Re: [OAUTH-WG] Bearer token DISCUSS items related to errors
Mike Jones <Michael.Jones@microsoft.com> Thu, 10 May 2012 00:42 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19F4221F846A for <oauth@ietfa.amsl.com>; Wed, 9 May 2012 17:42:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.903
X-Spam-Level:
X-Spam-Status: No, score=-3.903 tagged_above=-999 required=5 tests=[AWL=-0.305, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nA1dtKLJTbL6 for <oauth@ietfa.amsl.com>; Wed, 9 May 2012 17:42:31 -0700 (PDT)
Received: from am1outboundpool.messaging.microsoft.com (am1ehsobe004.messaging.microsoft.com [213.199.154.207]) by ietfa.amsl.com (Postfix) with ESMTP id BBAAB21F844B for <oauth@ietf.org>; Wed, 9 May 2012 17:42:30 -0700 (PDT)
Received: from mail64-am1-R.bigfish.com (10.3.201.252) by AM1EHSOBE006.bigfish.com (10.3.204.26) with Microsoft SMTP Server id 14.1.225.23; Thu, 10 May 2012 00:42:29 +0000
Received: from mail64-am1 (localhost [127.0.0.1]) by mail64-am1-R.bigfish.com (Postfix) with ESMTP id B98B54C03E4; Thu, 10 May 2012 00:42:29 +0000 (UTC)
X-SpamScore: -21
X-BigFish: VS-21(zz9371Ic85fhzz1202hzz1033IL8275bh8275dhz2fh2a8h668h839hd25h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC105.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail64-am1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC105.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail64-am1 (localhost.localdomain [127.0.0.1]) by mail64-am1 (MessageSwitch) id 133661054745772_6494; Thu, 10 May 2012 00:42:27 +0000 (UTC)
Received: from AM1EHSMHS018.bigfish.com (unknown [10.3.201.229]) by mail64-am1.bigfish.com (Postfix) with ESMTP id 06BED2A0085; Thu, 10 May 2012 00:42:27 +0000 (UTC)
Received: from TK5EX14HUBC105.redmond.corp.microsoft.com (131.107.125.8) by AM1EHSMHS018.bigfish.com (10.3.206.21) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 10 May 2012 00:42:26 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.230]) by TK5EX14HUBC105.redmond.corp.microsoft.com ([157.54.80.48]) with mapi id 14.02.0298.005; Thu, 10 May 2012 00:42:25 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Eran Hammer <eran@hueniverse.com>, "oauth@ietf.org WG (oauth@ietf.org)" <oauth@ietf.org>
Thread-Topic: Bearer token DISCUSS items related to errors
Thread-Index: Ac0uPyyFp+WxhSBGSfKzyUQ+QV5C9wAA4epA
Date: Thu, 10 May 2012 00:42:24 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943664CE5DF@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <0CBAEB56DDB3A140BA8E8C124C04ECA201026E40@P3PWEX2MB008.ex2.secureserver.net>
In-Reply-To: <0CBAEB56DDB3A140BA8E8C124C04ECA201026E40@P3PWEX2MB008.ex2.secureserver.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.32]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B1680429673943664CE5DFTK5EX14MBXC283r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Subject: Re: [OAUTH-WG] Bearer token DISCUSS items related to errors
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 May 2012 00:42:37 -0000
I believe that you're intentionally oversimplifying things. My memory was that originally you objected to having the OAuth Errors Registry at all. Issue 11 was about getting it created in the first place, despite your objections. The compromise with you to get you to agree to it was that you intentionally excluded registration of errors resulting from OAuth flows E and F. I fully remember what a painful process it was to get you to agree to that much, if that's the "extensive discussion by the working group" that you're referring to. I wouldn't characterize the result as "working group consensus" so much as exhaustion.
As I see it as an individual, Russ's DISCUSS results from the simple observation that OAuth errors are not consistently registered across the OAuth specs. This may or not be changed, depending upon the result of the consensus call and a decision by the chairs. I'm fine with either outcome, but believe that the working group should earnestly consider his request.
We're almost done. I hope that after the consensus calls, this and the other open issues can be quickly addressed and we can finally achieve OAuth 2.0 RFCs.
-- Mike
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer
Sent: Wednesday, May 09, 2012 5:17 PM
To: oauth@ietf.org WG (oauth@ietf.org)
Subject: [OAUTH-WG] Bearer token DISCUSS items related to errors
Most people on this WG are not aware of all the details around the on-going IESG review and my objections to making additional changes to the core specification. Currently, these are the open issues preventing the bearer specification from being approved:
>From Russ Housley:
Section 3.1 specifies Error Codes. Alexey suggested the use
of an IANA registry for this field. Apparently there is already a
registry created by draft-ietf-oauth-v2. However this document does
not register values defined in this section in that registry. Please
explain why the IANA registry is not leveraged by this document.
>From Sean Turner:
s3.1: Shouldn't the character set restrictions on error, error_description,
and error_uri be in draft-ietf-oauth-v2?
>From Pete Resnick:
[ the use of a reserved query parameter 'access_token' ]
---
Sean Turner closed this issue today so it is no longer relevant. Basically, as currently drafted, there is no overlap between the parameters and the encoding reflects the transport restrictions of each specification. While I don't have a technical objection to limiting the character set of the error parameter in the core specification, I do object to making a breaking change at this point without any actual technical justification.
Peter Resnick's issue has nothing to do with this so I will not discuss it.
The only remaining issue is Russ' which SHOULD have been replied to with:
---
The use of the error registry in draft-ietf-oauth-v2 for the error codes defined in the bearer specification was extensively discussed by the working group and the special design committee appointed by the chairs. The working group consensus was that these errors, while similar is name and meaning to those used in the core specification, belong elsewhere. They relate to the protected resource namespace which is not covered by the core specification.
In addition, there was no working group consensus whether the error parameter used by the bearer specification was the preferred mechanism for relaying errors in protected resource access or HTTP authentication schemes (e.g. the MAC token scheme draft does not use such mechanism and opted to rely on simple HTTP status codes instead). At the time, the working group reached out to HTTPbis for guidance and did not receive a conclusive answer.
This issue was documented in the issues tracker [1] and was closed after extensive discussions. The working group's consensus was that if a registry is required, it should be defined within the bearer specification.
---
All Russ was asking for is an explanation. Instead, he was told there was no good reason and that it should be changed. That was clearly not an honest representation of clear working group consensus from over 10 months ago which was achieved at great effort.
EH
[1] http://trac.tools.ietf.org/wg/oauth/trac/ticket/11
- [OAUTH-WG] Bearer token DISCUSS items related to … Eran Hammer
- Re: [OAUTH-WG] Bearer token DISCUSS items related… Mike Jones
- Re: [OAUTH-WG] Bearer token DISCUSS items related… Eran Hammer
- Re: [OAUTH-WG] Bearer token DISCUSS items related… Peter Saint-Andre
- Re: [OAUTH-WG] Bearer token DISCUSS items related… Eran Hammer
- Re: [OAUTH-WG] Bearer token DISCUSS items related… Eran Hammer