Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
Justin Richer <jricher@mitre.org> Fri, 15 June 2012 18:53 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC46711E80BE for <oauth@ietfa.amsl.com>; Fri, 15 Jun 2012 11:53:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.398
X-Spam-Level:
X-Spam-Status: No, score=-6.398 tagged_above=-999 required=5 tests=[AWL=0.200, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BxChu4dUxXvb for <oauth@ietfa.amsl.com>; Fri, 15 Jun 2012 11:53:31 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id BF06311E809F for <oauth@ietf.org>; Fri, 15 Jun 2012 11:53:30 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 4102B21B1B19; Fri, 15 Jun 2012 14:53:30 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 30C5F21B15C8; Fri, 15 Jun 2012 14:53:30 -0400 (EDT)
Received: from [129.83.50.12] (129.83.31.51) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.283.3; Fri, 15 Jun 2012 14:53:30 -0400
Message-ID: <4FDB8499.2050808@mitre.org>
Date: Fri, 15 Jun 2012 14:53:13 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>
References: <9dbeab60-8fe4-4828-9c52-d7af95378f4c@email.android.com> <0ec59f35-4a66-4719-adf3-114dab0d1d48@email.android.com> <40240328-0247-4278-BB7B-BE89AE130076@ve7jtb.com> <a55ad34e52e0f9755e548106d27c4b8c@treenet.co.nz> <4FDB593B.4080508@aol.com>, <4E1F6AAD24975D4BA5B16804296739436654ABB1@TK5EX14MBXC283.redmond.corp.microsoft.com> <DDC84727-1B5F-48AD-AC3F-DB9700838955@hueniverse.com> <4E1F6AAD24975D4BA5B16804296739436654B001@TK5EX14MBXC283.redmond.corp.microsoft.com> <MLQM-20120615143106586-5342@mlite.mitre.org>
In-Reply-To: <MLQM-20120615143106586-5342@mlite.mitre.org>
Content-Type: multipart/alternative; boundary="------------020904090308020202020900"
X-Originating-IP: [129.83.31.51]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: Discussion needed on username and password ABNF definitions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jun 2012 18:53:34 -0000
So it's been pointed out to me that percent encoding like this would break any clients that already have % in their client_id who are using the Basic auth. My question to the group is: how many of these are out there, really? Do we really have to worry about them? Right now, those are just hyptothetical, whereas clients with a : are real. Considering there already are (at the moment, technically noncompliant) clients using : who aren't using basic that we're definitely trying to support (otherwise this issue wouldn't be coming up), I would argue in favor of the known-existence side as opposed to the potential-existence side. Which is to say, use percent encoding (which is established and referenceable from another spec) and call it a day. What *really* bothers me about the strawman proposal is that it's making up a new, arbitrary encoding mechanism for one corner case. This is such a tiny and oddly specific-to-OAuth2 thing that my gut instinct tells me this is going to be either: 1) ignored 2) implemented wrong 3) coupled with some other encoding mechanism for people who want to do other things like internationalization -- Justin On 06/15/2012 02:15 PM, Justin Richer wrote: > Why not percent encoding for just colon and percent? > > -- Justin > > On 06/15/2012 01:30 PM, Mike Jones wrote: >> >> I was asked a question off-list, which I think is worth answering >> on-line. The question was: Why the Tab character, rather than >> %-encoding? >> >> Introducing % encoding would break all existing OAuth 2.0 deployments >> using HTTP Basic. A non-starter... >> >> Tab is legal in HTTP Basic but not in URLs or presently client_ids. >> It's also a character that can be visibly rendered in an acceptable >> manner for debugging. The other choices were CR and LF, which are >> also legal in HTTP Basic but wouldn't render very nicely. ;-) >> >> Cheers, >> >> -- Mike >> >> *From:*Mike Jones >> *Sent:* Friday, June 15, 2012 9:30 AM >> *To:* 'Eran Hammer' >> *Cc:* George Fletcher; oauth@ietf.org >> *Subject:* RE: [OAUTH-WG] Dynamic clients, URI, and stuff Re: >> Discussion needed on username and password ABNF definitions >> >> I agree with Eran that I prefer that this not be underspecified and >> that an encoding for just colon for just Basic will suffice. >> >> I'd suggested the encoding s/:/<tab>/g as a strawman. Are there any >> other encoding proposals? >> >> -- Mike >> >> *From:*Eran Hammer [mailto:eran@hueniverse.com] >> <mailto:[mailto:eran@hueniverse.com]> >> *Sent:* Friday, June 15, 2012 9:26 AM >> *To:* Mike Jones >> *Cc:* George Fletcher; oauth@ietf.org <mailto:oauth@ietf.org> >> *Subject:* Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: >> Discussion needed on username and password ABNF definitions >> >> We should not leave this under specified. Picking an encoding for >> just Basic and just colon is simple enough. >> >> EH >> >> On Jun 15, 2012, at 19:17, "Mike Jones" <Michael.Jones@microsoft.com >> <mailto:Michael.Jones@microsoft.com>> wrote: >> >> Based on use cases I'm seeing, believe it's important to allow >> the use of URIs as client_id values (which means allowing ":" in >> the client_id string). I'm OK with us either specifying a >> specific encoding when using them in Basic or simply saying that >> "When client_ids are used with HTTP Basic that contain characters >> such as ":" not allowed in HTTP Basic usernames, then the >> participants will need to agree upon a method of encoding the >> client_id for use with HTTP Basic. >> >> -- Mike >> >> *From:*oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org> >> [mailto:oauth-bounces@ietf.org] >> <mailto:[mailto:oauth-bounces@ietf.org]> *On Behalf Of *George >> Fletcher >> *Sent:* Friday, June 15, 2012 8:48 AM >> *To:* oauth@ietf.org <mailto:oauth@ietf.org> >> *Subject:* Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re: >> Discussion needed on username and password ABNF definitions >> >> +1 for a simple encoding and allowing ':' in the client_id >> >> On 6/13/12 6:53 PM, Amos Jeffries wrote: >> >> On 14.06.2012 06:40, John Bradley wrote: >> >> That would probably work as well. That is why I am not particularly >> concerned about excluding the : >> >> We originally used the URI itself, mostly for convenience of >> debugging, but there are other potential options. >> >> The authorization server needs to compare the client_id and the >> redirect uri. But it could compare the hash with not much more work. >> Also a sha256 hash is probably longer than the uri it is hashing. >> >> I am not super concerned with being able to have : in the client_id >> >> John B. >> >> >> >> If I'm following all these threads correctly the only explicit >> problem with URI in client_id is HTTP username field being : >> terminated. >> As such it does not have to be a hash per-se, just an encoding >> that removes ":" and other reserved characters from the on-wire >> form *when sent via HTTP*. >> >> AYJ >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Torsten Lodderstedt
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… John Bradley
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… William Mills
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Torsten Lodderstedt
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… John Bradley
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Amos Jeffries
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Jianhua Shao
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… William Mills
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Eran Hammer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Torsten Lodderstedt
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Justin Richer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… George Fletcher
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Brian Campbell
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Eran Hammer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… William Mills
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Justin Richer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Justin Richer
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Mike Jones
- Re: [OAUTH-WG] Dynamic clients, URI, and stuff Re… Justin Richer