IETF Logo Mail Archive

Re: [OAUTH-WG] question about the b64token syntax in draft-ietf-oauth-v2-bearer

Paul Madsen <paul.madsen@gmail.com> Tue, 06 March 2012 16:30 UTC

Return-Path: <paul.madsen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CD8821F87A0 for <oauth@ietfa.amsl.com>; Tue, 6 Mar 2012 08:30:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VZxkiiwXiigp for <oauth@ietfa.amsl.com>; Tue, 6 Mar 2012 08:30:05 -0800 (PST)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 11E4021F86C4 for <oauth@ietf.org>; Tue, 6 Mar 2012 08:29:54 -0800 (PST)
Received: by ghbg16 with SMTP id g16so2612572ghb.31 for <oauth@ietf.org>; Tue, 06 Mar 2012 08:29:53 -0800 (PST)
Received-SPF: pass (google.com: domain of paul.madsen@gmail.com designates 10.236.173.202 as permitted sender) client-ip=10.236.173.202;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of paul.madsen@gmail.com designates 10.236.173.202 as permitted sender) smtp.mail=paul.madsen@gmail.com; dkim=pass header.i=paul.madsen@gmail.com
Received: from mr.google.com ([10.236.173.202]) by 10.236.173.202 with SMTP id v50mr35008266yhl.102.1331051393686 (num_hops = 1); Tue, 06 Mar 2012 08:29:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=PVzxAZy0tpeIBOr2f+sP9K+wGq3eAT73h9T/UF8h0C8=; b=cL9+PoBLar0520iv7oslX1S/9fTILxgm0SgoWi1k17bluvJCjgJXE/k5URd88OPQbG kshb1bGnpq61ycJG6//Chc/u27OjaVJiR7/N/q4p8MAcw4ods93zDqut3wcigRx/AJIs qdTuFgipjdCAbdhoGZX7+5Uk3793QRjI9wsfNYMzsJlhHxNyEcQpU1v+XmifEWqN6zYM 5B00sgrZr3OtvNT/A1/qt9QMF7rCn8/bdOknOZlqf0pYvF01zMIWGB4obTuc6wMaozdr zJrnDuxgHti6D0x4cJ73yQhFIn1Mul1UOscd5DPJ+lnKE38HrXINHJKm+j024oGsY5tR UfxQ==
Received: by 10.236.173.202 with SMTP id v50mr27705704yhl.102.1331051393608; Tue, 06 Mar 2012 08:29:53 -0800 (PST)
Received: from pmadsen-mbp.local (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com. [72.136.162.33]) by mx.google.com with ESMTPS id i7sm12625659ani.17.2012.03.06.08.29.41 (version=SSLv3 cipher=OTHER); Tue, 06 Mar 2012 08:29:42 -0800 (PST)
Message-ID: <4F563B74.6000301@gmail.com>
Date: Tue, 06 Mar 2012 11:29:40 -0500
From: Paul Madsen <paul.madsen@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: Brian Campbell <bcampbell@pingidentity.com>
References: <CA+k3eCTTsqJZ7XzjA1qgxEJcyU0uio5EN2=yvs+h6ja1JEymiQ@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E114EDF66EE8@WSMSG3153V.srv.dir.telstra.com> <4E1F6AAD24975D4BA5B1680429673943663DB078@TK5EX14MBXC283.redmond.corp.microsoft.com> <CA+k3eCS71Lhfffu-D_mZ=emk_rR7FASdSjpu+j1KnJWytSEXLw@mail.gmail.com>
In-Reply-To: <CA+k3eCS71Lhfffu-D_mZ=emk_rR7FASdSjpu+j1KnJWytSEXLw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------030402000801010707030308"
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] question about the b64token syntax in draft-ietf-oauth-v2-bearer
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2012 16:30:06 -0000

as one of the unnamed 'confused colleagues', I'd welcome clarification

paul

On 3/6/12 11:23 AM, Brian Campbell wrote:
> Thanks Mike, I think changing the example would be helpful.
>
> However I think that including some text along the lines of what James
> suggested would also be very valuable. I agree that the connection
> between OAuth and Bearer could and should be made more explicit. And
> that the implications of the b64token syntax, particularly on what AS
> can use to construct ATs, could/should be made more clear.
>
> I can propose some specific text (building on James') if others in the WG agree?
>
>
> On Mon, Mar 5, 2012 at 5:32 PM, Mike Jones<Michael.Jones@microsoft.com>  wrote:
>> I'm fine with changing the example to make it clearer that b64token allows a wider range of characters than just those legal for base64 and base64url encodings of data values.
>>
>> I'll add it to my to-do list for any additional edits for the Bearer spec.
>>
>>                                 -- Mike
>>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Manger, James H
>> Sent: Monday, March 05, 2012 3:33 PM
>> To: Brian Campbell; oauth
>> Subject: Re: [OAUTH-WG] question about the b64token syntax in draft-ietf-oauth-v2-bearer
>>
>> Brian,
>>
>>> On casual reading of "The OAuth 2.0 Authorization Protocol: Bearer
>>> Tokens"* I've encountered several people (including myself) who have
>>> made the assumption that the name b64token implies that some kind of
>>> base64 encoding/decoding on the access token is taking place between
>>> the client and RS.
>>>
>>> Digging a bit deeper in to "HTTP/1.1, part 7: Authentication"**,
>>> however, I see that b64token is just an ABNF syntax definition
>>> allowing for characters typically used in base64, base64url, etc.. So
>>> the b64token doesn't define any encoding or decoding but rather just
>>> defines what characters can be used in the part of the Authorization
>>> header that will contain the access token.
>>>
>>> Do I read this correctly?
>> Yes.
>>
>>> If so, I feel like some additional clarifying text in the Bearer
>>> Tokens draft might help avoid what is (based on my small sample) a
>>> common point of misunderstanding.
>> Changing the example bearer token should be a simple way to avoid some confusion by showing that it does not have to be base64 encoding. How about changing:
>>   Authorization: Bearer vF9dft4qmT
>> to
>>   Authorization: Bearer vF9.dft4.qmT
>>
>> The Bearer spec has lots of (unnecessary) text about OAuth, but doesn't quite manage to be precise about how OAuth and Bearer connect. It could explicitly state that the string value of the "access_token" member of an access token response is the bearer token. The "access_token" string value (after unescaping any JSON-escapes) MUST match the b64token ABNF so it can be used with the Bearer HTTP scheme. Such text could be put in §5.1.1 where the "Bearer" OAuth access token type is defined.
>>
>>
>>> Also, does the use of b64token implicitly limit the allowed characters
>>> that an AS can use to construct a bearer access token?
>> Yes.
>>
>>
>>> * http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-17#section-2.1
>>> **
>>> http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-18#section-2.1
>> --
>> James Manger
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email