IETF Logo Mail Archive

Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON

Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 28 April 2010 19:04 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4EF5E3A6C33 for <oauth@core3.amsl.com>; Wed, 28 Apr 2010 12:04:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.648
X-Spam-Level:
X-Spam-Status: No, score=-0.648 tagged_above=-999 required=5 tests=[AWL=-0.999, BAYES_50=0.001, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FvUmjOVFTXVB for <oauth@core3.amsl.com>; Wed, 28 Apr 2010 12:04:15 -0700 (PDT)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.18.13]) by core3.amsl.com (Postfix) with ESMTP id 90E2F3A6BBE for <oauth@ietf.org>; Wed, 28 Apr 2010 12:04:10 -0700 (PDT)
Received: from p4fff1f2f.dip.t-dialin.net ([79.255.31.47] helo=[127.0.0.1]) by smtprelay01.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1O7CY8-0007gk-8z for oauth@ietf.org; Wed, 28 Apr 2010 21:03:56 +0200
Message-ID: <4BD8869A.2080403@lodderstedt.net>
Date: Wed, 28 Apr 2010 21:03:54 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: oauth@ietf.org
References: <9890332F-E759-4E63-96FE-DB3071194D84@gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E30A379B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <20100419134825.134951nuzvi35hk4@webmail.df.eu> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F45E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4BD2A172.2070401@lodderstedt.net>
In-Reply-To: <4BD2A172.2070401@lodderstedt.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: 141509
Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Apr 2010 19:04:16 -0000

no one interested any longer in this topic? I would like to prepare a 
proposal, but I need some feedback.

regards,
Torsten.

Am 24.04.2010 09:44, schrieb Torsten Lodderstedt:
> Am 20.04.2010 17:10, schrieb Eran Hammer-Lahav:
>> There seems to be support for this idea with some concerns about 
>> complexity. Someone needs to propose text for this including defining 
>> the request parameter and schema of the various reply formats.
>>
>
> I would like to prepare some text. Beforehand, I would like to discuss 
> some ideas in order to come to a rough consensous.
>
> Basically, I would suggest to only consider cases where the 
> implementation platform does not directly support URI query parameter 
> decoding. From my point of view, this are all HTTP responses a client 
> will need to process. All request parameters, e.g. redirect back to 
> the web server in the web server flow, will still be delivered as 
> "application/x-www-form-urlencoded" only, since the web container 
> automatically prepares this parameters for easy access in the web 
> application.
>
> I have compiled a list of candidates:
>
> 3.5.1.  User-Agent Flow
> 3.5.1.1.  Client Requests Authorization
>
> fragement of the redirect URL. Change this to base64 encoded XML/JSON, 
> desired format as request parameter
>
> 3.5.2.  Web Server Flow
> 3.5.2.2.  Client Requests Access Token
>
> response formats: application/x-www-form-urlencoded, application/xml, 
> or application/json
> desired format as request parameter
> response mime type indicates response format
>
> 3.5.3.  Device Flow
> 3.5.3.1.  Client Requests Authorization
>
> proposal see 3.5.2.2.  Client Requests Access Token
>
> 3.5.3.2.  Client Requests Access Token
>
> proposal see 3.5.2.2.  Client Requests Access Token
>
> 3.6.1.  Username and Password Flow
> 3.6.1.1.  Client Requests Access Token
>
> proposal see 3.5.2.2.  Client Requests Access Token
>
> 3.7.1.  Client Credentials Flow
> 3.7.1.1.  Client Requests Access Token
>
> proposal see 3.5.2.2.  Client Requests Access Token
>
> 3.7.2.  Assertion Flow
> 3.7.2.1.  Client Requests Access Token
>
> proposal see 3.5.2.2.  Client Requests Access Token
>
> 4.  Refreshing an Access Token
>
> proposal see 3.5.2.2.  Client Requests Access Token
>
> Any comments?
>
> regards,
> Torsten.
>> EHL
>>
>>> -----Original Message-----
>>> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
>>> Sent: Monday, April 19, 2010 4:48 AM
>>> To: Eran Hammer-Lahav
>>> Cc: Dick Hardt; OAuth WG
>>> Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
>>>
>>>
>>>> We can also offer both and define a client request parameter (as long
>>>> as the server is required to make at least one format available).
>>> +1 on this
>>>
>>> regards,
>>> Torsten.
>>>
>>>> EHL
>>>>
>>>>> -----Original Message-----
>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>>>> Behalf Of Dick Hardt
>>>>> Sent: Sunday, April 18, 2010 9:30 PM
>>>>> To: OAuth WG
>>>>> Subject: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
>>>>>
>>>>> The AS token endpoint response is encoded as application/x-www-form-
>>>>> urlencoded
>>>>>
>>>>> While this reuses a well known and understood encoding standard, it
>>>>> is uncommon for a client to receive a message encoded like this. Most
>>>>> server responses are encoded as XML or JSON. Libraries are NOT
>>>>> reedily available to parse application/x-www-form-urlencoded results
>>>>> as this is something that is typically done in the web servers
>>>>> framework. While parsing the name value pairs and URL un-encoding
>>>>> them is not hard, many developers have been caught just splitting the
>>> parameters and forgetting to URL decode the token.
>>>>> Since the token is opaque and may contain characters that are
>>>>> escaped, it is a difficult bug to detect.
>>>>>
>>>>> Potential options:
>>>>>
>>>>> 1) Do nothing, developers should read the specs and do the right 
>>>>> thing.
>>>>>
>>>>> 2) Require that all parameters are URL safe so that there is no
>>>>> encoding issue.
>>>>>
>>>>> 3) Return results as JSON, and recommend that parameters be URL safe.
>>>>>
>>>>> -- Dick
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>
>>>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email