IETF Logo Mail Archive

Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON

Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 24 April 2010 07:45 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E3D213A6911 for <oauth@core3.amsl.com>; Sat, 24 Apr 2010 00:45:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.051
X-Spam-Level:
X-Spam-Status: No, score=-1.051 tagged_above=-999 required=5 tests=[AWL=-0.661, BAYES_20=-0.74, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vfYWg0EAnVgG for <oauth@core3.amsl.com>; Sat, 24 Apr 2010 00:45:05 -0700 (PDT)
Received: from smtprelay04.ispgateway.de (smtprelay04.ispgateway.de [80.67.31.32]) by core3.amsl.com (Postfix) with ESMTP id 907F03A6403 for <oauth@ietf.org>; Sat, 24 Apr 2010 00:45:05 -0700 (PDT)
Received: from p4fff2b78.dip.t-dialin.net ([79.255.43.120] helo=[127.0.0.1]) by smtprelay04.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1O5a2n-0003OD-4v; Sat, 24 Apr 2010 09:44:53 +0200
Message-ID: <4BD2A172.2070401@lodderstedt.net>
Date: Sat, 24 Apr 2010 09:44:50 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <9890332F-E759-4E63-96FE-DB3071194D84@gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E30A379B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <20100419134825.134951nuzvi35hk4@webmail.df.eu> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F45E@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723438E5C7F45E@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: 141509
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Apr 2010 07:45:07 -0000

Am 20.04.2010 17:10, schrieb Eran Hammer-Lahav:
> There seems to be support for this idea with some concerns about complexity. Someone needs to propose text for this including defining the request parameter and schema of the various reply formats.
>
>    

I would like to prepare some text. Beforehand, I would like to discuss 
some ideas in order to come to a rough consensous.

Basically, I would suggest to only consider cases where the 
implementation platform does not directly support URI query parameter 
decoding. From my point of view, this are all HTTP responses a client 
will need to process. All request parameters, e.g. redirect back to the 
web server in the web server flow, will still be delivered as 
"application/x-www-form-urlencoded" only, since the web container 
automatically prepares this parameters for easy access in the web 
application.

I have compiled a list of candidates:

3.5.1.  User-Agent Flow
3.5.1.1.  Client Requests Authorization

fragement of the redirect URL. Change this to base64 encoded XML/JSON, 
desired format as request parameter

3.5.2.  Web Server Flow
3.5.2.2.  Client Requests Access Token

response formats: application/x-www-form-urlencoded, application/xml, or 
application/json
desired format as request parameter
response mime type indicates response format

3.5.3.  Device Flow
3.5.3.1.  Client Requests Authorization

proposal see 3.5.2.2.  Client Requests Access Token

3.5.3.2.  Client Requests Access Token

proposal see 3.5.2.2.  Client Requests Access Token

3.6.1.  Username and Password Flow
3.6.1.1.  Client Requests Access Token

proposal see 3.5.2.2.  Client Requests Access Token

3.7.1.  Client Credentials Flow
3.7.1.1.  Client Requests Access Token

proposal see 3.5.2.2.  Client Requests Access Token

3.7.2.  Assertion Flow
3.7.2.1.  Client Requests Access Token

proposal see 3.5.2.2.  Client Requests Access Token

4.  Refreshing an Access Token

proposal see 3.5.2.2.  Client Requests Access Token

Any comments?

regards,
Torsten.
> EHL
>
>    
>> -----Original Message-----
>> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
>> Sent: Monday, April 19, 2010 4:48 AM
>> To: Eran Hammer-Lahav
>> Cc: Dick Hardt; OAuth WG
>> Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
>>
>>
>>      
>>> We can also offer both and define a client request parameter (as long
>>> as the server is required to make at least one format available).
>>>        
>> +1 on this
>>
>> regards,
>> Torsten.
>>
>>      
>>> EHL
>>>
>>>        
>>>> -----Original Message-----
>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>>> Behalf Of Dick Hardt
>>>> Sent: Sunday, April 18, 2010 9:30 PM
>>>> To: OAuth WG
>>>> Subject: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
>>>>
>>>> The AS token endpoint response is encoded as application/x-www-form-
>>>> urlencoded
>>>>
>>>> While this reuses a well known and understood encoding standard, it
>>>> is uncommon for a client to receive a message encoded like this. Most
>>>> server responses are encoded as XML or JSON. Libraries are NOT
>>>> reedily available to parse application/x-www-form-urlencoded results
>>>> as this is something that is typically done in the web servers
>>>> framework. While parsing the name value pairs and URL un-encoding
>>>> them is not hard, many developers have been caught just splitting the
>>>>          
>> parameters and forgetting to URL decode the token.
>>      
>>>> Since the token is opaque and may contain characters that are
>>>> escaped, it is a difficult bug to detect.
>>>>
>>>> Potential options:
>>>>
>>>> 1) Do nothing, developers should read the specs and do the right thing.
>>>>
>>>> 2) Require that all parameters are URL safe so that there is no
>>>> encoding issue.
>>>>
>>>> 3) Return results as JSON, and recommend that parameters be URL safe.
>>>>
>>>> -- Dick
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>          
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>        
>>
>>
>>      
>

v2.23.0 | Report a Bug | By Email