Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
Justin Richer <jricher@mitre.org> Fri, 15 June 2012 18:16 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6339F21F854F for <oauth@ietfa.amsl.com>; Fri, 15 Jun 2012 11:16:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.298
X-Spam-Level:
X-Spam-Status: No, score=-6.298 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d+FluYgQzmNd for <oauth@ietfa.amsl.com>; Fri, 15 Jun 2012 11:16:21 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 1D42021F859B for <oauth@ietf.org>; Fri, 15 Jun 2012 11:16:20 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 459F621B1B08; Fri, 15 Jun 2012 14:16:17 -0400 (EDT)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 2AC0721B1B1B; Fri, 15 Jun 2012 14:16:17 -0400 (EDT)
Received: from [129.83.50.12] (129.83.31.51) by IMCCAS02.MITRE.ORG (129.83.29.79) with Microsoft SMTP Server (TLS) id 14.2.283.3; Fri, 15 Jun 2012 14:16:16 -0400
Message-ID: <4FDB7BDF.60700@mitre.org>
Date: Fri, 15 Jun 2012 14:15:59 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>
References: <9dbeab60-8fe4-4828-9c52-d7af95378f4c@email.android.com> <0ec59f35-4a66-4719-adf3-114dab0d1d48@email.android.com> <40240328-0247-4278-BB7B-BE89AE130076@ve7jtb.com> <a55ad34e52e0f9755e548106d27c4b8c@treenet.co.nz> <4FDB593B.4080508@aol.com>, <4E1F6AAD24975D4BA5B16804296739436654ABB1@TK5EX14MBXC283.redmond.corp.microsoft.com> <DDC84727-1B5F-48AD-AC3F-DB9700838955@hueniverse.com> <4E1F6AAD24975D4BA5B16804296739436654B001@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436654B001@TK5EX14MBXC283.redmond.corp.microsoft.com>
Content-Type: multipart/alternative; boundary="------------060406020309070103080104"
X-Originating-IP: [129.83.31.51]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jun 2012 18:16:24 -0000
Why not percent encoding for just colon and percent? -- Justin On 06/15/2012 01:30 PM, Mike Jones wrote: > > I was asked a question off-list, which I think is worth answering > on-line. The question was: Why the Tab character, rather than > %-encoding? > > Introducing % encoding would break all existing OAuth 2.0 deployments > using HTTP Basic. A non-starter... > > Tab is legal in HTTP Basic but not in URLs or presently client_ids. > It's also a character that can be visibly rendered in an acceptable > manner for debugging. The other choices were CR and LF, which are > also legal in HTTP Basic but wouldn't render very nicely. ;-) > > Cheers, > > -- Mike > > *From:*Mike Jones > *Sent:* Friday, June 15, 2012 9:30 AM > *To:* 'Eran Hammer' > *Cc:* George Fletcher; oauth@ietf.org > *Subject:* RE: [OAUTH-WG] Dynamic clients, URI, and stuff Re: > Discussion needed on username and password ABNF definitions > > I agree with Eran that I prefer that this not be underspecified and > that an encoding for just colon for just Basic will suffice. > > I'd suggested the encoding s/:/<tab>/g as a strawman. Are there any > other encoding proposals? > > -- Mike > > *From:*Eran Hammer [mailto:eran@hueniverse.com] > <mailto:[mailto:eran@hueniverse.com]> > *Sent:* Friday, June 15, 2012 9:26 AM > *To:* Mike Jones > *Cc:* George Fletcher; oauth@ietf.org <mailto:oauth@ietf.org> > *Subject:* Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: > Discussion needed on username and password ABNF definitions > > We should not leave this under specified. Picking an encoding for just > Basic and just colon is simple enough. > > EH > > On Jun 15, 2012, at 19:17, "Mike Jones" <Michael.Jones@microsoft.com > <mailto:Michael.Jones@microsoft.com>> wrote: > > Based on use cases I'm seeing, believe it's important to allow the > use of URIs as client_id values (which means allowing ":" in the > client_id string). I'm OK with us either specifying a specific > encoding when using them in Basic or simply saying that "When > client_ids are used with HTTP Basic that contain characters such > as ":" not allowed in HTTP Basic usernames, then the participants > will need to agree upon a method of encoding the client_id for use > with HTTP Basic. > > -- Mike > > *From:*oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org> > [mailto:oauth-bounces@ietf.org] > <mailto:[mailto:oauth-bounces@ietf.org]> *On Behalf Of *George > Fletcher > *Sent:* Friday, June 15, 2012 8:48 AM > *To:* oauth@ietf.org <mailto:oauth@ietf.org> > *Subject:* Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: > Discussion needed on username and password ABNF definitions > > +1 for a simple encoding and allowing ':' in the client_id > > On 6/13/12 6:53 PM, Amos Jeffries wrote: > > On 14.06.2012 06:40, John Bradley wrote: > > That would probably work as well. That is why I am not particularly > concerned about excluding the : > > We originally used the URI itself, mostly for convenience of > debugging, but there are other potential options. > > The authorization server needs to compare the client_id and the > redirect uri. But it could compare the hash with not much more work. > Also a sha256 hash is probably longer than the uri it is hashing. > > I am not super concerned with being able to have : in the client_id > > John B. > > > > If I'm following all these threads correctly the only explicit > problem with URI in client_id is HTTP username field being : > terminated. > As such it does not have to be a hash per-se, just an encoding > that removes ":" and other reserved characters from the on-wire > form *when sent via HTTP*. > > AYJ > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Torsten Lodderstedt
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… John Bradley
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… William Mills
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Torsten Lodderstedt
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… John Bradley
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Amos Jeffries
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Jianhua Shao
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… William Mills
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Eran Hammer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Torsten Lodderstedt
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Justin Richer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… George Fletcher
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Brian Campbell
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Eran Hammer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… William Mills
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Justin Richer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Justin Richer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Justin Richer