Re: [OAUTH-WG] Encoding of Errors in the Base and in the Bearer Spec
Mike Jones <Michael.Jones@microsoft.com> Wed, 09 May 2012 22:42 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11AB911E80EF for <oauth@ietfa.amsl.com>; Wed, 9 May 2012 15:42:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.914
X-Spam-Level:
X-Spam-Status: No, score=-3.914 tagged_above=-999 required=5 tests=[AWL=-0.315, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G6jC1p-glr3n for <oauth@ietfa.amsl.com>; Wed, 9 May 2012 15:42:44 -0700 (PDT)
Received: from am1outboundpool.messaging.microsoft.com (am1ehsobe006.messaging.microsoft.com [213.199.154.209]) by ietfa.amsl.com (Postfix) with ESMTP id 9A0A711E8086 for <oauth@ietf.org>; Wed, 9 May 2012 15:42:43 -0700 (PDT)
Received: from mail89-am1-R.bigfish.com (10.3.201.226) by AM1EHSOBE005.bigfish.com (10.3.204.25) with Microsoft SMTP Server id 14.1.225.23; Wed, 9 May 2012 22:42:42 +0000
Received: from mail89-am1 (localhost [127.0.0.1]) by mail89-am1-R.bigfish.com (Postfix) with ESMTP id CA952C02A8; Wed, 9 May 2012 22:42:42 +0000 (UTC)
X-SpamScore: -38
X-BigFish: VS-38(zz9371I14ffI542M1432Nc1dMzz1202hzz1033IL8275dhz2fh2a8h668h839h944hd25h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC102.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail89-am1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC102.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail89-am1 (localhost.localdomain [127.0.0.1]) by mail89-am1 (MessageSwitch) id 1336603361527608_31411; Wed, 9 May 2012 22:42:41 +0000 (UTC)
Received: from AM1EHSMHS016.bigfish.com (unknown [10.3.201.233]) by mail89-am1.bigfish.com (Postfix) with ESMTP id 7C894340043; Wed, 9 May 2012 22:42:41 +0000 (UTC)
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (131.107.125.8) by AM1EHSMHS016.bigfish.com (10.3.207.154) with Microsoft SMTP Server (TLS) id 14.1.225.23; Wed, 9 May 2012 22:42:40 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.230]) by TK5EX14HUBC102.redmond.corp.microsoft.com ([157.54.7.154]) with mapi id 14.02.0298.005; Wed, 9 May 2012 22:42:25 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Eran Hammer <eran@hueniverse.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org WG" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Encoding of Errors in the Base and in the Bearer Spec
Thread-Index: AQHNLjAPfUna+mufcUmIKpLKwMV+D5bCC2sAgAAA8VCAAAEbMA==
Date: Wed, 09 May 2012 22:42:24 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943664CE3CC@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <7D98C51F-84D8-48AA-B94D-EABE4D0921DB@gmx.net> <0CBAEB56DDB3A140BA8E8C124C04ECA201026B48@P3PWEX2MB008.ex2.secureserver.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.32]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Subject: Re: [OAUTH-WG] Encoding of Errors in the Base and in the Bearer Spec
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 May 2012 22:42:45 -0000
Typo. The first sentence below should have started "There was a DISCUSS on the *bearer* spec"... -----Original Message----- From: Mike Jones Sent: Wednesday, May 09, 2012 3:41 PM To: 'Eran Hammer'; Hannes Tschofenig; oauth@ietf.org WG Subject: RE: [OAUTH-WG] Encoding of Errors in the Base and in the Bearer Spec There was a DISCUSS on the core spec asking us to cite the character set restrictions for scope and error values in the core spec, rather than defining them in the bearer spec. It turns out that I could not do that as the core spec is currently written, because the character set restrictions are not present in the core spec. If they are added to the core spec, I can satisfy the bearer DISCUSS by doing so. If the restrictions are not added, I cannot. This consensus call is part of resolving this DISCUSS, which affects both specs. -- Mike -----Original Message----- From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer Sent: Wednesday, May 09, 2012 3:35 PM To: Hannes Tschofenig; oauth@ietf.org WG Subject: Re: [OAUTH-WG] Encoding of Errors in the Base and in the Bearer Spec I am confused by the process here. The IESG review raised a LONG list of discuss items for the core specification. I was able to successfully address all but three remaining issues: 1. Lack of ABNF - I will do it myself this week since no one else bothered to offer their help. 2. Registry rules - waiting for this to be cleared; have addressed the issue but didn't hear back yet. 3. Comment on not allowing a fragment in redirection and endpoint URIs - waiting for text or item closed. Every other issue for this document has been closed. This WG cannot just go back after WG LC, IETF LC, and IESG review and make changes. This work is done, and any change made at this point must be for the sole purpose of addressing a discuss item. There are no discuss items for *this* document related to errors. They have all been raised in detail, addressed, and closed! As for this survey - While I am still very much opposed to adding the protected resource registry function to the core specification, this new issue clearly demonstrate that this is not simply a matter of adding another error location. The core spec currently provides full guidance and definition for error extensibility. Extending the registry's scope means the need for non-trivial new text that: * explains the process of adding new errors for endpoints not defined by this specification, * finds a common ground for value restrictions beyond what is already listed, * guide authors of future HTTP authentication schemes meant for use with OAuth (e.g. MAC) for their requirements for using the error registry, and * address the very likely scenario of the same error code carrying different meanings in different endpoints, or an extension that adds a location to a code already defined elsewhere - something very likely to happen if you cross the two very different domains (OAuth endpoints, Protected resource endpoints). This requires changing the entire structure of the registry to create separate records for each code/location pair. Any change to the core specification MUST address all these items. This is absolutely NOT a matter of simply adding another location or throwing some extra ABNF. Adding such new text will require another IETF LC and another IESG review - which are completely unjustified based on where the document is in its IESG review process. The point of IESG review is to close issues with minimal changes, not take it as an opportunity to sneak new functionality into the document. And it's not like this WG has not debated these items before, and made consensus calls on them. Not adding the protected resource location to the registry was the result of intense negotiation both on the list and by the design committee. What was the point of asking a few of us to spend hours on the phone debating these issues and reaching a conclusion if it's another popularity contest now. We had FULL consensus by the design committee NOT to add the bearer errors to the core specification, and this recommendation was fully supported by the WG and documented in the issues tracker. These WG surveys are an insult to proper process. EH > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Hannes Tschofenig > Sent: Wednesday, May 09, 2012 3:07 PM > To: oauth@ietf.org WG > Subject: [OAUTH-WG] Encoding of Errors in the Base and in the Bearer > Spec > > Hi all, > > another issue that came up in Sean's IESG review was about the > encoding of the error / error_description / error_uri in the base and > in the bearer specification. > > As mentioned in my earlier mail about the registry for the error codes > there are three error fields defined in the two specification and the > error / error_description / error_uri fields are allowed to appear in > different parts of an HTTP message. > Depending on where they show up different encoding restrictions apply. > > For the core specification these error fields may appear in the > * body of the HTTP message (encoded in JSON) > * parameters to the query component of the redirection URI (using the > "application/x-www-form-urlencoded" format) > > For the bearer specification these error fields appear in the HTTP header. > Consequently, http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-19 > says 'values for the "error" and "error_description" attributes MUST > NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.' > > Now, here is the question. While these errors are essentially copied > over from one spec to the other the different encoding restrictions > make them different. Do we want different encodings of errors in the two documents? > > So, I see two options: > > 1) Leave the encoding as it is. This means the encoding of the error / > error_description / error_uri in the two specifications is different. > > 2) Harmonize the encoding between the two specifications by > incorporating the restrictions from the bearer specification into the base specification. > > Please indicate your preference by the end of next week (18th May 2012). > > Ciao > Hannes > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Encoding of Errors in the Base and in … Hannes Tschofenig
- Re: [OAUTH-WG] Encoding of Errors in the Base and… Mike Jones
- Re: [OAUTH-WG] Encoding of Errors in the Base and… William Mills
- Re: [OAUTH-WG] Encoding of Errors in the Base and… John Bradley
- Re: [OAUTH-WG] Encoding of Errors in the Base and… Eran Hammer
- Re: [OAUTH-WG] Encoding of Errors in the Base and… Mike Jones
- Re: [OAUTH-WG] Encoding of Errors in the Base and… Mike Jones
- Re: [OAUTH-WG] Encoding of Errors in the Base and… Nat Sakimura
- Re: [OAUTH-WG] Encoding of Errors in the Base and… Eran Hammer
- Re: [OAUTH-WG] Encoding of Errors in the Base and… Mike Jones
- Re: [OAUTH-WG] Encoding of Errors in the Base and… Eran Hammer
- Re: [OAUTH-WG] Encoding of Errors in the Base and… George Fletcher
- Re: [OAUTH-WG] Encoding of Errors in the Base and… SM
- Re: [OAUTH-WG] Encoding of Errors in the Base and… Eran Hammer
- Re: [OAUTH-WG] Encoding of Errors in the Base and… Murray S. Kucherawy
- Re: [OAUTH-WG] Encoding of Errors in the Base and… Eran Hammer
- Re: [OAUTH-WG] Encoding of Errors in the Base and… Hannes Tschofenig