Re: [OAUTH-WG] Should registration request be form-urlencoded or JSON?

Tim Bray <twbray@google.com> Mon, 04 February 2013 21:51 UTC

Return-Path: <twbray@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E552921F887F for <oauth@ietfa.amsl.com>; Mon, 4 Feb 2013 13:51:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.977
X-Spam-Level:
X-Spam-Status: No, score=-101.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dcroLdmFFncN for <oauth@ietfa.amsl.com>; Mon, 4 Feb 2013 13:51:40 -0800 (PST)
Received: from mail-ia0-x233.google.com (mail-ia0-x233.google.com [IPv6:2607:f8b0:4001:c02::233]) by ietfa.amsl.com (Postfix) with ESMTP id 3970E21F8869 for <oauth@ietf.org>; Mon, 4 Feb 2013 13:51:32 -0800 (PST)
Received: by mail-ia0-f179.google.com with SMTP id x24so8560014iak.38 for <oauth@ietf.org>; Mon, 04 Feb 2013 13:51:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=mS5xXPejXW7wL1k1Gs+7/4JoCyPgSYBcuADfcEiEru4=; b=GKTDsNzJ7c/9A7GMJ7lVd1ATe7qeNyuQwxDrGEMSViQolnqeu2KtUZikKz8/ybZsUb W/MDLuQX9kAtmuGilGLPpNTeM4w4ERJVwcZf65UIT7jRds3d3/z9KIZf9TC/XMeOdsYW 3qA72ILirG9sl1SY+s5PVQmGA8tY8DNJUmfxwHQHZOnFroL7LDeVZKnlOc+FdhnoCiDM haCSnPMaFbv1FQgHr8aXOpSS5HB2KF8B8OAMiG5Ankn+xywG5fTMH3rgGGMldQDD6lUO uw4H0O/5WYcLMj6VEqqDSfs5S087bOawyXbmRWVBHDdDG7POw8eMdvn2SEjgSphcfPAD /kkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:x-gm-message-state; bh=mS5xXPejXW7wL1k1Gs+7/4JoCyPgSYBcuADfcEiEru4=; b=ZtgSjMkxL7LQKPMjaxEm8a9oG4rSMNHmgGRNiWIEG8cOq0aWM2d4xQel+2HlKZM/NU L1iL+WKv0WBUP5FiJ7Iv7nC8mCp7YmhHnza0vbdMfF7O5/f0jY2LvAHsoQDSf2f0INmc V9uxN6lGR8Nnj+LtJzYaFcKrGi3GDvCqqgl17ovE4kLHAxzIZfDRjbh27wLGB6w+tXPU t1lwfDp4pMmiHbvE9KX9qEQk5LcGeJZjU1zBOI7CeLOvm8NcSQ9iniP65ekNb6qB2wOO powYpgikaYhUbBSCbqTACD1PgYg3RGORFsXaU0fdIokwZsGWHuoQUQ7OY3IxDrX0nbFm esOA==
X-Received: by 10.50.189.193 with SMTP id gk1mr9406137igc.87.1360014691710; Mon, 04 Feb 2013 13:51:31 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.63.11 with HTTP; Mon, 4 Feb 2013 13:51:00 -0800 (PST)
In-Reply-To: <4E1F6AAD24975D4BA5B168042967394367411337@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B1680429673943674111BE@TK5EX14MBXC284.redmond.corp.microsoft.com> <B33BFB58CCC8BE4998958016839DE27E068866A0@IMCMBX01.MITRE.ORG> <4E1F6AAD24975D4BA5B168042967394367411337@TK5EX14MBXC284.redmond.corp.microsoft.com>
From: Tim Bray <twbray@google.com>
Date: Mon, 4 Feb 2013 13:51:00 -0800
Message-ID: <CA+ZpN26np0h+wkv5vJeSofCpVi3cwxaiDaOj0aWn3bGuw29D0A@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=14dae93410d396b92204d4ed189f
X-Gm-Message-State: ALoCoQmxcaQAXUstMxcEvpczzx+A3JDf4vgx6YvXd+Nq+NhD4CxFADwA38I+JkFB5SYsnA/C2bLXg52qYwRTYvoIYR1zC+yRgHWc+uFQO/IDwyaFXnjGvLlzkNex+0ZoMKzZAD7SR9z8g/879jPblAMfzkSjELvmts9epmBg0Ut/migwCvp0I5te5/299EEvY3JcZEPxYHIs
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Should registration request be form-urlencoded or JSON?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Feb 2013 21:51:43 -0000

>From the point of view of developer experience, meh, the degree of
difficulty of generating/parsing JSON & form/url is about the same.

JSON has the advantage that it forces you to use UTF-8, and is more
pleasant to debug when things get weird.

For my money, anything that forces anyone to use UTF-8 is A Good Thing.  -T

On Mon, Feb 4, 2013 at 1:46 PM, Mike Jones <Michael.Jones@microsoft.com>wrote:

>  I’m not proposing that we boil the ocean.  “Diving in with both feet and
> define a full RESTful API with all appropriate verbs and CRUD ops” is an
> almost sure way to build a complicated spec, most of which isn’t needed,
> and to have it take a long time.****
>
> ** **
>
> Everything in the current OpenID Registration spec is motivated by an
> actual use case.  Stuff that isn’t isn’t in the spec.  That’s nearly true
> of the closely-related OAuth Registration spec, with what I believe to be a
> few exceptions.  (Yes, we should harmonize those differences – hopefully
> based upon real use cases.)****
>
> ** **
>
> I was only proposing that we answer the single question of whether we’re
> using the right input format or not.  I hope we can keep the discussion to
> that topic and not use it to generate a passel of new work items as a side
> effect.****
>
> ** **
>
>                                                                 -- Mike***
> *
>
> ** **
>
> *From:* Richer, Justin P. [mailto:jricher@mitre.org]
> *Sent:* Monday, February 04, 2013 1:34 PM
> *To:* Mike Jones
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Should registration request be form-urlencoded
> or JSON?****
>
> ** **
>
> For history, the original UMA registration spec from whence this all grew
> was JSON-in and JSON-out. It's feeling like this is coming back around. **
> **
>
> ** **
>
> Pro:****
>
>  - more REST-ish (particularly if we use real REST style like URL
> templates and verbs)****
>
>  - consistent data structures****
>
>  - possible use of rich client data structures like lists and sub-objects*
> ***
>
> ** **
>
> Con:****
>
>  - unlike the rest of OAuth, which is form-in, JSON-out****
>
>  - major change from existing code****
>
>  - possible overhead for existing OAuth libraries which haven't had to
> deal with JSON from clients****
>
> ** **
>
> ** **
>
> ** **
>
> If we're going to do this, we should dive in with both feet and define a
> full RESTful API with all appropriate verbs and CRUD ops, and define it at
> the OAuth DynReg level as well.****
>
> ** **
>
> ** **
>
> -- Justin****
>
> ** **
>
> On Feb 4, 2013, at 4:25 PM, Mike Jones <Michael.Jones@microsoft.com>****
>
>  wrote:****
>
>
>
> ****
>
> Now that we're returning the registration state as JSON, it's pretty
> inconsistent for the registration request to instead be form-url-encoded.
> The case can be made for switching to JSON now - especially in light of
> possibly wanting to convey some structured information at registration time.
> ****
>
> I realize that this is a big change, but if we're going to do it, we
> should do it now.****
>
> As a precedent, apparently SCIM requests are JSON, rather than
> form-url-encoded.****
>
>  ****
>
>                                                                 -- Mike***
> *
>
>  ****
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth****
>
> ** **
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>