IETF Logo Mail Archive

Re: [OAUTH-WG] Should registration request be form-urlencoded or JSON?

Dale Olds <olds@vmware.com> Tue, 05 February 2013 07:42 UTC

Return-Path: <olds@rbcon.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C664821F858C for <oauth@ietfa.amsl.com>; Mon, 4 Feb 2013 23:42:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.598
X-Spam-Level:
X-Spam-Status: No, score=-103.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z5KSdVAsUOb1 for <oauth@ietfa.amsl.com>; Mon, 4 Feb 2013 23:42:24 -0800 (PST)
Received: from mail-pa0-f46.google.com (mail-pa0-f46.google.com [209.85.220.46]) by ietfa.amsl.com (Postfix) with ESMTP id D896321F8545 for <oauth@ietf.org>; Mon, 4 Feb 2013 23:42:24 -0800 (PST)
Received: by mail-pa0-f46.google.com with SMTP id kp14so3880960pab.33 for <oauth@ietf.org>; Mon, 04 Feb 2013 23:42:21 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:sender:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type:x-gm-message-state; bh=lhcK2l2+GEDpqAmg4HDYx6i/Z21YuVE+ypSCJmfb1iM=; b=IDuFluslYU1jfjLT5l+R3pU3SVzi01BSLd8OF0a3UCopMHGlnjdCd1O4qC3V8ytbLZ Gt0YnPg8UwaYl23tUKO3z3kydj83e+8pUUR4jD2hm7smLO8XIfyxrAizKYHK3KsBImzx 562o8ixjqGiwWYY/GaaJ+MLCTvJCUh0W3dEUCuZhOJ0Oc+OWcbI3FmyM3JTAb/2Wz/51 PahvVtJ4mmm4gre4jbB6XMzqVvocX3zZoZj2HgD2vq4XPsinNZS39waKuGU+J0GcDA69 pWtNnKmjDRI/05f4X3Z7+5q38K0XcfBhaxaZ3KyS5fvcUudvZp+ZdQhfnrVYSgDcPfkl evKQ==
X-Received: by 10.66.85.103 with SMTP id g7mr61613392paz.45.1360050141134; Mon, 04 Feb 2013 23:42:21 -0800 (PST)
Received: from ?IPv6:2601:9:5800:33:19c1:68d9:cdbc:9b13? ([2601:9:5800:33:19c1:68d9:cdbc:9b13]) by mx.google.com with ESMTPS id f9sm27299271paz.12.2013.02.04.23.42.19 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 04 Feb 2013 23:42:20 -0800 (PST)
Sender: Dale Olds <olds@rbcon.com>
Message-ID: <5110B7D9.1000001@vmware.com>
Date: Mon, 04 Feb 2013 23:42:17 -0800
From: Dale Olds <olds@vmware.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: oauth@ietf.org
References: <4E1F6AAD24975D4BA5B1680429673943674111BE@TK5EX14MBXC284.redmond.corp.microsoft.com> <B33BFB58CCC8BE4998958016839DE27E068866BF@IMCMBX01.MITRE.ORG>
In-Reply-To: <B33BFB58CCC8BE4998958016839DE27E068866BF@IMCMBX01.MITRE.ORG>
Content-Type: multipart/alternative; boundary="------------070200080302040601020608"
X-Gm-Message-State: ALoCoQkCf51RV7sMKYmgg84fvKgJVKSXp0NELqD/Z8yI3OqzPyMTxDkKNvvIHVo4P5XTkBF4bTP2
Subject: Re: [OAUTH-WG] Should registration request be form-urlencoded or JSON?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2013 07:42:25 -0000

Rather surprised (and pleased) to see a reference to the UAA here, but I 
would like to make a quick clarification.

Justin, I think we concluded that what the UAA is doing is static client 
registration via SCIM extensions, not dynamic client registrations. The 
UAA has been serving OAuth2 and SCIM requests in the cloudfoundry.com 
PaaS for over a year now -- there was no client registration standard at 
that time, and SCIM provides what we need.

I agree with your point that we should not invent unnecessary standards, 
and SCIM is working quite well for us in combination with OAuth2 for 
static client registrations. That said, I expect we will have a future 
need for dynamic client registrations and that there may be some 
significant differences.

And my preference would also be json in and json out.

--Dale

On 02/04/2013 01:35 PM, Richer, Justin P. wrote:
> Additionally:
>
> This begs the question, why not just do SCIM here? CloudFoundry's UAA 
> has a SCIM class for OAuth clients that they use for dynamic 
> registration today.
>
>  -- Justin
>
>
> On Feb 4, 2013, at 4:25 PM, Mike Jones <Michael.Jones@microsoft.com 
> <mailto:Michael.Jones@microsoft.com>>
>  wrote:
>
>> Now that we're returning the registration state as JSON, it's pretty 
>> inconsistent for the registration request to instead be 
>> form-url-encoded. The case can be made for switching to JSON now - 
>> especially in light of possibly wanting to convey some structured 
>> information at registration time.
>> I realize that this is a big change, but if we're going to do it, we 
>> should do it now.
>> As a precedent, apparently SCIM requests are JSON, rather than 
>> form-url-encoded.
>> -- Mike
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email