Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON (Proposal)

Evan Gilbert <uidude@google.com> Wed, 05 May 2010 17:07 UTC

On Wed, May 5, 2010 at 8:28 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:

> I'll add something to the draft and we'll discuss it. There is enough
> consensus on a single JSON response format.


Responses that are returned via a browser URL should
be application/x-www-form-urlencoded. These parameters are standard to parse
in any HTTP handling library and JSON only adds complexity and external
library requirements.

I'm not positive we need to support JSON at all.

But if we support both JSON and application/x-www-form-urlencoded, I think
the pattern should be:
- application/x-www-form-urlencoded for requests/responses in a browser
- JSON otherwise (including requests)



>
> EHL
>
>
> > -----Original Message-----
> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> > Of Torsten Lodderstedt
> > Sent: Friday, April 30, 2010 2:00 AM
> > To: Brian Eaton
> > Cc: oauth@ietf.org
> > Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
> > (Proposal)
> >
> >
> > Quoting Brian Eaton <beaton@google.com>:
> >
> > > On Thu, Apr 29, 2010 at 2:40 PM, Mike Moore <blowmage@gmail.com> wrote:
> > >> On Thu, Apr 29, 2010 at 2:49 PM, Yaron Goland <yarong@microsoft.com> wrote:
> > >>>
> > >>> Can we please just have one format, not 3? The more choices we give
> > >>> the more interoperability suffers.
> > >
> > > Yes.  The number of parsers needed to make a working system is
> > > important.  The spec has too many already.
> > >
> > > I'd like to see authorization servers returning JSON or XML, since
> > > that's what the resource servers are doing.
> > >
> > > ...and given a choice between JSON and XML, I'd pick JSON.
> > >
> >
> > I agree. At Deutsche Telekom, we try to align our authorization APIs with
> > the APIs provided by the resource servers. Authorization is "just" a small,
> > but important, portion of the overall process and aligning it with the rest
> > increases acceptance and decreases error rate.
> >
> > None of the APIs we provide uses form encoding, most of them use JSON,
> > some XML.
> > Based on that observation I would like to see at least JSON support in
> > OAuth. So JSON as the only would be fine with me.
> >
> > My proposal is based on the observation that the WG did not come to a
> > consensus about the one and only format.
> >
> > I have collected the following opinions from the thread:
> >
> > pro additional support for JSON and XML - Marius Scurtescu, John Jawed,
> > Richard Barnes, Brian Eaton, Torsten Lodderstedt
> > pro additional support for JSON - Dick Hardt (initiated the thread),
> > Joseph Smarr
> > still support application/x-www-form-urlencoded (unclear whether
> > exclusively) - David Recordon, Gaurav Rastogi
> > one format only (preference unclear) - Yaron Goland
> > JSON as the only format (if forced to decide for a single format) -
> > Brian Eaton, Torsten Lodderstedt
> > JSON as the only format - James Manger, Robert Sayre
> > application/x-www-form-urlencoded as the only format - Mike Moore
> > JSON for responses as well - Marius Scurtescu
> >
> > Here are some representative comments from the thread:
> >
> > Joseph Smarr - "JSON is already widely supported (presumably including by
> > most APIs that you're building OAuth support to be able to access!"
> >
> > David Recordon - "it's drastically more complex for environments (like
> > embedded hardware) which doesn't support JSON."
> >
> > Paul C. Bryan - "I'm struggling to imagine hardware that on the one hand
> > would support OAuth, but on the other would be incapable of supporting
> > JSON..."
> >
> > Gaurav Rastogi - "There are enough number of small embedded software
> > stack where JSON is not an option."
> >
> > So we have at least 9 votes pro JSON, but also 1 vote for
> > application/x-www-form-urlencoded only.
> >
> > How shall we proceed? Can we come to a consensus?
> >
> > regards,
> > Torsten.
> >
> > > Cheers,
> > > Brian
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org
> > > https://www.ietf.org/mailman/listinfo/oauth
> > >
>
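
The split proposed in the reply above (application/x-www-form-urlencoded for parameters carried through the browser URL, JSON for responses the client fetches directly), as an added example that is not part of the thread or of any OAuth draft. The function names, the sample values and the decision to reject repeated parameter names in both formats are assumptions of this example.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed sample inputs (not taken from the thread or any draft).
SAMPLE_REDIRECT = "https://client.example/cb#access_token=abc123&expires_in=3600"
SAMPLE_JSON_BODY = '{"access_token": "abc123", "expires_in": 3600}'

class ResponseFormatError(ValueError):
    """Malformed or ambiguous OAuth response."""

def _unique(pairs):
    # Reject repeated names: parsers that disagree on first-wins versus
    # last-wins would otherwise accept different tokens from one response.
    out = {}
    for key, value in pairs:
        if key in out:
            raise ResponseFormatError(f"duplicate parameter: {key}")
        out[key] = value
    return out

def _parse_form(encoded):
    # strict_parsing turns malformed fields into errors instead of dropping them.
    try:
        return _unique(parse_qsl(encoded, keep_blank_values=True, strict_parsing=True))
    except ValueError as exc:
        raise ResponseFormatError(str(exc)) from exc

def parse_browser_response(redirect_url):
    # Parameters carried in the browser URL: fragment if present, else query.
    parts = urlsplit(redirect_url)
    return _parse_form(parts.fragment or parts.query)

def parse_direct_response(content_type, body):
    # Response fetched directly by the client; dispatch on the media type.
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        return _parse_form(body)
    if media_type != "application/json":
        raise ResponseFormatError(f"unsupported media type: {media_type}")
    try:
        # The hook sees every object's key/value pairs, so duplicates are caught.
        obj = json.loads(body, object_pairs_hook=_unique)
    except json.JSONDecodeError as exc:
        raise ResponseFormatError(str(exc)) from exc
    if not isinstance(obj, dict):
        raise ResponseFormatError("JSON response must be an object")
    return obj
```

Form-encoded values always come back as strings (`"3600"`), while JSON preserves the number type, so a client accepting both formats has to normalise fields such as `expires_in` itself.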