Re: [OAUTH-WG] temperature check: json input to token endpoint

Justin Richer <jricher@mitre.org> Mon, 12 July 2010 12:48 UTC

From: Justin Richer <jricher@mitre.org>
To: Brian Eaton <beaton@google.com>
In-Reply-To: <AANLkTikrrr3n0V44XTr0ArQlDXmeSUEvq8YCsMf89bp6@mail.gmail.com>
References: <AANLkTikrrr3n0V44XTr0ArQlDXmeSUEvq8YCsMf89bp6@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Date: Mon, 12 Jul 2010 08:48:27 -0400
Message-ID: <1278938907.2445.107.camel@localhost.localdomain>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] temperature check: json input to token endpoint

I'd like to keep form-encoded inputs. I think it makes sense to use a
well-established key-value mechanism, and the asymmetry at play here is
what the web is made of (post a form, get HTML/XML/JSON/whatever).

Along those lines, I'd actually like to relax the restriction of using
"POST" and allow for query arguments on the token endpoint as well. Long
ago it was argued that the POST requirement was to keep query parameters
from leaking into server logs. That's a fine implementation-specific
security optimization, but I don't think it belongs mandated in the
spec. As a practical matter, I know that for most of my implementations
(on small single servers), anyone who's got access to the web server
logs has access to the tokens in the database.

Were there other reasons for mandating POST here that I'm forgetting?

 -- Justin

On Sun, 2010-07-11 at 00:31 -0400, Brian Eaton wrote:
> Hey folks -
> 
> Today, the token endpoint takes form-encoded inputs, and sends JSON
> outputs.  This requires developers to use both form encoding and a
> json parser.
> 
> Many services expose symmetric APIs for non-browser endpoints.  For
> example, an API call normally takes JSON input and returns JSON
> output.
> 
> What do people think about having the token endpoint accept and return JSON?
> 
> Cheers,
> Brian
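
The log leak Justin refers to is easy to see concretely. The following is an added example, not code from the thread or from any OAuth implementation: it renders the request line a web server writes to its access log for a GET-with-query-string token request versus a POST-with-form-body one, scans log lines for credential parameters, and gates the endpoint the way the draft (and RFC 6749, which it became) requires: POST with form-encoded parameters, no parameter sent twice. The parameter values, the log format line and the function names are constructed for illustration.

```python
"""Added example, not from the thread: what reaches a web server's access
log when OAuth token-request parameters travel in the query string versus
in a form-encoded POST body, plus the server-side checks that follow.
All request values and the log format below are constructed for
illustration; the function names are this example's own."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Parameter names a token endpoint receives that must never reach a log.
SENSITIVE = {"client_secret", "code", "refresh_token", "password", "access_token"}

# Constructed authorization-code token request (values are placeholders).
SAMPLE = {
    "grant_type": "authorization_code",
    "code": "example-code",
    "client_id": "example-client",
    "client_secret": "example-secret",
}


def common_log_line(method, target, status=200, size=123):
    """Render a Common Log Format line as Apache/nginx do by default.
    The logged request line is method, target (path *and* query) and
    version; the request body is never part of it."""
    return (f'127.0.0.1 - - [12/Jul/2010:08:48:27 -0400] '
            f'"{method} {target} HTTP/1.1" {status} {size}')


def token_request_get(params):
    """Token request with parameters in the query string (what relaxing
    the POST rule would permit). Returns (log line, body)."""
    return common_log_line("GET", "/token?" + urlencode(params)), ""


def token_request_post(params):
    """Token request with form-encoded parameters in the body, as the
    draft (and later RFC 6749) requires. Returns (log line, body)."""
    return common_log_line("POST", "/token"), urlencode(params)


def leaked_params(log_line):
    """Names of sensitive parameters visible in a log line's request
    target; an empty list means the line carries no credentials."""
    request_line = log_line.split('"')[1]          # 'GET /token?... HTTP/1.1'
    target = request_line.split(" ")[1]
    present = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return sorted(SENSITIVE & set(present))


def parse_token_request(body):
    """Parse a form-encoded token request body. RFC 6749 forbids sending a
    parameter more than once, so duplicates are an error, not a merge."""
    parsed = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    duplicates = sorted(k for k, v in parsed.items() if len(v) > 1)
    if duplicates:
        raise ValueError(f"duplicate parameters: {duplicates}")
    return {k: v[0] for k, v in parsed.items()}


def accept_token_request(method, content_type, body):
    """Server-side gate for the token endpoint as specified: POST with an
    application/x-www-form-urlencoded body, nothing else."""
    if method != "POST":
        raise ValueError("token endpoint requires POST")
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/x-www-form-urlencoded":
        raise ValueError("token endpoint requires a form-encoded body")
    return parse_token_request(body)


if __name__ == "__main__":
    for line, _ in (token_request_get(SAMPLE), token_request_post(SAMPLE)):
        print(line)
        print("  leaked:", leaked_params(line) or "nothing")
```

Run stand-alone, the GET line shows `code` and `client_secret` in the logged request target while the POST line shows nothing. The caveat: POST keeps the credentials out of the default request-line log, browser history and the Referer header, but not out of a proxy or application that logs request bodies, so the check above covers the default access log and nothing more.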