[OAUTH-WG] question about the b64token syntax in draft-ietf-oauth-v2-bearer

Brian Campbell <bcampbell@pingidentity.com> Mon, 05 March 2012 22:40 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 5 Mar 2012 14:40:21 -0800
Message-ID: <CA+k3eCTTsqJZ7XzjA1qgxEJcyU0uio5EN2=yvs+h6ja1JEymiQ@mail.gmail.com>
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] question about the b64token syntax in draft-ietf-oauth-v2-bearer

On casual reading of "The OAuth 2.0 Authorization Protocol: Bearer
Tokens"* I've encountered several people (including myself) who have
made the assumption that the name b64token implies that some kind of
base64 encoding/decoding on the access token is taking place between
the client and RS.

Digging a bit deeper into "HTTP/1.1, part 7: Authentication"**,
however, I see that b64token is just an ABNF syntax definition
allowing for characters typically used in base64, base64url, etc. So
the b64token doesn't define any encoding or decoding but rather just
defines what characters can be used in the part of the Authorization
header that will contain the access token.

Do I read this correctly?

If so, I feel like some additional clarifying text in the Bearer
Tokens draft might help avoid what is (based on my small sample) a
common point of misunderstanding.

Also, does the use of b64token implicitly limit the allowed characters
that an AS can use to construct a bearer access token?

Thanks,
Brian


* http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-2.1
** http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-18#section-2.1
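The distinction the message draws (b64token as a character-set rule, not an encoding step) and the follow-up question about what characters an AS may put in a token can both be shown in a few lines. The example below is added here and is not part of the original post or of either draft. It assumes the b64token ABNF from draft-ietf-httpbis-p7-auth-18 section 2.1 (`1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="`) and the `"Bearer" 1*SP b64token` credentials rule from the bearer draft's section 2.1; the sample tokens are constructed. It shows that a resource server only needs to check the token against the syntax and pass it on verbatim, that a syntactically valid b64token need not be decodable base64, and that an authorization server minting tokens from arbitrary bytes can stay inside the allowed alphabet by base64url-encoding them.

```python
import base64
import binascii
import re
from typing import Optional

# b64token ABNF as assumed from draft-ietf-httpbis-p7-auth-18 section 2.1:
#   b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# This only restricts which characters may appear in the header; it does not
# say the token is base64-encoded, and nothing below decodes it.
B64TOKEN_RE = re.compile(r"[A-Za-z0-9\-._~+/]+=*")

# credentials = "Bearer" 1*SP b64token (bearer draft section 2.1, as assumed).
# The scheme name is matched case-insensitively, as HTTP auth-schemes are.
BEARER_RE = re.compile(r"[Bb][Ee][Aa][Rr][Ee][Rr] +(" + B64TOKEN_RE.pattern + r")")


def is_b64token(value: str) -> bool:
    """True if the whole string satisfies the b64token syntax."""
    return B64TOKEN_RE.fullmatch(value) is not None


def extract_bearer_token(authorization: str) -> Optional[str]:
    """Resource-server side: return the raw b64token from an Authorization
    header value, or None if the value is not a syntactically valid bearer
    credential. The token is returned exactly as received (no decoding)."""
    m = BEARER_RE.fullmatch(authorization)
    return m.group(1) if m else None


def is_base64(value: str) -> bool:
    """True only if the string is strictly decodable standard base64.
    Used here to demonstrate that b64token and base64 are different things."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def build_bearer_header(token: str) -> str:
    """Client side: refuse to emit a token that would violate the syntax."""
    if not is_b64token(token):
        raise ValueError("token contains characters outside the b64token syntax")
    return "Bearer " + token


def token_from_random_bytes(raw: bytes) -> str:
    """Authorization-server side: an opaque token built from arbitrary bytes.
    Unpadded base64url output uses only ALPHA / DIGIT / "-" / "_", all of
    which are inside the b64token alphabet, so the result is always legal."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    # Constructed samples: one token that is a valid b64token but not base64,
    # one that happens to be both, and two header values that must be rejected.
    for hdr in ("Bearer mF_9.B5f-4.1JqM",
                "Bearer dGhpcyBpcyBhIHRva2Vu",
                "Bearer abc def",
                'Bearer {"alg":"none"}'):
        tok = extract_bearer_token(hdr)
        if tok is None:
            print(f"{hdr!r}: rejected (not a bearer credential)")
        else:
            print(f"{hdr!r}: token={tok!r} base64={is_base64(tok)}")
    print(build_bearer_header(token_from_random_bytes(b"\xff\xfe\xfd")))
```

Note that `extract_bearer_token` never calls `is_base64`; the decodability check exists only to make the point from the message concrete. A resource server that base64-decoded `mF_9.B5f-4.1JqM` before lookup would simply fail, since `_`, `.` and `-` are not in the standard base64 alphabet, even though the header is perfectly valid.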