Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
Mike Jones <Michael.Jones@microsoft.com> Fri, 15 June 2012 16:30 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 122E821F850F for <oauth@ietfa.amsl.com>; Fri, 15 Jun 2012 09:30:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.714
X-Spam-Level:
X-Spam-Status: No, score=-3.714 tagged_above=-999 required=5 tests=[AWL=-0.116, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rnyu1VmrlESy for <oauth@ietfa.amsl.com>; Fri, 15 Jun 2012 09:30:14 -0700 (PDT)
Received: from am1outboundpool.messaging.microsoft.com (am1ehsobe004.messaging.microsoft.com [213.199.154.207]) by ietfa.amsl.com (Postfix) with ESMTP id 2801821F85A0 for <oauth@ietf.org>; Fri, 15 Jun 2012 09:30:14 -0700 (PDT)
Received: from mail21-am1-R.bigfish.com (10.3.201.242) by AM1EHSOBE002.bigfish.com (10.3.204.22) with Microsoft SMTP Server id 14.1.225.23; Fri, 15 Jun 2012 16:29:03 +0000
Received: from mail21-am1 (localhost [127.0.0.1]) by mail21-am1-R.bigfish.com (Postfix) with ESMTP id 8406338050A; Fri, 15 Jun 2012 16:29:02 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC101.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: -23
X-BigFish: VS-23(zzbb2dI98dI9371Ic85fhzz1202hzz1033IL8275bh8275dhz2fh2a8h668h839hd25hf0ah)
Received-SPF: pass (mail21-am1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC101.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail21-am1 (localhost.localdomain [127.0.0.1]) by mail21-am1 (MessageSwitch) id 1339777739613529_32726; Fri, 15 Jun 2012 16:28:59 +0000 (UTC)
Received: from AM1EHSMHS010.bigfish.com (unknown [10.3.201.253]) by mail21-am1.bigfish.com (Postfix) with ESMTP id 9411A10004B; Fri, 15 Jun 2012 16:28:59 +0000 (UTC)
Received: from TK5EX14MLTC101.redmond.corp.microsoft.com (131.107.125.8) by AM1EHSMHS010.bigfish.com (10.3.207.110) with Microsoft SMTP Server (TLS) id 14.1.225.23; Fri, 15 Jun 2012 16:28:57 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.53]) by TK5EX14MLTC101.redmond.corp.microsoft.com ([157.54.79.178]) with mapi id 14.02.0298.005; Fri, 15 Jun 2012 16:29:40 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Eran Hammer <eran@hueniverse.com>
Thread-Topic: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
Thread-Index: AQHNSw5aQ+07XirTWkeEJ2jRd0gB45b7jZDwgAADgx2AAAA4oA==
Date: Fri, 15 Jun 2012 16:29:40 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436654ACC2@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <9dbeab60-8fe4-4828-9c52-d7af95378f4c@email.android.com> <0ec59f35-4a66-4719-adf3-114dab0d1d48@email.android.com> <40240328-0247-4278-BB7B-BE89AE130076@ve7jtb.com> <a55ad34e52e0f9755e548106d27c4b8c@treenet.co.nz> <4FDB593B.4080508@aol.com>, <4E1F6AAD24975D4BA5B16804296739436654ABB1@TK5EX14MBXC283.redmond.corp.microsoft.com> <DDC84727-1B5F-48AD-AC3F-DB9700838955@hueniverse.com>
In-Reply-To: <DDC84727-1B5F-48AD-AC3F-DB9700838955@hueniverse.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.33]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436654ACC2TK5EX14MBXC283r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jun 2012 16:30:17 -0000
I agree with Eran that I prefer that this not be underspecified and that an encoding for just colon for just Basic will suffice. I'd suggested the encoding s/:/<tab>/g as a strawman. Are there any other encoding proposals? -- Mike From: Eran Hammer [mailto:eran@hueniverse.com] Sent: Friday, June 15, 2012 9:26 AM To: Mike Jones Cc: George Fletcher; oauth@ietf.org Subject: Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions We should not leave this under specified. Picking an encoding for just Basic and just colon is simple enough. EH On Jun 15, 2012, at 19:17, "Mike Jones" <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote: Based on use cases I'm seeing, believe it's important to allow the use of URIs as client_id values (which means allowing ":" in the client_id string). I'm OK with us either specifying a specific encoding when using them in Basic or simply saying that "When client_ids are used with HTTP Basic that contain characters such as ":" not allowed in HTTP Basic usernames, then the participants will need to agree upon a method of encoding the client_id for use with HTTP Basic. -- Mike From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org]<mailto:[mailto:oauth-bounces@ietf.org]> On Behalf Of George Fletcher Sent: Friday, June 15, 2012 8:48 AM To: oauth@ietf.org<mailto:oauth@ietf.org> Subject: Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions +1 for a simple encoding and allowing ':' in the client_id On 6/13/12 6:53 PM, Amos Jeffries wrote: On 14.06.2012 06:40, John Bradley wrote: That would probably work as well. That is why I am not particularly concerned about excluding the : We originally used the URI itself, mostly for convenience of debugging, but there are other potential options. The authorization server needs to compare the client_id and the redirect uri. But it could compare the hash with not much more work. Also a sha256 hash is probably longer than the uri it is hashing. I am not super concerned with being able to have : in the client_id John B. If I'm following all these threads correctly the only explicit problem with URI in client_id is HTTP username field being : terminated. As such it does not have to be a hash per-se, just an encoding that removes ":" and other reserved characters from the on-wire form *when sent via HTTP*. AYJ _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Torsten Lodderstedt
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… John Bradley
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… William Mills
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Torsten Lodderstedt
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… John Bradley
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Amos Jeffries
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Jianhua Shao
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… William Mills
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Eran Hammer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Torsten Lodderstedt
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Justin Richer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… George Fletcher
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Brian Campbell
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Eran Hammer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… William Mills
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Justin Richer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Justin Richer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Justin Richer