IETF Logo Mail Archive

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

Dick Hardt <dick.hardt@gmail.com> Mon, 10 May 2010 00:17 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 607593A6ABA for <oauth@core3.amsl.com>; Sun, 9 May 2010 17:17:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fgu9G6GLIgCi for <oauth@core3.amsl.com>; Sun, 9 May 2010 17:17:37 -0700 (PDT)
Received: from mail-pv0-f172.google.com (mail-pv0-f172.google.com [74.125.83.172]) by core3.amsl.com (Postfix) with ESMTP id 51BA73A6A7A for <oauth@ietf.org>; Sun, 9 May 2010 17:17:36 -0700 (PDT)
Received: by pvc21 with SMTP id 21so38447pvc.31 for <oauth@ietf.org>; Sun, 09 May 2010 17:17:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:mime-version :content-type:from:in-reply-to:date:cc:content-transfer-encoding :message-id:references:to:x-mailer; bh=9/ZTWbjoZCNGvwmA4m1iCODc1OkinP3g5dTVAwqZioE=; b=U4prJgL33FRB1DnCoMyVa6frpIGavVfkNPSFHI8c1nVeXWSl0icmgtfVr4Kd4B+isJ CsyxDEhIbZgbtyigj06xlZ812WpufVwhxs7j60VubJ+rFzv71qfa+/bW8HVkIJIMODq8 8WyWrmV+oho02AkZHsde+1EyI1BpqHPQbx2mA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; b=k+xMxo1hN+Gc40cy6/Se9eeNbRCDWV9jZLoCeCT95oZ5QzlHaEALOmYP2z/GSARItP Xxpn1oUeNKzdaQVTE8D991qE5fteBrpXjCqr7zQMboCQ2tUVaJuTm1MlD8eH9hSfSy8A JxQSL1AROOzRX+FDZHy+9Ytr5PoUauAtBVGug=
Received: by 10.115.38.22 with SMTP id q22mr2494654waj.41.1273450641714; Sun, 09 May 2010 17:17:21 -0700 (PDT)
Received: from [192.168.1.102] (64-46-1-217.dyn.novuscom.net [64.46.1.217]) by mx.google.com with ESMTPS id n32sm22747505wae.10.2010.05.09.17.17.20 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sun, 09 May 2010 17:17:20 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset="us-ascii"
From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E1C@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Sun, 09 May 2010 17:17:20 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <1F6D82E6-7544-4845-916F-7361165ADA4B@gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E1C@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1078)
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2010 00:17:39 -0000

On 2010-05-09, at 2:06 PM, Eran Hammer-Lahav wrote:

> DEADLINE: 5/13
> 
> I would like to publish one more draft before our interim meeting in two weeks (5/20). Below are two open issues we have on the list. Please reply with your preference (or additional solutions) to each item. Issues with consensus will be incorporated into the next draft. Those without will be discussed at the meeting.
> 
> EHL
> 
> ---
> 
> 1. Server Response Format
> 
> After extensive debate, we have a large group in favor of using JSON as the only response format (current draft). We also have a smaller group but with stronger feelings on the subject that JSON adds complexity with no obvious value.
> 
> A. Form-encoded only (original draft)
> B. JSON only (current draft)
> C. JSON as default with form-encoded and XML available with an optional request parameter

I vote for B

I would argue that form-encoded data adds complexity with no obvious value.

*If* a JSON parser is not available, parsing the JSON that is returned is not that much different from parsing form-encoded data (remember that we are only using a very small subset of JSON)

More and more sites are returning both JSON and XML. Eventually everyone will see the light wrt. JSON ;-)

> 
> ---
> 
> 2. Client Authentication (in flows)
> 
> How should the client authenticate when making token requests? The current draft defines special request parameters for sending client credentials. Some have argued that this is not the correct way, and that the client should be using existing HTTP authentication schemes to accomplish that such as Basic.
> 
> A. Client authenticates by sending its credentials using special parameters (current draft)
> B. Client authenticated by using HTTP Basic (or other schemes supported by the server such as Digest)

C. support both flows in the spec. An AS can decide what it wants to support. I would like to retain A as it may be challenging for some clients to use HTTP Basic, and easier for an AS to be always parsing parameters for each flow. I can see the advantages for some in using HTTP Basic.

-- Dick

v2.23.0 | Report a Bug | By Email