Re: [OAUTH-WG] access_token and UUID

Justin Richer <jricher@mit.edu> Thu, 27 November 2014 04:22 UTC

Date: Wed, 26 Nov 2014 23:21:40 -0500
Message-ID: <kbj7ihyihwcx8m7779p5j53e.1417062100081@email.android.com>
From: Justin Richer <jricher@mit.edu>
To: HAMANO Tsukasa <hamano@osstech.co.jp>, oauth@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/k19Jr3Tps5tBN3z-GAlAl4Gk2FE
Subject: Re: [OAUTH-WG] access_token and UUID

Yes, they are very compatible. For OAuth's purposes, the uuid is a case sensitive opaque string, so the fact that it could have a looser interpretation with the same semantics is irrelevant. The stricter interpretation rules the day, and importantly the client won't try to do anything special with the value. 


-- Justin

/ Sent from my phone /


-------- Original message --------
From: HAMANO Tsukasa <hamano@osstech.co.jp>
Date: 11/26/2014 10:06 PM (GMT-05:00)
To: oauth@ietf.org
Cc:
Subject: [OAUTH-WG] access_token and UUID

Hi,

I have a question about access_token generation.
Would it be possible to use an access_token that is generated as a UUID?
It seems reasonable, since UUID is regarded as a safe ID generation
algorithm. And in fact such OAuth 2.0 implementations exist.
But there is a discrepancy between the OAuth 2.0 spec and the UUID spec around
letter case.

RFC 6749 says:
> Unless otherwise noted, all the protocol parameter names and values
> are case sensitive.

> access_token
> REQUIRED.  The access token issued by the authorization server.

RFC 4122 says:
> The hexadecimal values "a" through "f" are output as lower case
> characters and are case insensitive on input.

I mean, access_token should be treated as case sensitive but UUID
should be treated as case insensitive.
What are your thoughts on that?

Thank you.

-- 
Open Source Solution Technology Corporation
HAMANO Tsukasa <hamano@osstech.co.jp>
fingerprint = 2285 2111 6D34 3816 3C2E  A5B9 16BE D101 6069 BE55

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
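The discrepancy discussed in this thread, as an added example that is not part of either message: a constructed in-memory token store that mints random (version 4) UUID access tokens and looks them up two ways, as an opaque case-sensitive string (the RFC 6749 treatment Justin describes) and by parsing the presented value as a UUID (the RFC 4122 treatment, which accepts case and format variants). `TokenStore`, `lookup_opaque`, `lookup_as_uuid` and `equivalent_spellings` are names chosen here for illustration.

```python
import uuid


class TokenStore:
    """Constructed in-memory store: token string -> subject it was issued to."""

    def __init__(self):
        self._tokens = {}

    def issue(self, subject):
        # Version 4 UUIDs carry 122 random bits; version 1 (timestamp + node)
        # UUIDs are guessable and must not be used as bearer tokens.
        token = str(uuid.uuid4())  # RFC 4122 canonical form: lower-case hex
        self._tokens[token] = subject
        return token

    def lookup_opaque(self, presented):
        # RFC 6749 treatment: the token is an opaque, case-sensitive string,
        # so only the exact string that was issued is accepted.
        return self._tokens.get(presented)

    def lookup_as_uuid(self, presented):
        # RFC 4122 treatment: parsing accepts upper-case hex and several
        # surface forms, so every equivalent spelling resolves to the token.
        try:
            canonical = str(uuid.UUID(presented))
        except ValueError:
            return None
        return self._tokens.get(canonical)


def equivalent_spellings(token):
    """Strings that RFC 4122 parsing maps to the same UUID as `token`."""
    return [
        token.upper(),
        token.replace("-", ""),
        "{" + token + "}",
        "urn:uuid:" + token,
    ]


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("alice")
    for form in equivalent_spellings(tok):
        print(form, "opaque:", store.lookup_opaque(form),
              "uuid-parse:", store.lookup_as_uuid(form))
```

A server that parses presented tokens as UUIDs therefore accepts four spellings the client never received, while the opaque comparison accepts exactly one.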