Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 28 April 2010 19:04 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4EF5E3A6C33 for <oauth@core3.amsl.com>; Wed, 28 Apr 2010 12:04:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.648
X-Spam-Level:
X-Spam-Status: No, score=-0.648 tagged_above=-999 required=5 tests=[AWL=-0.999, BAYES_50=0.001, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FvUmjOVFTXVB for <oauth@core3.amsl.com>; Wed, 28 Apr 2010 12:04:15 -0700 (PDT)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.18.13]) by core3.amsl.com (Postfix) with ESMTP id 90E2F3A6BBE for <oauth@ietf.org>; Wed, 28 Apr 2010 12:04:10 -0700 (PDT)
Received: from p4fff1f2f.dip.t-dialin.net ([79.255.31.47] helo=[127.0.0.1]) by smtprelay01.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1O7CY8-0007gk-8z for oauth@ietf.org; Wed, 28 Apr 2010 21:03:56 +0200
Message-ID: <4BD8869A.2080403@lodderstedt.net>
Date: Wed, 28 Apr 2010 21:03:54 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: oauth@ietf.org
References: <9890332F-E759-4E63-96FE-DB3071194D84@gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E30A379B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <20100419134825.134951nuzvi35hk4@webmail.df.eu> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F45E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4BD2A172.2070401@lodderstedt.net>
In-Reply-To: <4BD2A172.2070401@lodderstedt.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: 141509
Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Apr 2010 19:04:16 -0000
no one interested any longer in this topic? I would like to prepare a proposal, but I need some feedback. regards, Torsten. Am 24.04.2010 09:44, schrieb Torsten Lodderstedt: > Am 20.04.2010 17:10, schrieb Eran Hammer-Lahav: >> There seems to be support for this idea with some concerns about >> complexity. Someone needs to propose text for this including defining >> the request parameter and schema of the various reply formats. >> > > I would like to prepare some text. Beforehand, I would like to discuss > some ideas in order to come to a rough consensous. > > Basically, I would suggest to only consider cases where the > implementation platform does not directly support URI query parameter > decoding. From my point of view, this are all HTTP responses a client > will need to process. All request parameters, e.g. redirect back to > the web server in the web server flow, will still be delivered as > "application/x-www-form-urlencoded" only, since the web container > automatically prepares this parameters for easy access in the web > application. > > I have compiled a list of candidates: > > 3.5.1. User-Agent Flow > 3.5.1.1. Client Requests Authorization > > fragement of the redirect URL. Change this to base64 encoded XML/JSON, > desired format as request parameter > > 3.5.2. Web Server Flow > 3.5.2.2. Client Requests Access Token > > response formats: application/x-www-form-urlencoded, application/xml, > or application/json > desired format as request parameter > response mime type indicates response format > > 3.5.3. Device Flow > 3.5.3.1. Client Requests Authorization > > proposal see 3.5.2.2. Client Requests Access Token > > 3.5.3.2. Client Requests Access Token > > proposal see 3.5.2.2. Client Requests Access Token > > 3.6.1. Username and Password Flow > 3.6.1.1. Client Requests Access Token > > proposal see 3.5.2.2. Client Requests Access Token > > 3.7.1. Client Credentials Flow > 3.7.1.1. Client Requests Access Token > > proposal see 3.5.2.2. Client Requests Access Token > > 3.7.2. Assertion Flow > 3.7.2.1. Client Requests Access Token > > proposal see 3.5.2.2. Client Requests Access Token > > 4. Refreshing an Access Token > > proposal see 3.5.2.2. Client Requests Access Token > > Any comments? > > regards, > Torsten. >> EHL >> >>> -----Original Message----- >>> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net] >>> Sent: Monday, April 19, 2010 4:48 AM >>> To: Eran Hammer-Lahav >>> Cc: Dick Hardt; OAuth WG >>> Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON >>> >>> >>>> We can also offer both and define a client request parameter (as long >>>> as the server is required to make at least one format available). >>> +1 on this >>> >>> regards, >>> Torsten. >>> >>>> EHL >>>> >>>>> -----Original Message----- >>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On >>>>> Behalf Of Dick Hardt >>>>> Sent: Sunday, April 18, 2010 9:30 PM >>>>> To: OAuth WG >>>>> Subject: [OAUTH-WG] application/x-www-form-urlencoded vs JSON >>>>> >>>>> The AS token endpoint response is encoded as application/x-www-form- >>>>> urlencoded >>>>> >>>>> While this reuses a well known and understood encoding standard, it >>>>> is uncommon for a client to receive a message encoded like this. Most >>>>> server responses are encoded as XML or JSON. Libraries are NOT >>>>> reedily available to parse application/x-www-form-urlencoded results >>>>> as this is something that is typically done in the web servers >>>>> framework. While parsing the name value pairs and URL un-encoding >>>>> them is not hard, many developers have been caught just splitting the >>> parameters and forgetting to URL decode the token. >>>>> Since the token is opaque and may contain characters that are >>>>> escaped, it is a difficult bug to detect. >>>>> >>>>> Potential options: >>>>> >>>>> 1) Do nothing, developers should read the specs and do the right >>>>> thing. >>>>> >>>>> 2) Require that all parameters are URL safe so that there is no >>>>> encoding issue. >>>>> >>>>> 3) Return results as JSON, and recommend that parameters be URL safe. >>>>> >>>>> -- Dick >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >>> > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] application/x-www-form-urlencoded vs J… Dick Hardt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Richard Barnes
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Joseph Smarr
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Joseph Smarr
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Paul C. Bryan
- Re: [OAUTH-WG] application/x-www-form-urlencoded … David Recordon
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Joseph Smarr
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Manger, James H
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Gaurav Rastogi
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Joseph Smarr
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Robert Sayre
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Yaron Goland
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Brian Eaton
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Manger, James H
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Yaron Goland
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Allen Tom
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Dick Hardt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Dick Hardt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Dick Hardt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Dick Hardt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Robert Sayre
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … David Recordon
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Robert Sayre
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Evan Gilbert
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Robert Sayre
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Evan Gilbert
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Evan Gilbert
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Evan Gilbert
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Evan Gilbert
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … DeWitt Clinton
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Pid
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Joseph Smarr
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Greg Brail
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Luke Shepard
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Pid
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Paul C. Bryan
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Paul C. Bryan
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Simone Gianni
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Pid
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Yaron Goland
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Robert Sayre
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Greg Brail
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Brian Eaton