Re: [OAUTH-WG] Understanding the reasoning for Base64
Evan Gilbert <uidude@google.com> Wed, 07 July 2010 04:17 UTC
Return-Path: <uidude@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 831E43A6970 for <oauth@core3.amsl.com>; Tue, 6 Jul 2010 21:17:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.376
X-Spam-Level:
X-Spam-Status: No, score=-103.376 tagged_above=-999 required=5 tests=[BAYES_50=0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g3olJ7RjsWAh for <oauth@core3.amsl.com>; Tue, 6 Jul 2010 21:17:44 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id 635F03A696F for <oauth@ietf.org>; Tue, 6 Jul 2010 21:17:44 -0700 (PDT)
Received: from kpbe14.cbf.corp.google.com (kpbe14.cbf.corp.google.com [172.25.105.78]) by smtp-out.google.com with ESMTP id o674HkTJ021254 for <oauth@ietf.org>; Tue, 6 Jul 2010 21:17:46 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1278476266; bh=w7mNdFtCw8OLPLiWOmeSf/HUUAs=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=euYclGrUWPHxs5Z+DQEvZAvwsy0C2lHNJtJh/ac0EoHaHehlD45gZ0iz1izcolh03 sLJH9i70epndcAuNbF71w==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:x-system-of-record; b=mibs/5C6h9K/KiTHT9dQuS9lJ+9Ne9AVfeV55E9OP0uV8wmmIZsEnmpEbfWf63Lzm tPCDeZpFpkcr8NNBWvtYw==
Received: from qyk30 (qyk30.prod.google.com [10.241.83.158]) by kpbe14.cbf.corp.google.com with ESMTP id o674HiOv015380 for <oauth@ietf.org>; Tue, 6 Jul 2010 21:17:45 -0700
Received: by qyk30 with SMTP id 30so2647808qyk.6 for <oauth@ietf.org>; Tue, 06 Jul 2010 21:17:44 -0700 (PDT)
Received: by 10.224.44.65 with SMTP id z1mr2809603qae.114.1278476264394; Tue, 06 Jul 2010 21:17:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.78.211 with HTTP; Tue, 6 Jul 2010 21:17:24 -0700 (PDT)
In-Reply-To: <095B9543-1F20-4DA5-A8EB-48F86CDED9A6@gmail.com>
References: <AANLkTimMruKyblUWROkPMDapFKtTztOXqL64PpQxCmKO@mail.gmail.com> <2625894F-2979-40BD-81E1-05A6EB8723CD@facebook.com> <AANLkTinvLOV0f3I-aWpeAbfIpfGyxZSB2RHu52iw5mDC@mail.gmail.com> <AANLkTilWNneonIRX21U1RZcE80FuVSJWXU7CNm5pV275@mail.gmail.com> <AANLkTin-7PNLv-Hc229JJcOrIBh4fJqY5CMaLCMbmoIk@mail.gmail.com> <AANLkTikh_nQ8dXSp7QXJ79kCdbX1zeyPKAl_kgplb25x@mail.gmail.com> <3DC7AEF8-3283-4970-BB98-3D680A3E2429@gmail.com> <AANLkTimpvWCbCBEWdI1Id5Ig_xCUW2hvKDro5LyhufMV@mail.gmail.com> <FE47FED0-3850-4393-9C79-DE06F0F7B6CA@gmail.com> <BA564125-9FBB-4B1A-93AC-7DD1A754A5E1@facebook.com> <C66A9854-02EB-4CCE-8338-382AEEC7EA61@gmail.com> <AANLkTikiXVruhZSH3Q6rMhdZAHRBPkhE_JVhSNOhCXmN@mail.gmail.com> <6B008ED4-4536-4A95-89B6-917696E6AF79@gmail.com> <AANLkTilTxGBYt2RFrEOqaYoLCV1TQOtonBh5dxL5PQCd@mail.gmail.com> <095B9543-1F20-4DA5-A8EB-48F86CDED9A6@gmail.com>
From: Evan Gilbert <uidude@google.com>
Date: Tue, 06 Jul 2010 21:17:24 -0700
Message-ID: <AANLkTimdWTqFd8UmcnYtYPZ3Dqzsffgn1HHwxPpnHcWY@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Content-Type: multipart/alternative; boundary="00c09f97212f97d48d048ac473f9"
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Understanding the reasoning for Base64
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jul 2010 04:17:49 -0000
Hi all - having a little bit of a hard time following the full thread, but
I'm strongly in favor of base64url encoding.
A big advantage of this encoding is that, if token is base64url encoded,
then urlencode(token) == token.
This allows developers to avoid a large class of problems in dealing with
URL encoding / decoding issues - it is very easy to accidentally double
encode / decode values, and also easy to get tripped up on the different
encoding rules in different parts of a URL. For example, different
characters are OK before and after the hash, and not all browsers decode the
hash the same way.
Also being able to copy a value from a URL and use it directly in a tool or
Authorization header is invaluable for debugging.
Per notes above, the transformation is very straightforward.
Evan
On Sat, Jul 3, 2010 at 12:45 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> On 2010-07-03, at 12:14 PM, Naitik Shah wrote:
>
> On Sat, Jul 3, 2010 at 9:42 AM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
>>
>> On 2010-07-03, at 9:13 AM, Naitik Shah wrote:
>>
>> > I think Naitik is saying that accidentally doing base64 and not
>>> base64url will send some '+'s along.
>>>
>>> if there are '+'s in the token, then it is easy for someone helping to
>>> spot the problem. also easy for servers to send back an error message
>>> saying, "hey, looks like you are using base64 instead of base64url encoding"
>>>
>>> ie, it is easy to detect the error -- urlencoding / decoding is hard to
>>> detect as an error
>>>
>>
>> The pluses are not guaranteed. They may or may not be there depending on
>> the data stream you're encoding. If you don't urlencode the JSON, you'll get
>> a "{", if you do it once, you'll get a "%7B", if you do it twice, you'll get
>> a "%257B" -- seems easier to detect.
>>
>>
>> Your earlier point was that developers may incorrectly use base64 instead
>> of base64url. If they used base64, and if there is a + / = or % in the
>> string, the server can send a useful note saying what is wrong. There may
>> not be one of those characters depending on the input string, but if there
>> is, then the server can suggest what the error might be using base64 instead
>> of base64url. If the token contains ANY character that is not in base64url,
>> then the server can say that it is not base64url encoded.
>>
>> That seems pretty fool proof to detect. Note that you should never get any
>> %7B or other encoding in the token as it is url safe.
>>
>
> The thing I was trying to say was that it's less predictable. That it might
> work just fine when you're experimenting with the API because at that point
> your token did not contain any pluses, but then suddenly started failing
> after you sent a link to your app to someone because their encoded token
> contains a plus. This hit-or-miss to me is worse than being able to tell by
> looking at the first few characters of the urlencoded JSON blob which will
> give a definitive answer as to how many times the token has been urlencoded.
>
>
> I understand your point. I still think base64url encoding makes it really
> clear that it is encoded (nothing is legible anymore), allows there to be
> one encoding format for all data, makes it easy to support encryption.
>
>
>
>
>
>>
>>> When I wrote a sample in Perl, it was pretty easy to make it base64url
>>> which then provides a consistent encoding.
>>>
>>
>> Did it involve a string replace call? Or a third party library?
>>
>>
>> I used a standard CPAN library.
>>
>>
> Exactly :) I'm imagining our documentation where we want to be library
> agnostic, and have almost psuedo code like code snippets. I said this
> earlier -- while base64 may be common in standard libraries built into
> languages, the base64url version isn't. In order to not have a "cpan install
> base64url" (and gem install, easy_install, mvn install..) -- we'ed most
> likely document a str_replace() call in addition to a base64 call. And I'm
> worried that developers will miss this detail.
>
>
> Likely they will install an OAuth library that will deal with it if they
> are going to have to sign rather than using a bearer token (I believe most
> people will use a bearer token if they can -- soooo much easier!)
>
> Besides base64url, there is HMAC256 and JSON -- not all of which are built
> in -- but are becoming more built in as time goes on, and if OAuth signing
> uses base64url, I would expect these will all be part of standard
> distributions in the future ...
>
> (... in case you are unfamiliar with my backgroud, I have delivered Perl,
> Python and Tcl distributions in the past -- what goes into a packages is
> what is heavily used or what we thought was a good thing to promote -- and
> assuming that making base64url more available is a good thing, than using
> it in OAuth is a good thing to do. :)
>
>
>
>
>>
>>
>>
>>
>>> >
>>> >> I am unclear on what your point is.
>>> >>
>>> >> The token would be included as one of the headers. This is often
>>> preferable as it separates the authorization layer (in header) from
>>> application layer parameters (query string or message body)
>>> >
>>> > With our proposal, we were focussed on url parameters (hence the choice
>>> of urlencode after it was all put together). I think it makes total sense to
>>> not do the encoding as part of the sig spec, and let the transport choice
>>> dictate which encoding to use.
>>>
>>> I understand what you are saying. having multiple encodings makes
>>> libraries harder, and leads to the issues that motivated base64url over
>>> url-encoding
>>
>>
>> Glad we agree on that.
>>
>
> I agree multiple encodings makes libraries harder :)
>
>
> glad we agree there
>
>
>
> But I think the stark difference between OAuth1 vs 2 wrt to signing
> actually makes the Authorization header less valuable (again, for signing
> only). I'm pretty happy with this because I thought this header was more
> complex for developers anyways (while big corporations with authentication
> infrastructure love it) :) But the reason I think so is that now the header
> is not just the signature, but also the signed payload. This means an
> application isn't just making a http request as before with a bunch of query
> or post parameters. It's instead making a "JSON request" that may or may not
> have query/post params. It's just not as separate as before.
>
>
> I am confused on what point you are trying to make here.
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
- [OAUTH-WG] Understanding the reasoning for Base64 Naitik Shah
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Luke Shepard
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Breno
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Naitik Shah
- Re: [OAUTH-WG] Understanding the reasoning for Ba… John Panzer
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Naitik Shah
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Dick Hardt
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Naitik Shah
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Dick Hardt
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Paul Tarjan
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Dick Hardt
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Naitik Shah
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Ben Laurie
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Dick Hardt
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Dick Hardt
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Luke Shepard
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Naitik Shah
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Dick Hardt
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Evan Gilbert
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Naitik Shah
- Re: [OAUTH-WG] Understanding the reasoning for Ba… Dick Hardt