IETF Logo Mail Archive

Re: [OAUTH-WG] question about the b64token syntax in draft-ietf-oauth-v2-bearer

Paul Madsen <paul.madsen@gmail.com> Wed, 07 March 2012 21:34 UTC

Return-Path: <paul.madsen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BC0E11E80A1 for <oauth@ietfa.amsl.com>; Wed, 7 Mar 2012 13:34:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vxZ2SfWVtgZM for <oauth@ietfa.amsl.com>; Wed, 7 Mar 2012 13:34:08 -0800 (PST)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 5ED0011E80AE for <oauth@ietf.org>; Wed, 7 Mar 2012 13:34:08 -0800 (PST)
Received: by ghbg16 with SMTP id g16so3614174ghb.31 for <oauth@ietf.org>; Wed, 07 Mar 2012 13:34:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=vbEH8QnTqj3ytj/JAdnmUg7FDhdEqO/OwUMiaGJ43QI=; b=mtvMNG352quuTQjKgqbiSyu8ju17m2FFvNBLyIutqBBcuI+BTHuXaEZXjRSdQNf3R4 c/7Ug6geWWVIPtyWI8hDzdAR3dvttqkmImhEtbjmAvszy6DTlO2ji8AbzetLuhd7f8Oh kApK9f0KzjnjTZG6ZRyb5VLmIflH74Opl/T2u3imMBSQo0V4crRWS0h70L+eIs4bPK1e cF+vRNJeaiiA3kzUqfQ8Opiyxo9gXyizCA55UXsvZjY+1ulJfJA+gkjAM8MQ20Ct04n6 5zI274Vl6MlziXcuNGHjHsJGA5x1hLhIhonNVEtHQ+l7z6gJBZM/+tAENsf32a8Xl1Da 6Hjg==
Received: by 10.236.185.4 with SMTP id t4mr7297174yhm.129.1331156047933; Wed, 07 Mar 2012 13:34:07 -0800 (PST)
Received: from pmadsen-mbp.local (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com. [72.136.162.33]) by mx.google.com with ESMTPS id q14sm38874681anj.9.2012.03.07.13.34.05 (version=SSLv3 cipher=OTHER); Wed, 07 Mar 2012 13:34:06 -0800 (PST)
Message-ID: <4F57D44E.4030904@gmail.com>
Date: Wed, 07 Mar 2012 16:34:06 -0500
From: Paul Madsen <paul.madsen@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: Brian Campbell <bcampbell@pingidentity.com>
References: <CA+k3eCTTsqJZ7XzjA1qgxEJcyU0uio5EN2=yvs+h6ja1JEymiQ@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E114EDF66EE8@WSMSG3153V.srv.dir.telstra.com> <4E1F6AAD24975D4BA5B1680429673943663DB078@TK5EX14MBXC283.redmond.corp.microsoft.com> <CA+k3eCS71Lhfffu-D_mZ=emk_rR7FASdSjpu+j1KnJWytSEXLw@mail.gmail.com> <1331059528.92345.YahooMailNeo@web31806.mail.mud.yahoo.com> <CA+k3eCQ-PJvOYMB-fg6PtShy2=Wiit01bFvEVE-1_VpEABg5Eg@mail.gmail.com> <4F57B04A.9070509@mitre.org> <CA+k3eCTJWb2A0_yHdu7JqA5Ag07fLcLGo3jU3y6ucgdjQ6WV0A@mail.gmail.com>
In-Reply-To: <CA+k3eCTJWb2A0_yHdu7JqA5Ag07fLcLGo3jU3y6ucgdjQ6WV0A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------060705090403070301060908"
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] question about the b64token syntax in draft-ietf-oauth-v2-bearer
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Mar 2012 21:34:10 -0000

+1

On 3/7/12 4:08 PM, Brian Campbell wrote:
> Yeah, it is case insensitive. I just went with the upper case B
> because that's how it was written in §5.1.1 of
> draft-ietf-oauth-v2-bearer-17* which is where I guess it's actually
> defined. But I see draft-ietf-oauth-v2-23 uses a lower case b**.
> Either one would be fine.
>
> I agree that an example response from the token endpoint would be
> worthwhile.  Something like the following might help tie together with
> the Authorization header example (proposed earlier). It could maybe be
> worked in near the top of §2?
>
>       HTTP/1.1 200 OK
>       Content-Type: application/json;charset=UTF-8
>       Cache-Control: no-store
>       Pragma: no-cache
>
>       {
>         "access_token":"vF_9.5dCf-t4.qbcmT_k1b",
>         "token_type":"example",
>         "expires_in":3600,
>         "refresh_token":"stGzv3xOdkF0X35Qp2TlKWIA",
>       }
>
> It'd probably make sense to change the examples in the body §2.2***
> and query §2.3**** to use the same access token value too.
>
>
> * http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-5.1.1
> ** http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-7.1
> *** http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-2.2
> **** http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-2.3
>
>
> On Wed, Mar 7, 2012 at 12:00 PM, Justin Richer<jricher@mitre.org>  wrote:
>> Makes sense to me, except that I think the token_type value is typically
>> lowercase "bearer", though it's defined to be case insensitive in
>> Oauth-v2-23 section 5.1. Come to think of it, I'm not sure that the value of
>> this field for the Bearer token type ever got defined anywhere. Section 7.1
>> references the bearer spec as defining the value of the "token_type"
>> parameter, and passes its example as if by reference. Would be worthwhile
>> giving an example of a token endpoint response, such as what's found in
>> OAuth-v2-23 section 5.1.
>>
>>   -- Justin
>>
>>
>> On 03/07/2012 12:16 PM, Brian Campbell wrote:
>>> I'd like to propose the following changes and additions, derived
>>> largely from Bill and James suggestions, to
>>> draft-ietf-oauth-v2-bearer-17.  These changes have no normative impact
>>> and only aim to add additional clarity and explanation the workings
>>> and implications of the current spec.  I'm definitely open to changes
>>> or improvements in the wording here (not my strong suit by any means)
>>> but I think it's important that these general ideas be conveyed in the
>>> draft.
>>>
>>>
>>> ==>    Insert the following text at the beginning of §2:
>>>
>>> To make a protected resource request, the client must be in possession
>>> of a valid bearer token. Typically a bearer token is returned to the
>>> client as part of an access token response as defined in OAuth 2.0
>>> [I-D.ietf-oauth-v2]. When the "token_type" parameter of the access
>>> token response is "Bearer", the string value of the "access_token"
>>> parameter becomes the bearer access token used to make protected
>>> resource requests.
>>>
>>> ==>    Change the value of the token in the Authorization header example to
>>> this:
>>>
>>> Authorization: Bearer vF_9.5dCf-t4.qbcmT_k1b
>>>
>>> ==>    Insert the following text before the last paragraph of §2.1:
>>>
>>> Note that the name b64token does not imply base64 encoding but rather
>>> is the name for an ABNF syntax definition from HTTP/1.1, Part 7
>>> [I-D.ietf-httpbis-p7-auth]. Because of its use, the "access_token"
>>> string value from an access token response MUST match the b64token
>>> ABNF so it can be used with the Bearer HTTP scheme.
>>>
>>>
>>> Thanks,
>>> Brian
>>>
>>>
>>>
>>>
>>> On Tue, Mar 6, 2012 at 11:45 AM, William Mills<wmills@yahoo-inc.com>
>>>   wrote:
>>>> Yeah, something as simple as, "Note that the name 'b64token' does not
>>>> imply
>>>> base64 encoding, see the definition in [[INSERT REFERENCE HERE]]." would
>>>> do
>>>> it.
>>>>
>>>> -bill
>>>>
>>>> ________________________________
>>>> From: Brian Campbell<bcampbell@pingidentity.com>
>>>> To: Mike Jones<Michael.Jones@microsoft.com>
>>>> Cc: oauth<oauth@ietf.org>
>>>> Sent: Tuesday, March 6, 2012 8:23 AM
>>>>
>>>> Subject: Re: [OAUTH-WG] question about the b64token syntax in
>>>> draft-ietf-oauth-v2-bearer
>>>>
>>>> Thanks Mike, I think changing the example would be helpful.
>>>>
>>>> However I think that including some text along the lines of what James
>>>> suggested would also be very valuable. I agree that the connection
>>>> between OAuth and Bearer could and should be made more explicit. And
>>>> that the implications of the b64token syntax, particularly on what AS
>>>> can use to construct ATs, could/should be made more clear.
>>>>
>>>> I can propose some specific text (building on James') if others in the WG
>>>> agree?
>>>>
>>>>
>>>> On Mon, Mar 5, 2012 at 5:32 PM, Mike Jones<Michael.Jones@microsoft.com>
>>>> wrote:
>>>>> I'm fine with changing the example to make it clearer that b64token
>>>>> allows
>>>>> a wider range of characters than just those legal for base64 and
>>>>> base64url
>>>>> encodings of data values.
>>>>>
>>>>> I'll add it to my to-do list for any additional edits for the Bearer
>>>>> spec.
>>>>>
>>>>>                                 -- Mike
>>>>>
>>>>> -----Original Message-----
>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>>>>> Of
>>>>> Manger, James H
>>>>> Sent: Monday, March 05, 2012 3:33 PM
>>>>> To: Brian Campbell; oauth
>>>>> Subject: Re: [OAUTH-WG] question about the b64token syntax in
>>>>> draft-ietf-oauth-v2-bearer
>>>>>
>>>>> Brian,
>>>>>
>>>>>> On casual reading of "The OAuth 2.0 Authorization Protocol: Bearer
>>>>>> Tokens"* I've encountered several people (including myself) who have
>>>>>> made the assumption that the name b64token implies that some kind of
>>>>>> base64 encoding/decoding on the access token is taking place between
>>>>>> the client and RS.
>>>>>>
>>>>>> Digging a bit deeper in to "HTTP/1.1, part 7: Authentication"**,
>>>>>> however, I see that b64token is just an ABNF syntax definition
>>>>>> allowing for characters typically used in base64, base64url, etc.. So
>>>>>> the b64token doesn't define any encoding or decoding but rather just
>>>>>> defines what characters can be used in the part of the Authorization
>>>>>> header that will contain the access token.
>>>>>>
>>>>>> Do I read this correctly?
>>>>> Yes.
>>>>>
>>>>>> If so, I feel like some additional clarifying text in the Bearer
>>>>>> Tokens draft might help avoid what is (based on my small sample) a
>>>>>> common point of misunderstanding.
>>>>> Changing the example bearer token should be a simple way to avoid some
>>>>> confusion by showing that it does not have to be base64 encoding. How
>>>>> about
>>>>> changing:
>>>>>   Authorization: Bearer vF9dft4qmT
>>>>> to
>>>>>   Authorization: Bearer vF9.dft4.qmT
>>>>>
>>>>> The Bearer spec has lots of (unnecessary) text about OAuth, but doesn't
>>>>> quite manage to be precise about how OAuth and Bearer connect. It could
>>>>> explicitly state that the string value of the "access_token" member of
>>>>> an
>>>>> access token response is the bearer token. The "access_token" string
>>>>> value
>>>>> (after unescaping any JSON-escapes) MUST match the b64token ABNF so it
>>>>> can
>>>>> be used with the Bearer HTTP scheme. Such text could be put in §5.1.1
>>>>> where
>>>>> the "Bearer" OAuth access token type is defined.
>>>>>
>>>>>
>>>>>> Also, does the use of b64token implicitly limit the allowed characters
>>>>>> that an AS can use to construct a bearer access token?
>>>>> Yes.
>>>>>
>>>>>
>>>>>> * http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-2.1
>>>>>> **
>>>>>> http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-18#section-2.1
>>>>> --
>>>>> James Manger
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email