Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON (Proposal)
Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 29 April 2010 19:46 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 797503A6ACC for <oauth@core3.amsl.com>; Thu, 29 Apr 2010 12:46:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.627
X-Spam-Level:
X-Spam-Status: No, score=-0.627 tagged_above=-999 required=5 tests=[AWL=-0.978, BAYES_50=0.001, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q40blFsU0+SO for <oauth@core3.amsl.com>; Thu, 29 Apr 2010 12:46:07 -0700 (PDT)
Received: from smtprelay03.ispgateway.de (smtprelay03.ispgateway.de [80.67.29.7]) by core3.amsl.com (Postfix) with ESMTP id 85ED93A6A2F for <oauth@ietf.org>; Thu, 29 Apr 2010 12:46:06 -0700 (PDT)
Received: from p4fff2ffd.dip.t-dialin.net ([79.255.47.253] helo=[127.0.0.1]) by smtprelay03.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1O7ZgC-0007CG-Uu; Thu, 29 Apr 2010 21:45:49 +0200
Message-ID: <4BD9E1E3.7060107@lodderstedt.net>
Date: Thu, 29 Apr 2010 21:45:39 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Robert Sayre <sayrer@gmail.com>
References: <9890332F-E759-4E63-96FE-DB3071194D84@gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E30A379B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <20100419134825.134951nuzvi35hk4@webmail.df.eu> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F45E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4BD2A172.2070401@lodderstedt.net> <4BD8869A.2080403@lodderstedt.net> <s2zc334d54e1004281425x5e714eebwcd5a91af593a62ac@mail.gmail.com> <v2j68fba5c51004282044o3a5f96cfucb1157d3884d8cd2@mail.gmail.com>
In-Reply-To: <v2j68fba5c51004282044o3a5f96cfucb1157d3884d8cd2@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: 141509
Cc: jsmarr@stanfordalumni.org, oauth@ietf.org
Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON (Proposal)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Apr 2010 19:46:08 -0000
Hi all, please find below a proposal for adding support for multiple response formats to the specification. I have taken the current version of the draft http://github.com/theRazorBlade/draft-ietf-oauth/raw/master/draft-ietf-oauth.txt and added some modifications indicated by dashed lines. Proposed changes to section 3.5.2 should be applied to 3.5.3, 3.6.1., 3.7.1., 3.7.2, and 4., too. Basically, the idea is that clients indicate the desired format using Accept headers (default) or request parameters (User-Agent flow) and the response is delivered accordingly. The formats considered are application/json, text/xml, and application/x-www-form-urlencoded. And as suggested by Joseph, parameters are encoded straight-forward as flat JSON object or XML document, respectively. I would appriciate regards, Torsten. 3.5.2. Web Server Flow 3.5.2.2. Client Requests Access Token The client obtains an access token from the authorization server by <snip> secret_type OPTIONAL. The access token secret type as described by Section 5.3. If omitted, the authorization server will issue a bearer token (an access token without a matching secret) as described by Section 5.2. -------- A client may indicate the desired response format using an Accept-Header specifying one of the following mime types: application/x-www-form-urlencoded, application/xml, or application/json. If not specified, the default response format is application/json. (Alternatively, the response format could be specified by a query parameter) -------- For example, the client makes the following HTTPS request (line breaks are for display purposes only): POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded -------- Accept: application/json -------- type=web_server&client_id=s6BhdRkqt3& client_secret=gX1fBat3bV&code=i1WsRn1uB1& redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb The authorization server MUST verify that the verification code, client identity, client secret, and redirection URI are all valid and match its stored association. If the request is valid, the authorization server issues an access token and delivers it to the client in the HTTP response body using -------- the mime type as requested by the client or "application/json" -------- with a 200 status code (OK). The response contains the following parameters: access_token REQUIRED. The access token issued by the authorization server. expires_in OPTIONAL. The duration in seconds of the access token lifetime. refresh_token OPTIONAL. The refresh token used to obtain new access tokens using the same end user access grant as described in Section 4. access_token_secret REQUIRED if requested by the client. The corresponding access token secret as requested by the client. -------- The response format depends on the requested mime type. The content-type header field indicates mime type and may optionaly indicate charset. "application/json": All parameters are encoded as one flat JSON object with one key/value pair per parameter. For example: HTTP/1.1 200 OK Content-Type: application/json { "access_token": "SlAV32hkKG", "expires_in": "3600", "refresh_token": "8xLOxBtZp8" } "text/xml": All parameters are encoded as one XML document with the root element <token_response>. For each parameter there is a corresponding sub-element with the parameter name containing the respectives parameters value. For example: HTTP/1.1 200 OK Content-Type: text/xml <token_response> <access_token>SlAV32hkKG <expires_in>3600</expires_in> <refresh_token>8xLOxBtZp8</refresh_token> </token_response> "application/x-www-form-urlencoded": parameters are encoded as name/value pairs -------- For example: HTTP/1.1 200 OK Content-Type: application/x-www-form-urlencoded access_token=SlAV32hkKG&expires_in=3600&refresh_token=8xLOxBtZp8 If the request is invalid, the authorization server returns an error message in the HTTP response body using the -------- the mime type as requested by the client or "application/json" -------- with a 400 status code (Bad Request). The response contains the following parameter: error OPTIONAL. The parameter value MUST be set to either "redirect_uri_mismatch" or "expired_verification_code" (case sensitive). -------- The response format depends on the requested mime type. The response rendering follows the rules as specified above. -------- For example: -------- HTTP/1.1 400 Bad Request Content-Type: application/json { "error"="expired_verification_code" } -------- 3.5.1. User-Agent Flow 3.5.1.1. Client Requests Authorization In order for the end user to grant the client access, the client sends the end user to the authorization server. The client constructs the request URI by adding the following URI query parameters to the user authorization endpoint URI: <snip> -------- response_format OPTIONAL. Indicates the format used to deliver token data and errors to the client. The parameter value MUST be set to "text/xml", "application/json", or "application/x-www-form-urlencoded". Defaults to "application/json" if omitted. -------- 3.5.1.1.1. End User Grants Authorization If the end user authorizes the access request, the authorization server issues an access token and delivers it to the client by adding the following parameters, using the -------- mime type as indicated by "response_format" -------- to the redirection URI fragment: access_token REQUIRED. The access token. expires_in OPTIONAL. The duration in seconds of the access token lifetime. refresh_token OPTIONAL. The refresh token. state REQUIRED if the "state" parameter was present in the client authorization request. Set to the exact value received from the client. access_token_secret REQUIRED if requested by the client. The corresponding access token secret as requested by the client. -------- The way and format parameters are added to the fragment depend on the requested mime type. "application/json": All parameters are encoded as one flat JSON object with one key/value pair per parameter. This document is URL encoded and added as parameter "oauth_response" to the fragment. For example, the authorization server redirects the end user's user- agent by sending the following HTTP response: HTTP/1.1 302 Found Location: http://example.com/rd#oauth_response=%7B+%22access_token%22%3A+%22SlAV32hkKG%22%2C+%22expires_in%22%3A+%223600%22%2C+%22refresh_token%22%3A+%228xLOxBtZp8%22+%7D "text/xml": All parameters are encoded as one XML document with the root element <token_response>. For each parameter there is a corresponding sub-element with the parameter name containing the respectives parameters value. The XML document is URL encoded and added as parameter "oauth_response" to the fragment. For example: HTTP/1.1 302 Found Location: http://example.com/rd#oauth_response=%3Ctoken_response%3E%3Caccess_token%3ESlAV32hkKG%3Cexpires_in%3E3600%3C%2Fexpires_in%3E%3Crefresh_token%3E8xLOxBtZp8%3C%2Frefresh_token%3E%3C%2Ftoken_response%3E "application/x-www-form-urlencoded": All parameter are directly added as parameters to the redirection URI fragment. -------- For example: HTTP/1.1 302 Found Location: http://example.com/rd#access_token=FJQbwq9&expires_in=3600 3.5.1.1.2. End User Denies Authorization If the end user denied the access request, the authorization server responds to the client by adding the following parameters, using the -------- mime type as indicated by "response_format" -------- to the redirection URI fragment: error REQUIRED. The parameter value MUST be set to "user_denied" (case sensitive). state REQUIRED if the "state" parameter was present in the client authorization request. Set to the exact value received from the client. -------- The way and format parameters are added to the fragment depend on the requested mime type and follows the same rules as specified above. -------- For example, the authorization server responds with the following: HTTP/1.1 302 Found Location: http://example.com/rd#oauth_response=%7b+%22error%22%3d%22user%5fdenied%22%7d
- [OAUTH-WG] application/x-www-form-urlencoded vs J… Dick Hardt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Richard Barnes
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Joseph Smarr
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Joseph Smarr
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Paul C. Bryan
- Re: [OAUTH-WG] application/x-www-form-urlencoded … David Recordon
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Joseph Smarr
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Manger, James H
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Gaurav Rastogi
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Joseph Smarr
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Robert Sayre
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Yaron Goland
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Brian Eaton
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Manger, James H
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Yaron Goland
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Mike Moore
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Allen Tom
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Dick Hardt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Dick Hardt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Dick Hardt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Dick Hardt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Robert Sayre
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … David Recordon
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Robert Sayre
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Evan Gilbert
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Robert Sayre
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Evan Gilbert
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Evan Gilbert
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Evan Gilbert
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Evan Gilbert
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Marius Scurtescu
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … DeWitt Clinton
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Pid
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Joseph Smarr
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Greg Brail
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Torsten Lodderstedt
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Luke Shepard
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Pid
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Paul C. Bryan
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Paul C. Bryan
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Simone Gianni
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Eran Hammer-Lahav
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Pid
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Yaron Goland
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Robert Sayre
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Greg Brail
- Re: [OAUTH-WG] application/x-www-form-urlencoded … Brian Eaton