Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON

Eran Hammer-Lahav <eran@hueniverse.com> Tue, 20 April 2010 15:11 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Tue, 20 Apr 2010 08:10:52 -0700
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON

There seems to be support for this idea with some concerns about complexity. Someone needs to propose text for this including defining the request parameter and schema of the various reply formats.

EHL

> -----Original Message-----
> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
> Sent: Monday, April 19, 2010 4:48 AM
> To: Eran Hammer-Lahav
> Cc: Dick Hardt; OAuth WG
> Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
> 
> 
> > We can also offer both and define a client request parameter (as long
> > as the server is required to make at least one format available).
> 
> +1 on this
> 
> regards,
> Torsten.
> 
> >
> > EHL
> >
> >> -----Original Message-----
> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
> >> Behalf Of Dick Hardt
> >> Sent: Sunday, April 18, 2010 9:30 PM
> >> To: OAuth WG
> >> Subject: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
> >>
> >> The AS token endpoint response is encoded as
> >> application/x-www-form-urlencoded
> >>
> >> While this reuses a well known and understood encoding standard, it
> >> is uncommon for a client to receive a message encoded like this. Most
> >> server responses are encoded as XML or JSON. Libraries are NOT
> >> readily available to parse application/x-www-form-urlencoded results
> >> as this is something that is typically done in the web server's
> >> framework. While parsing the name value pairs and URL un-encoding
> >> them is not hard, many developers have been caught just splitting the
> >> parameters and forgetting to URL decode the token.
> >> Since the token is opaque and may contain characters that are
> >> escaped, it is a difficult bug to detect.
> >>
> >> Potential options:
> >>
> >> 1) Do nothing, developers should read the specs and do the right thing.
> >>
> >> 2) Require that all parameters are URL safe so that there is no
> >> encoding issue.
> >>
> >> 3) Return results as JSON, and recommend that parameters be URL safe.
> >>
> >> -- Dick
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
>
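
Added example, not part of the original thread: the parsing bug described in the quoted first message (splitting the pairs without URL-decoding the token), next to a decoding parser and a round-trip check that exposes the bug. The parameter names access_token and expires_in, the sample token and the rejection of duplicate parameters are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample: an opaque token with characters that must be escaped.
SAMPLE_TOKEN = "k9/Zx+4=Qa&b%7E"
SAMPLE_BODY = urlencode({"access_token": SAMPLE_TOKEN, "expires_in": "3600"})


def naive_parse(body):
    """The buggy pattern: split the pairs but never URL-decode the values."""
    return dict(pair.split("=", 1) for pair in body.split("&"))


def parse_token_response(body):
    """Decode a form-encoded response body, rejecting ambiguous input."""
    # strict_parsing raises ValueError on fields that lack an '=' sign.
    pairs = parse_qsl(body, keep_blank_values=True, strict_parsing=True)
    params = {}
    for name, value in pairs:
        if name in params:
            # Added strictness (assumption): refuse repeated parameters
            # rather than silently picking the first or the last value.
            raise ValueError(f"duplicate parameter: {name}")
        params[name] = value
    return params


def survives_round_trip(parser, token=SAMPLE_TOKEN):
    """Regression check: does `parser` recover a token that needs escaping?"""
    body = urlencode({"access_token": token, "expires_in": "3600"})
    return parser(body).get("access_token") == token


if __name__ == "__main__":
    print("wire format  :", SAMPLE_BODY)
    print("naive token  :", naive_parse(SAMPLE_BODY)["access_token"])
    print("decoded token:", parse_token_response(SAMPLE_BODY)["access_token"])
    # A URL-safe token hides the bug, which is why it is hard to detect.
    print("naive, URL-safe token ok:", survives_round_trip(naive_parse, "abc123-_."))
    print("naive, escaped token ok :", survives_round_trip(naive_parse))
```

A client test suite that only uses URL-safe tokens passes with either parser, so the check needs a token like the constructed one above that contains escaped characters.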