Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP syntax comments
Julian Reschke <julian.reschke@gmx.de> Mon, 26 September 2011 19:22 UTC
Return-Path: <julian.reschke@gmx.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29F531F0C80 for <oauth@ietfa.amsl.com>; Mon, 26 Sep 2011 12:22:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.152
X-Spam-Level:
X-Spam-Status: No, score=-104.152 tagged_above=-999 required=5 tests=[AWL=-1.553, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F+lkA2ppRXtq for <oauth@ietfa.amsl.com>; Mon, 26 Sep 2011 12:22:31 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id D5EEB1F0C77 for <oauth@ietf.org>; Mon, 26 Sep 2011 12:22:26 -0700 (PDT)
Received: (qmail invoked by alias); 26 Sep 2011 19:24:59 -0000
Received: from p508F9B39.dip.t-dialin.net (EHLO [192.168.178.36]) [80.143.155.57] by mail.gmx.net (mp043) with SMTP; 26 Sep 2011 21:24:59 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1/Z1jITJmPZknAryWllILjmW+ch0C1uA98EiECY8O erMiPopK5TsCtW
Message-ID: <4E80D189.8050005@gmx.de>
Date: Mon, 26 Sep 2011 21:24:57 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20110902 Thunderbird/6.0.2
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739435C1FD669@TK5EX14MBXC285.redmond.corp.microsoft.com> <4E7DC7DD.5010407@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C2148AE@TK5EX14MBXC285.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435C2148AE@TK5EX14MBXC285.redmond.corp.microsoft.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP syntax comments
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2011 19:22:32 -0000
On 2011-09-26 21:03, Mike Jones wrote: > ... > No, b64token isn’t always there; the syntax specifies that either a > b64token OR one or more auth-params will be present. Yes, that’s intended. OK then; just checking :-) > ... > This was the working group decision at the interim meeting and is used > in both the core and bearer drafts. I believe that UTF-8 is a reasonable > outcome. Unless there’s a clear consensus to change both specifications, > I believe that this should stay as-is. > ... This is a serialization issue. Just because one encoding is right in one place doesn't mean it's right somewhere else. > > There was an explicit working decision not to include language codes. > > I didn't ask for language codes :-) > > OK. Others had been asking for them before the interim meeting, hence my > confusion. > > > This is recorded in the meeting minutes sent to the list by Hannes > > > Tschofenig on 6/3/11. The key part of the minutes is: > > > > > > *** Error Description *** > > > > > > Agreement among the participants that the error codes are meant for > > > consumption by the developer rather than the end user. Hence, language > > > codes are not important nor a human readable version that is supposed > > > to be understood by end users. > > In which case I recommend to stick to plain ASCII. > > Again, the working group explicitly decided to move from plain ASCII to > UTF-8. > ... I think you need to make a conscious decision about the purpose. If it needs to support non-ASCII then using raw UTF-8 in the param may cause problems as explained above. > ... > > The reply syntax is intentionally restricted to simplify > implementations. > > Special-casing the syntax *complicates* implementations. Using common > constructs allows re-using existing parsing code and thus make things > easier. > > Consider a browser seeing the credentials. It needs to parse the field > value for multiple challenges, and the only way for this to work is to > have predictable syntax for parameters. > > The philosophy behind the syntax restriction is that interoperability is > often increased if implementations are prepared to handle all the cases > that may arise. Having these cases be part of a fixed, enumerated set > helps achieve this. Parsing is the easy part; understanding and > meaningfully handling the semantics of the messages is the harder part, > which is why this restriction intentionally imposes boundaries – so as > to limit the cases that implementations need to be prepared handle. First of all: it's pretty clear that you haven't written a conforming parser for WWW-Authenticate yet; you may want to look at the test cases at <http://greenbytes.de/tech/tc/httpauth/>. Parsing definitively is *not* simple, and adding special cases over the generic syntax will make it even harder. In particular, using double quotes for something that isn't a quoted string is incompatible with the base syntax. (Yes, this is a show-stopper). > > 4. IANA Considerations > > > > > > -> If you have a dependency on HTTPbis then you should also add the > > > > > > registration for the authentication scheme as defined in HTTPbis P7. > > > > > > Done > > Thanks. > > Now that you have switched to HTTPbis you probably can get rid of the > reference to RFC 2617. > > The remaining reference is informational – not normative. > ... Yes, but what is it for? Best regards, Julian
- [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP syn… Julian Reschke
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Peter Saint-Andre
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Mike Jones
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Mike Jones
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Julian Reschke
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Mike Jones
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… William Mills
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Julian Reschke
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Julian Reschke
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Mike Jones
- Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP… Julian Reschke