IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP syntax comments

Julian Reschke <julian.reschke@gmx.de> Mon, 26 September 2011 19:22 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29F531F0C80 for <oauth@ietfa.amsl.com>; Mon, 26 Sep 2011 12:22:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.152
X-Spam-Level:
X-Spam-Status: No, score=-104.152 tagged_above=-999 required=5 tests=[AWL=-1.553, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F+lkA2ppRXtq for <oauth@ietfa.amsl.com>; Mon, 26 Sep 2011 12:22:31 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id D5EEB1F0C77 for <oauth@ietf.org>; Mon, 26 Sep 2011 12:22:26 -0700 (PDT)
Received: (qmail invoked by alias); 26 Sep 2011 19:24:59 -0000
Received: from p508F9B39.dip.t-dialin.net (EHLO [192.168.178.36]) [80.143.155.57] by mail.gmx.net (mp043) with SMTP; 26 Sep 2011 21:24:59 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1/Z1jITJmPZknAryWllILjmW+ch0C1uA98EiECY8O erMiPopK5TsCtW
Message-ID: <4E80D189.8050005@gmx.de>
Date: Mon, 26 Sep 2011 21:24:57 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20110902 Thunderbird/6.0.2
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739435C1FD669@TK5EX14MBXC285.redmond.corp.microsoft.com> <4E7DC7DD.5010407@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C2148AE@TK5EX14MBXC285.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435C2148AE@TK5EX14MBXC285.redmond.corp.microsoft.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08 HTTP syntax comments
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2011 19:22:32 -0000

On 2011-09-26 21:03, Mike Jones wrote:
> ...
> No, b64token isn’t always there; the syntax specifies that either a
> b64token OR one or more auth-params will be present. Yes, that’s intended.

OK then; just checking :-)

 > ...
> This was the working group decision at the interim meeting and is used
> in both the core and bearer drafts. I believe that UTF-8 is a reasonable
> outcome. Unless there’s a clear consensus to change both specifications,
> I believe that this should stay as-is.
> ...

This is a serialization issue. Just because one encoding is right in one 
place doesn't mean it's right somewhere else.

>  > There was an explicit working decision not to include language codes.
>
> I didn't ask for language codes :-)
>
> OK. Others had been asking for them before the interim meeting, hence my
> confusion.
>
>  > This is recorded in the meeting minutes sent to the list by Hannes
>
>  > Tschofenig on 6/3/11. The key part of the minutes is:
>
>  >
>
>  > *** Error Description ***
>
>  >
>
>  > Agreement among the participants that the error codes are meant for
>
>  > consumption by the developer rather than the end user. Hence, language
>
>  > codes are not important nor a human readable version that is supposed
>
>  > to be understood by end users.
>
> In which case I recommend to stick to plain ASCII.
>
> Again, the working group explicitly decided to move from plain ASCII to
> UTF-8.
> ...

I think you need to make a conscious decision about the purpose. If it 
needs to support non-ASCII then using raw UTF-8 in the param may cause 
problems as explained above.

>  ...
>  > The reply syntax is intentionally restricted to simplify
> implementations.
>
> Special-casing the syntax *complicates* implementations. Using common
> constructs allows re-using existing parsing code and thus make things
> easier.
>
> Consider a browser seeing the credentials. It needs to parse the field
> value for multiple challenges, and the only way for this to work is to
> have predictable syntax for parameters.
>
> The philosophy behind the syntax restriction is that interoperability is
> often increased if implementations are prepared to handle all the cases
> that may arise. Having these cases be part of a fixed, enumerated set
> helps achieve this. Parsing is the easy part; understanding and
> meaningfully handling the semantics of the messages is the harder part,
> which is why this restriction intentionally imposes boundaries – so as
> to limit the cases that implementations need to be prepared handle.

First of all: it's pretty clear that you haven't written a conforming 
parser for WWW-Authenticate yet; you may want to look at the test cases 
at <http://greenbytes.de/tech/tc/httpauth/>.

Parsing definitively is *not* simple, and adding special cases over the 
generic syntax will make it even harder.

In particular, using double quotes for something that isn't a quoted 
string is incompatible with the base syntax. (Yes, this is a show-stopper).


>  > 4. IANA Considerations
>
>  >
>
>  > -> If you have a dependency on HTTPbis then you should also add the
>
>  >
>
>  > registration for the authentication scheme as defined in HTTPbis P7.
>
>  >
>
>  > Done
>
> Thanks.
>
> Now that you have switched to HTTPbis you probably can get rid of the
> reference to RFC 2617.
>
> The remaining reference is informational – not normative.
> ...

Yes, but what is it for?

Best regards, Julian

v2.23.0 | Report a Bug | By Email