pidster.com>
Organization: Pidster Inc
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Joseph Smarr <jsmarr@gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E1C@P3PW5EX1MB01.EX1.SECURESERVER.NET> <C2C2CB2C-F8A9-4713-A74F-558CC7278D1C@alkaline-solutions.com> <v2mc334d54e1005092357xa9a5fa2en78210a50221815df@mail.gmail.com> <4BE7BF9A.2050209@pidster.com> <1222443C-7C2C-49C4-B03A-4E760538B4BB@gmail.com> <4BE85186.1080401@pidster.com> <AANLkTinGoYkCVO54eHCjPJmkYAC_IEmki_lJMCNPHseB@mail.gmail.com> <AANLkTin-KnVFPWn6wKJC1kMt0COHa0MZVB7-CXX7TUc9@mail.gmail.com>
In-Reply-To: <AANLkTin-KnVFPWn6wKJC1kMt0COHa0MZVB7-CXX7TUc9@mail.gmail.com>
X-Enigmail-Version: 1.0.1
OpenPGP: id=62590808
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="------------enig962120F51C1AEAF9280F86C0"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: pid@pidster.com
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 May 2010 08:16:35 -0000
On 10/05/2010 23:38, Joseph Smarr wrote: > Oh, one other quick benefit of JSON (kind of an extension of point 1 below): > > - no ambiguous treatment of whitespace or newlines (this is a problem > I've observed multiple times while helping developers debug OAuth 1.0 > implementations--since they just split on & and =, they often don't trim > extra whitespace or newlines that were returned by the server, leading > to those spaces/newlines being part of the parsed attribute values, > which then cause broken signatures and are very hard to debug, since the > chars are invisible when printed). Not a problem with JSON. > > Let me try to offer some of those "logical, positive statements in > favour of the technical merits of JSON over the original format > choice" for those that aren't familiar or haven't gleaned them from > the thread thus far: > > - unambiguous spec for encoding/decoding (including how to represent > spaces and unicode chars, both of which are common points of > ambiguity in url-encoding that lead to bugs, confusion, and lack of > ability to use built-in libraries, if available). For example, the > OAuth PHP library does the following: return str_replace('+', ' ', > str_replace('%7E', '~', rawurlencode($input)) -- yuck! > > - easier to read the encoded format (because it has > clear sentinel braces, quoted attributes, and no url-encoding of > parameters; only some backslashing of reserved chars) > > - widely available libraries with good track records in the wild, > and increasingly built in to many platforms > > - extensible support for more representing more complex data > structures in the future, if needed > > - simple enough that it's easy to understand, but just complex > enough that it's not too tempting to roll your own parser (which > leads empirically to better compliance due to use of common libraries) > > - more likely to be recognized and understood by developers, since > they've seen it elsewhere in API response formats Thanks for taking the trouble to respond in detail, the arguments in favour of JSON are now much clearer. > I think that about covers it. Again, it's an objective fact that > url-encoding has caused confusion and bugs in OAuth 1.0 > implementations, and it's also an objective fact that JSON has had a > very high "just works" rate in the wild, to the point that it's the > default API response format for many widely used APIs from large > providers targeting many platforms. So this is not a choice based on > "fashion", but based on trying to learn from history to increase > developer success and remove the opportunity for subtle bugs, which > was one of the major problems with OAuth 1.0a that prompted us to > work on OAuth 2.0 in the first place. I take your point. I'm slightly less convinced that this means that JSON is a single best format, as much of the above could apply to XML too. (Though I am aware of the other JSON vs XML arguments, which favour JSON). My preference is for multiple formats, but I'll leave this topic alone now. cheers, p > Thanks, js > > On Mon, May 10, 2010 at 11:33 AM, Pid <pid@pidster.com > <mailto:pid@pidster.com>> wrote: > > On 10/05/2010 15:56, Dick Hardt wrote: > > > > On 2010-05-10, at 1:11 AM, Pid wrote: > > > >> On 10/05/2010 07:57, Joseph Smarr wrote: > >>>> 1. Server Response Format > >>> > >>> I vote for B, though I could live with C. (A would make me > sad though) > >>> > >>> We've had a healthy and reasonable debate about the > trade-offs here, but > >>> I think the main counterargument for requiring JSON support > is that it's > >>> not quite yet a "no-brainer" to have JSON support in all > environments > >>> (e.g. iPhone libraries currently would need to statically > link in an > >>> available JSON library), whereas the counterarguments for A > are the > >>> well-documented problems properly decoding url-encoded > params from OAuth > >>> 1.0, plus the fact that it's not a common response format, > whereas JSON > >>> (and XML) are. Since I think JSON will continue to increase > in use for > >>> at least the next several years, the pain associated with > requiring JSON > >>> is likely to be higher now than it will be in the future, > and it's > >>> already low enough that we've had this debate about whether > it's already > >>> acceptable or not-quite-yet. And JSON has been proven to > "just work" in > >>> terms of avoiding encoding/decoding headaches in the wild, > which for > >>> something like OAuth is really critical. > >> > >> I don't believe this is an accurate summary. > > > > Are you saying the information is not accurate or not a > complete summary? > > > >> > >> I asked for someone in the pro-JSON camp to describe the > technical > >> merits of that format over url encoded, but to date, there's > no one who > >> has responded. > > > > per > http://www.ietf.org/mail-archive/web/oauth/current/msg01992.html > > Is that the right message? There's not much in the way of positive > arguments for JSON in that one. > > > > client libraries exist to parse JSON responses > > Meaning a dependency. > > > > client libraries do NOT exist to parse url encoded responses > > There aren't libraries to perform that type of decoding because it's > trivial, (as you acknowledged). > > > > Implementations of both OAuth 1.0 and WRAP improperly decoded > the responses. > > Also with reference to: "many developers have been caught just > splitting the parameters and forgetting to URL decode the token" > > With respect, I think this is pretty close to a straw man. It > would be > just as easy to argue that developers will make a mess of > parsing JSON. > > > > Everyone seems to have, (in some cases grudgingly), agreed that it's > easier to decode/parse urlencoded data than JSON. > > There are definitely occasions when using JSON for data > description & > transmission is advantageous, I just don't think this is one of > them. > It's a proverbial sledgehammer for a tiny OAuth nut. > > > There should be something positive to say about JSON that > establishes > why it is a better format for this purpose. > > > >> The options we've been offered seem contrived to support JSON, > > > > would you elaborate on why you think the options presented by > the editor were contrived? > > Sure. Two of them offer JSON as the default, including the putative > 'compromise' option. > > JSON and XML add complexity, as the editor states. IMHO it's odd > therefore not to select the least complex as the default, if > multiple > formats are offered. > > > > I appreciate that JSON is popular and there is a degree of devil's > advocacy to my position here, (as I've already said), but if > it's not > possible to make a list of logical, positive statements in > favour of the > technical merits of JSON over the original format choice then it > shouldn't be selected as the default. > > > p > > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > >
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… DeWitt Clinton
- [OAUTH-WG] Open Issues: Group Survey (respond by … Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… David Recordon
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Dick Hardt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Manger, James H
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… David Waite
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Joseph Smarr
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Pid
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Mark Mcgloin
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Richer, Justin P.
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Dick Hardt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Mike Moore
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Torsten Lodderstedt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Pid
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Joseph Smarr
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Joseph Smarr
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Robert Sayre
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Torsten Lodderstedt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Pid
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yutaka OIWA
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yutaka OIWA
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Vivek Khurana
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Torsten Lodderstedt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Marius Scurtescu
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Robert Sayre
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Robert Sayre
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Greg Brail
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Torsten Lodderstedt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Kris Selden
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Marius Scurtescu
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Manger, James H
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Evan Gilbert
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Marius Scurtescu
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Manger, James H