Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
Marius Scurtescu <mscurtescu@google.com> Thu, 20 May 2010 00:43 UTC
Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 68BB83A69E6 for <oauth@core3.amsl.com>; Wed, 19 May 2010 17:43:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.483
X-Spam-Level:
X-Spam-Status: No, score=-104.483 tagged_above=-999 required=5 tests=[AWL=-1.106, BAYES_50=0.001, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EC5JhGvXfKOe for <oauth@core3.amsl.com>; Wed, 19 May 2010 17:43:38 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id 776943A63C9 for <oauth@ietf.org>; Wed, 19 May 2010 17:43:38 -0700 (PDT)
Received: from wpaz13.hot.corp.google.com (wpaz13.hot.corp.google.com [172.24.198.77]) by smtp-out.google.com with ESMTP id o4K0hOCV021166 for <oauth@ietf.org>; Wed, 19 May 2010 17:43:25 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1274316208; bh=jVcVS+M+NETkc45R2QxkE5PA9ws=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type:Content-Transfer-Encoding; b=T6WCdzcxecvxPYdXxdW7ubKviZ+DxFT4Ah9x7OtThAv2d0EnOh/lrPNrywijdArnq 8dm5esxLtsNzls3InX83A==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:content-transfer-encoding:x-system-of-record; b=cuBidma+TYorksi9XckqL4i7MbBwO7ozfbjjRoDWNOmHzyxiY1uCN77gBOASW+M2p TVzqwlumh1XCH+h5OWt9Q==
Received: from pxi8 (pxi8.prod.google.com [10.243.27.8]) by wpaz13.hot.corp.google.com with ESMTP id o4K0hMYi024253 for <oauth@ietf.org>; Wed, 19 May 2010 17:43:23 -0700
Received: by pxi8 with SMTP id 8so3413569pxi.30 for <oauth@ietf.org>; Wed, 19 May 2010 17:43:22 -0700 (PDT)
Received: by 10.140.58.7 with SMTP id g7mr6939541rva.37.1274316202218; Wed, 19 May 2010 17:43:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.141.124.2 with HTTP; Wed, 19 May 2010 17:43:02 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343B3B699132@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <ADB082E11CEB5D49A3CC03E49DCECE02378CB8A679@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E72343B3B698808@P3PW5EX1MB01.EX1.SECURESERVER.NET> <7C01E631FF4B654FA1E783F1C0265F8C4A42BFCC@TK5EX14MBXC117.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E72343B3B69895B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTimiSqQjOsxDMxFGjIkP3xDQVHge6OJUPu9CYxHf@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3B6989D0@P3PW5EX1MB01.EX1.SECURESERVER.NET> <09A6EF98-7406-43D8-9B1C-C16E38CA35D1@gmail.com> <7C01E631FF4B654FA1E783F1C0265F8C4A4312FC@TK5EX14MBXC117.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E72343B3B699132@P3PW5EX1MB01.EX1.SECURESERVER.NET>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Wed, 19 May 2010 17:43:02 -0700
Message-ID: <AANLkTinlwZpM4PBHSR1t1whWR2p38PHq9VpcJw4p77vs@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 May 2010 00:43:40 -0000
On Mon, May 17, 2010 at 11:26 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote: > Now, this is useful. Yes, it is very useful. One minor correction, forms do support multi-value fields. Also, XML supports name spaces. > I think this raises a very good point. Unless we expect the server response to always be just key/value pairs (regardless of the chosen serialization), we cannot support multiple formats. If we decide on limiting to a flat key/value pairs, the value of multiple formats is significantly reduced (but still somewhat useful). Since we cannot have pure JSON I think we have to limit to flat key/value pairs. Only direct responses are JSON, form/url encoded still has to be used: - direct requests - through browser requests - through browser responses - through browser fragment responses Considering the above, and also that: - JSON will complicate library implementations because of dependencies - clients using libraries are completely isolated from direct response formats I still don't see the point of using JSON. Even if a client implements everything from scratch and already uses JSON (so no dependency problems) it still has to also support form-encoded as well. Frameworks may help to some extent with query parameters (but if that's the case, then most likely the framework can help with all form-encoded cases), but there still are the other two cases. Can we still discuss this tomorrow? Marius > > EHL > >> -----Original Message----- >> From: Yaron Goland [mailto:yarong@microsoft.com] >> Sent: Monday, May 17, 2010 2:58 PM >> To: Kris Selden; Eran Hammer-Lahav >> Cc: OAuth WG (oauth@ietf.org) >> Subject: RE: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13) >> >> My concerns with C are twofold. >> >> First, it's unclear to me how we will successfully reason about OAuth's data >> model when the three proposed formats all have mutually incompatible data >> models? >> >> | Forms | JSON | XML >> Nesting | NO | YES | YES >> Multi-Value Fields | NO | YES| NO[1] >> Typing | NO | YES | NO[2] >> Namespaces | NO | NO | NO >> Objects | NO | YES | YES[3] >> >> [1] There is no formal definition in XML for multi-value fields although one >> can build them using nested elements [2] XML does have XML schema but >> most parsers don't natively support it [3] XML actually has two different kinds >> of objects, elements and attributes. >> >> Will we dumb down JSON and XML to the point where they match Forms? In >> other words, per Kris's mail, is OAuth's data model just name/value pairs? >> That can work but then it calls into question why the heck we bothered >> supporting JSON or XML in the first place if we are essentially just using them >> as Forms? It seems almost cruel to dangle the richer data models of JSON and >> XML in front of people and then pull them back with a restriction that we >> only do name/value pairs. >> >> Will we support JSON's data model? In which case do we intend to add >> typing, arrays, etc. to forms and ban attributes and namespaces from XML? >> >> Will we support XML's data model? In which case do we intend to add name >> spacing and attributes to forms and JSON while banning all types but string >> along with arrays in JSON? >> >> Or maybe we'll simply assert the existence of three different worlds where >> every extension is defined in a completely different context independently >> of each other? So every extension to OAuth has to, in essence, be defined >> three separate times? >> >> Second, as a burden on server implementers we are requiring that they >> possess and test three different parsers. I think this is unnecessarily onerous >> and all but guaranteed to lead to interoperability issues as server >> implementers will focus primarily on the particular syntaxes they think will >> see the most use and give less attention to other others. This is an inevitable >> trade off given the difficulties of fully testing even basic formats. >> >> Thanks, >> >> Yaron >> >> >> > -----Original Message----- >> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf >> > Of Kris Selden >> > Sent: Friday, May 14, 2010 1:29 PM >> > To: Eran Hammer-Lahav >> > Cc: OAuth WG (oauth@ietf.org) >> > Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13) >> > >> > The only reason I've heard was interoperability but it is always >> > stated as patently obvious without a given reasoning. My assumption is >> > this is concern of OAuth 2 client library authors who don't want to >> > depend on 3 parsing libraries but want to state they can inter-operate with >> any OAuth 2 provider. >> > >> > I have a suggestion to mitigate the client library dependency issue, >> > an argument for why C is more "interoperable" (even why the server >> > should be not be required to support all 3 formats), comments on >> > encoding, and percent encoding issues with OAuth 1. >> > >> > Basically, what OAuth providers return are key/value pairs and this >> > discussion is really an issue of serialization. >> > >> > Instead of depending on libraries, client providers could have a >> > interface for serialization that takes a mime type and string and >> > returns a structure of key value pairs. That way if I've already >> > chosen libyajl (which it is, even though it is UTF8 only) as my favorite JSON >> library, I can plug it in. >> > >> > Chances are your client library is going to still be more bloated than >> > me just writing to a testable spec for the flows I need. Maybe even >> > unusable simply because I'm using an API from an application on an >> > evented server and your library uses blocking I/O for making the requests. >> > >> > On to why C is more interoperable and why as a consumer having it just >> > be one format, doesn't help me unless I'm only using JSON APIs, it >> > only helps the OAuth 2 client library developer. >> > >> > Let's say API A supports JSON, API B supports XML and API C supports >> > both (as many APIs do, oh no the horror of the QA matrix). >> > >> > If I'm consuming API A, be nice if the OAuth 2 endpoint used JSON. If >> > I'm consuming API B would be nice if the endpoint supported XML. If I >> > needed both A and B, I need 2 parsers anyways, so what the endpoint >> > did doesn't matter but I would pick JSON. If A and C I would want >> > JSON. If B and C I would want XML. >> > >> > On the server side, would be nice if a service could match the OAuth >> > endpoint format. I don't really see a need to support all 3 since in >> > order to use my JSON only API you need a JSON parser anyway. >> > >> > There is little point to an API support multiple formats as many do if >> > the OAuth endpoints require JSON only. >> > >> > If my service is just a REST storage API, accepting binary files like >> > images, I just want whatever the simplest to parse in which case I >> > would like form- encoded. I really don't see why people think that >> > format is complicated, been in use a long time, there is lots of >> > library support, and is more trivial to write your own parser than both JSON >> and XML. >> > >> > The problem with application/x-www-form-urlencoded that was >> > complicated in OAuth 1, had to do with signature base strings because >> > some characters could be optionally encoded and various libraries did >> > this. Here we are talking about key/value pair serialization that HTML >> > forms have been using for a long time. The percent encoding is of >> > bytes and the bytes character set is defined by the charset in the >> > response header. Would not matter if some characters were optionally >> percent encoded, they would still be decoded. >> > >> > While a lot of clients may not have an >> > application/x-www-form-urlencoded parser, this problem is way >> > overblown. Most have a percent-encoding decoder, needed just to parse >> > URLs. Splitting on & and = then replacing + with space is trivial. >> > This can easily be done in JavaScript, which is where I suspect some of the >> JSON only momentum is coming from. >> > >> > Not all JSON libraries handle the NULL position UTF detection in the >> > RFC 4627, some just assume UTF8 only. I'm guessing supporting the >> > other Unicode transfer encodings isn't all that popular since UTF8 is a >> superset of ASCII. >> > >> > Even though JSON maybe the way of the future, more SDKs like the >> > iPhone come with a XML parser and you'd need to find a third party >> > JSON parser or roll your own. >> > >> > As for the QA matrix, APIs that have handled multiple formats, have >> > one output structure that is serialized to different formats which >> > helps mitigate testing complexity. Test the one output, then test that >> > that structure can be serialized to the supported formats. You may >> > make that one structure JSON, then have a filter that can translate it to >> XML. >> > >> > For OAuth, I think it would increase interoperability if the output >> > was considered key/value string pairs and multiple serialization >> > formats were available, requested through the Accept header. >> > >> > Or I guess you can make it so OAuth is only for JSON APIs because JSON >> > is the future. Though I seem to remember that being said about XML not >> long ago. >> > Maybe I'm getting old. I guess I shouldn't use RSS and Atom feeds >> > because they are so last year. >> > >> > I'm for option C plus relaxing the all 3 formats support to >> > recommended but not required. >> > >> > On May 13, 2010, at 4:43 PM, Eran Hammer-Lahav wrote: >> > >> > > Can you give a reason why you are objecting to C. >> > > >> > > EHL >> > > >> > >> -----Original Message----- >> > >> From: Robert Sayre [mailto:sayrer@gmail.com] >> > >> Sent: Thursday, May 13, 2010 4:27 PM >> > >> To: Eran Hammer-Lahav >> > >> Cc: Yaron Goland; OAuth WG (oauth@ietf.org) >> > >> Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13) >> > >> >> > >> On Thu, May 13, 2010 at 5:14 PM, Eran Hammer-Lahav >> > >> <eran@hueniverse.com> wrote: >> > >>> There is clearly no consensus for either A or B. There was mostly >> > >>> no objection to C, and the reason given by most of those who >> > >>> objected was >> > >> client complexity with the current proposal solves. >> > >> >> > >> My objection to C was that your examples were buggy. So, to be >> > >> tediously >> > >> explicit: >> > >> >> > >> B, then A. Not C. >> > >> >> > >> - Rob >> > > _______________________________________________ >> > > OAuth mailing list >> > > OAuth@ietf.org >> > > https://www.ietf.org/mailman/listinfo/oauth >> > > >> > >> > _______________________________________________ >> > OAuth mailing list >> > OAuth@ietf.org >> > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… DeWitt Clinton
- [OAUTH-WG] Open Issues: Group Survey (respond by … Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… David Recordon
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Dick Hardt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Manger, James H
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… David Waite
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Joseph Smarr
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Pid
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Mark Mcgloin
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Richer, Justin P.
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Dick Hardt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Mike Moore
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Torsten Lodderstedt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Pid
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Joseph Smarr
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Joseph Smarr
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Robert Sayre
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Torsten Lodderstedt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Pid
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yutaka OIWA
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yutaka OIWA
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Vivek Khurana
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Torsten Lodderstedt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Marius Scurtescu
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Robert Sayre
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Robert Sayre
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Greg Brail
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Torsten Lodderstedt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Kris Selden
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Marius Scurtescu
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Manger, James H
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Evan Gilbert
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Marius Scurtescu
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Manger, James H