Re: [OAUTH-WG] question about the b64token syntax in draft-ietf-oauth-v2-bearer
Paul Madsen <paul.madsen@gmail.com> Wed, 07 March 2012 21:34 UTC
Return-Path: <paul.madsen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BC0E11E80A1 for <oauth@ietfa.amsl.com>; Wed, 7 Mar 2012 13:34:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vxZ2SfWVtgZM for <oauth@ietfa.amsl.com>; Wed, 7 Mar 2012 13:34:08 -0800 (PST)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 5ED0011E80AE for <oauth@ietf.org>; Wed, 7 Mar 2012 13:34:08 -0800 (PST)
Received: by ghbg16 with SMTP id g16so3614174ghb.31 for <oauth@ietf.org>; Wed, 07 Mar 2012 13:34:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=vbEH8QnTqj3ytj/JAdnmUg7FDhdEqO/OwUMiaGJ43QI=; b=mtvMNG352quuTQjKgqbiSyu8ju17m2FFvNBLyIutqBBcuI+BTHuXaEZXjRSdQNf3R4 c/7Ug6geWWVIPtyWI8hDzdAR3dvttqkmImhEtbjmAvszy6DTlO2ji8AbzetLuhd7f8Oh kApK9f0KzjnjTZG6ZRyb5VLmIflH74Opl/T2u3imMBSQo0V4crRWS0h70L+eIs4bPK1e cF+vRNJeaiiA3kzUqfQ8Opiyxo9gXyizCA55UXsvZjY+1ulJfJA+gkjAM8MQ20Ct04n6 5zI274Vl6MlziXcuNGHjHsJGA5x1hLhIhonNVEtHQ+l7z6gJBZM/+tAENsf32a8Xl1Da 6Hjg==
Received: by 10.236.185.4 with SMTP id t4mr7297174yhm.129.1331156047933; Wed, 07 Mar 2012 13:34:07 -0800 (PST)
Received: from pmadsen-mbp.local (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com. [72.136.162.33]) by mx.google.com with ESMTPS id q14sm38874681anj.9.2012.03.07.13.34.05 (version=SSLv3 cipher=OTHER); Wed, 07 Mar 2012 13:34:06 -0800 (PST)
Message-ID: <4F57D44E.4030904@gmail.com>
Date: Wed, 07 Mar 2012 16:34:06 -0500
From: Paul Madsen <paul.madsen@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: Brian Campbell <bcampbell@pingidentity.com>
References: <CA+k3eCTTsqJZ7XzjA1qgxEJcyU0uio5EN2=yvs+h6ja1JEymiQ@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E114EDF66EE8@WSMSG3153V.srv.dir.telstra.com> <4E1F6AAD24975D4BA5B1680429673943663DB078@TK5EX14MBXC283.redmond.corp.microsoft.com> <CA+k3eCS71Lhfffu-D_mZ=emk_rR7FASdSjpu+j1KnJWytSEXLw@mail.gmail.com> <1331059528.92345.YahooMailNeo@web31806.mail.mud.yahoo.com> <CA+k3eCQ-PJvOYMB-fg6PtShy2=Wiit01bFvEVE-1_VpEABg5Eg@mail.gmail.com> <4F57B04A.9070509@mitre.org> <CA+k3eCTJWb2A0_yHdu7JqA5Ag07fLcLGo3jU3y6ucgdjQ6WV0A@mail.gmail.com>
In-Reply-To: <CA+k3eCTJWb2A0_yHdu7JqA5Ag07fLcLGo3jU3y6ucgdjQ6WV0A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------060705090403070301060908"
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] question about the b64token syntax in draft-ietf-oauth-v2-bearer
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Mar 2012 21:34:10 -0000
+1 On 3/7/12 4:08 PM, Brian Campbell wrote: > Yeah, it is case insensitive. I just went with the upper case B > because that's how it was written in §5.1.1 of > draft-ietf-oauth-v2-bearer-17* which is where I guess it's actually > defined. But I see draft-ietf-oauth-v2-23 uses a lower case b**. > Either one would be fine. > > I agree that an example response from the token endpoint would be > worthwhile. Something like the following might help tie together with > the Authorization header example (proposed earlier). It could maybe be > worked in near the top of §2? > > HTTP/1.1 200 OK > Content-Type: application/json;charset=UTF-8 > Cache-Control: no-store > Pragma: no-cache > > { > "access_token":"vF_9.5dCf-t4.qbcmT_k1b", > "token_type":"example", > "expires_in":3600, > "refresh_token":"stGzv3xOdkF0X35Qp2TlKWIA", > } > > It'd probably make sense to change the examples in the body §2.2*** > and query §2.3**** to use the same access token value too. > > > * http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-5.1.1 > ** http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-7.1 > *** http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-2.2 > **** http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-2.3 > > > On Wed, Mar 7, 2012 at 12:00 PM, Justin Richer<jricher@mitre.org> wrote: >> Makes sense to me, except that I think the token_type value is typically >> lowercase "bearer", though it's defined to be case insensitive in >> Oauth-v2-23 section 5.1. Come to think of it, I'm not sure that the value of >> this field for the Bearer token type ever got defined anywhere. Section 7.1 >> references the bearer spec as defining the value of the "token_type" >> parameter, and passes its example as if by reference. Would be worthwhile >> giving an example of a token endpoint response, such as what's found in >> OAuth-v2-23 section 5.1. >> >> -- Justin >> >> >> On 03/07/2012 12:16 PM, Brian Campbell wrote: >>> I'd like to propose the following changes and additions, derived >>> largely from Bill and James suggestions, to >>> draft-ietf-oauth-v2-bearer-17. These changes have no normative impact >>> and only aim to add additional clarity and explanation the workings >>> and implications of the current spec. I'm definitely open to changes >>> or improvements in the wording here (not my strong suit by any means) >>> but I think it's important that these general ideas be conveyed in the >>> draft. >>> >>> >>> ==> Insert the following text at the beginning of §2: >>> >>> To make a protected resource request, the client must be in possession >>> of a valid bearer token. Typically a bearer token is returned to the >>> client as part of an access token response as defined in OAuth 2.0 >>> [I-D.ietf-oauth-v2]. When the "token_type" parameter of the access >>> token response is "Bearer", the string value of the "access_token" >>> parameter becomes the bearer access token used to make protected >>> resource requests. >>> >>> ==> Change the value of the token in the Authorization header example to >>> this: >>> >>> Authorization: Bearer vF_9.5dCf-t4.qbcmT_k1b >>> >>> ==> Insert the following text before the last paragraph of §2.1: >>> >>> Note that the name b64token does not imply base64 encoding but rather >>> is the name for an ABNF syntax definition from HTTP/1.1, Part 7 >>> [I-D.ietf-httpbis-p7-auth]. Because of its use, the "access_token" >>> string value from an access token response MUST match the b64token >>> ABNF so it can be used with the Bearer HTTP scheme. >>> >>> >>> Thanks, >>> Brian >>> >>> >>> >>> >>> On Tue, Mar 6, 2012 at 11:45 AM, William Mills<wmills@yahoo-inc.com> >>> wrote: >>>> Yeah, something as simple as, "Note that the name 'b64token' does not >>>> imply >>>> base64 encoding, see the definition in [[INSERT REFERENCE HERE]]." would >>>> do >>>> it. >>>> >>>> -bill >>>> >>>> ________________________________ >>>> From: Brian Campbell<bcampbell@pingidentity.com> >>>> To: Mike Jones<Michael.Jones@microsoft.com> >>>> Cc: oauth<oauth@ietf.org> >>>> Sent: Tuesday, March 6, 2012 8:23 AM >>>> >>>> Subject: Re: [OAUTH-WG] question about the b64token syntax in >>>> draft-ietf-oauth-v2-bearer >>>> >>>> Thanks Mike, I think changing the example would be helpful. >>>> >>>> However I think that including some text along the lines of what James >>>> suggested would also be very valuable. I agree that the connection >>>> between OAuth and Bearer could and should be made more explicit. And >>>> that the implications of the b64token syntax, particularly on what AS >>>> can use to construct ATs, could/should be made more clear. >>>> >>>> I can propose some specific text (building on James') if others in the WG >>>> agree? >>>> >>>> >>>> On Mon, Mar 5, 2012 at 5:32 PM, Mike Jones<Michael.Jones@microsoft.com> >>>> wrote: >>>>> I'm fine with changing the example to make it clearer that b64token >>>>> allows >>>>> a wider range of characters than just those legal for base64 and >>>>> base64url >>>>> encodings of data values. >>>>> >>>>> I'll add it to my to-do list for any additional edits for the Bearer >>>>> spec. >>>>> >>>>> -- Mike >>>>> >>>>> -----Original Message----- >>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf >>>>> Of >>>>> Manger, James H >>>>> Sent: Monday, March 05, 2012 3:33 PM >>>>> To: Brian Campbell; oauth >>>>> Subject: Re: [OAUTH-WG] question about the b64token syntax in >>>>> draft-ietf-oauth-v2-bearer >>>>> >>>>> Brian, >>>>> >>>>>> On casual reading of "The OAuth 2.0 Authorization Protocol: Bearer >>>>>> Tokens"* I've encountered several people (including myself) who have >>>>>> made the assumption that the name b64token implies that some kind of >>>>>> base64 encoding/decoding on the access token is taking place between >>>>>> the client and RS. >>>>>> >>>>>> Digging a bit deeper in to "HTTP/1.1, part 7: Authentication"**, >>>>>> however, I see that b64token is just an ABNF syntax definition >>>>>> allowing for characters typically used in base64, base64url, etc.. So >>>>>> the b64token doesn't define any encoding or decoding but rather just >>>>>> defines what characters can be used in the part of the Authorization >>>>>> header that will contain the access token. >>>>>> >>>>>> Do I read this correctly? >>>>> Yes. >>>>> >>>>>> If so, I feel like some additional clarifying text in the Bearer >>>>>> Tokens draft might help avoid what is (based on my small sample) a >>>>>> common point of misunderstanding. >>>>> Changing the example bearer token should be a simple way to avoid some >>>>> confusion by showing that it does not have to be base64 encoding. How >>>>> about >>>>> changing: >>>>> Authorization: Bearer vF9dft4qmT >>>>> to >>>>> Authorization: Bearer vF9.dft4.qmT >>>>> >>>>> The Bearer spec has lots of (unnecessary) text about OAuth, but doesn't >>>>> quite manage to be precise about how OAuth and Bearer connect. It could >>>>> explicitly state that the string value of the "access_token" member of >>>>> an >>>>> access token response is the bearer token. The "access_token" string >>>>> value >>>>> (after unescaping any JSON-escapes) MUST match the b64token ABNF so it >>>>> can >>>>> be used with the Bearer HTTP scheme. Such text could be put in §5.1.1 >>>>> where >>>>> the "Bearer" OAuth access token type is defined. >>>>> >>>>> >>>>>> Also, does the use of b64token implicitly limit the allowed characters >>>>>> that an AS can use to construct a bearer access token? >>>>> Yes. >>>>> >>>>> >>>>>> * http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-2.1 >>>>>> ** >>>>>> http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-18#section-2.1 >>>>> -- >>>>> James Manger >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] question about the b64token syntax in … Brian Campbell
- Re: [OAUTH-WG] question about the b64token syntax… Manger, James H
- Re: [OAUTH-WG] question about the b64token syntax… Mike Jones
- Re: [OAUTH-WG] question about the b64token syntax… Brian Campbell
- Re: [OAUTH-WG] question about the b64token syntax… Paul Madsen
- Re: [OAUTH-WG] question about the b64token syntax… Justin Richer
- Re: [OAUTH-WG] question about the b64token syntax… William Mills
- Re: [OAUTH-WG] question about the b64token syntax… Brian Campbell
- Re: [OAUTH-WG] question about the b64token syntax… William Mills
- Re: [OAUTH-WG] question about the b64token syntax… Justin Richer
- Re: [OAUTH-WG] question about the b64token syntax… Brian Campbell
- Re: [OAUTH-WG] question about the b64token syntax… Paul Madsen
- Re: [OAUTH-WG] question about the b64token syntax… Mike Jones
- Re: [OAUTH-WG] question about the b64token syntax… Manger, James H
- Re: [OAUTH-WG] question about the b64token syntax… Paul Madsen
- Re: [OAUTH-WG] question about the b64token syntax… John Bradley
- Re: [OAUTH-WG] question about the b64token syntax… Brian Campbell
- Re: [OAUTH-WG] question about the b64token syntax… Richer, Justin P.
- Re: [OAUTH-WG] question about the b64token syntax… George Fletcher