IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions

Justin Richer <jricher@mitre.org> Fri, 15 June 2012 18:16 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6339F21F854F for <oauth@ietfa.amsl.com>; Fri, 15 Jun 2012 11:16:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.298
X-Spam-Level:
X-Spam-Status: No, score=-6.298 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d+FluYgQzmNd for <oauth@ietfa.amsl.com>; Fri, 15 Jun 2012 11:16:21 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 1D42021F859B for <oauth@ietf.org>; Fri, 15 Jun 2012 11:16:20 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 459F621B1B08; Fri, 15 Jun 2012 14:16:17 -0400 (EDT)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 2AC0721B1B1B; Fri, 15 Jun 2012 14:16:17 -0400 (EDT)
Received: from [129.83.50.12] (129.83.31.51) by IMCCAS02.MITRE.ORG (129.83.29.79) with Microsoft SMTP Server (TLS) id 14.2.283.3; Fri, 15 Jun 2012 14:16:16 -0400
Message-ID: <4FDB7BDF.60700@mitre.org>
Date: Fri, 15 Jun 2012 14:15:59 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>
References: <9dbeab60-8fe4-4828-9c52-d7af95378f4c@email.android.com> <0ec59f35-4a66-4719-adf3-114dab0d1d48@email.android.com> <40240328-0247-4278-BB7B-BE89AE130076@ve7jtb.com> <a55ad34e52e0f9755e548106d27c4b8c@treenet.co.nz> <4FDB593B.4080508@aol.com>, <4E1F6AAD24975D4BA5B16804296739436654ABB1@TK5EX14MBXC283.redmond.corp.microsoft.com> <DDC84727-1B5F-48AD-AC3F-DB9700838955@hueniverse.com> <4E1F6AAD24975D4BA5B16804296739436654B001@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436654B001@TK5EX14MBXC283.redmond.corp.microsoft.com>
Content-Type: multipart/alternative; boundary="------------060406020309070103080104"
X-Originating-IP: [129.83.31.51]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jun 2012 18:16:24 -0000

Why not percent encoding for just colon and percent?

  -- Justin

On 06/15/2012 01:30 PM, Mike Jones wrote:
>
> I was asked a question off-list, which I think is worth answering 
> on-line.  The question was:  Why the Tab character, rather than 
> %-encoding?
>
> Introducing % encoding would break all existing OAuth 2.0 deployments 
> using HTTP Basic.  A non-starter...
>
> Tab is legal in HTTP Basic but not in URLs or presently client_ids.  
> It's also a character that can be visibly rendered in an acceptable 
> manner for debugging.  The other choices were CR and LF, which are 
> also legal in HTTP Basic but wouldn't render very nicely. ;-)
>
>                                                             Cheers,
>
>                                                             -- Mike
>
> *From:*Mike Jones
> *Sent:* Friday, June 15, 2012 9:30 AM
> *To:* 'Eran Hammer'
> *Cc:* George Fletcher; oauth@ietf.org
> *Subject:* RE: [OAUTH-WG] Dynamic clients, URI, and stuff Re: 
> Discussion needed on username and password ABNF definitions
>
> I agree with Eran that I prefer that this not be underspecified and 
> that an encoding for just colon for just Basic will suffice.
>
> I'd suggested the encoding s/:/<tab>/g as a strawman.  Are there any 
> other encoding proposals?
>
>                                                             -- Mike
>
> *From:*Eran Hammer [mailto:eran@hueniverse.com] 
> <mailto:[mailto:eran@hueniverse.com]>
> *Sent:* Friday, June 15, 2012 9:26 AM
> *To:* Mike Jones
> *Cc:* George Fletcher; oauth@ietf.org <mailto:oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: 
> Discussion needed on username and password ABNF definitions
>
> We should not leave this under specified. Picking an encoding for just 
> Basic and just colon is simple enough.
>
> EH
>
> On Jun 15, 2012, at 19:17, "Mike Jones" <Michael.Jones@microsoft.com 
> <mailto:Michael.Jones@microsoft.com>> wrote:
>
>     Based on use cases I'm seeing, believe it's important to allow the
>     use of URIs as client_id values (which means allowing ":" in the
>     client_id string).  I'm OK with us either specifying a specific
>     encoding when using them in Basic or simply saying that "When
>     client_ids are used with HTTP Basic that contain characters such
>     as ":" not allowed in HTTP Basic usernames, then the participants
>     will need to agree upon a method of encoding the client_id for use
>     with HTTP Basic.
>
>                                                                 -- Mike
>
>     *From:*oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org>
>     [mailto:oauth-bounces@ietf.org]
>     <mailto:[mailto:oauth-bounces@ietf.org]> *On Behalf Of *George
>     Fletcher
>     *Sent:* Friday, June 15, 2012 8:48 AM
>     *To:* oauth@ietf.org <mailto:oauth@ietf.org>
>     *Subject:* Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re:
>     Discussion needed on username and password ABNF definitions
>
>     +1 for a simple encoding and allowing ':' in the client_id
>
>     On 6/13/12 6:53 PM, Amos Jeffries wrote:
>
>     On 14.06.2012 06:40, John Bradley wrote:
>
>     That would probably work as well.  That is why I am not particularly
>     concerned about excluding the :
>
>     We originally used the URI itself,  mostly for convenience of
>     debugging,  but there are other potential options.
>
>     The authorization server needs to compare the client_id and the
>     redirect uri. But it could compare the hash with not much more work.
>     Also a sha256 hash is probably longer than the uri it is hashing.
>
>     I am not super concerned with being able to have : in the client_id
>
>     John B.
>
>
>
>     If I'm following all these threads correctly the only explicit
>     problem with URI in client_id is HTTP username field being :
>     terminated.
>     As such it does not have to be a hash per-se, just an encoding
>     that removes ":" and other reserved characters from the on-wire
>     form *when sent via HTTP*.
>
>     AYJ
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email