IETF Logo Mail Archive

Re: [OAUTH-WG] Proposed resolution for issue 26

"Manger, James H" <James.H.Manger@team.telstra.com> Sat, 24 September 2011 14:38 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AE8821F8AF0 for <oauth@ietfa.amsl.com>; Sat, 24 Sep 2011 07:38:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.139
X-Spam-Level:
X-Spam-Status: No, score=-3.139 tagged_above=-999 required=5 tests=[AWL=-2.238, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hzkhz9fsTP5E for <oauth@ietfa.amsl.com>; Sat, 24 Sep 2011 07:38:16 -0700 (PDT)
Received: from ipxavo.tcif.telstra.com.au (ipxavo.tcif.telstra.com.au [203.35.135.200]) by ietfa.amsl.com (Postfix) with ESMTP id CDC0F21F8AEC for <oauth@ietf.org>; Sat, 24 Sep 2011 07:38:14 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.68,435,1312120800"; d="scan'208";a="46501327"
Received: from unknown (HELO ipcdvi.tcif.telstra.com.au) ([10.97.217.212]) by ipoavi.tcif.telstra.com.au with ESMTP; 25 Sep 2011 00:40:47 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,6478"; a="37673651"
Received: from wsmsg3757.srv.dir.telstra.com ([172.49.40.85]) by ipcdvi.tcif.telstra.com.au with ESMTP; 25 Sep 2011 00:40:46 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by wsmsg3757.srv.dir.telstra.com ([172.49.40.85]) with mapi; Sun, 25 Sep 2011 00:40:47 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Sun, 25 Sep 2011 00:40:44 +1000
Thread-Topic: Proposed resolution for issue 26
Thread-Index: Acx5+RoYuC5sLQs0Spy/pi+T441Q9AAxktNw
Message-ID: <255B9BB34FB7D647A506DC292726F6E1128E5D883D@WSMSG3153V.srv.dir.telstra.com>
References: <4E1F6AAD24975D4BA5B16804296739435C1FC6A1@TK5EX14MBXC285.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435C1FC6A1@TK5EX14MBXC285.redmond.corp.microsoft.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Proposed resolution for issue 26
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Sep 2011 14:38:17 -0000

> From: Mike Jones
>
> Issue #26 http://trac.tools.ietf.org/wg/oauth/trac/ticket/26 asks whether the semantics of scope strings should be changed to require that the % character be interpreted as introducing a percent-encoded character that follows.  My proposed resolution is that %-encoding not be required in the specification; therefore no textual change would be made to the specification in response to this issue.  The reasoning behind this resolution is as follows:

I disagree. This does not resolve the ambiguity. I think there is some confusion between 1) the internal structure (eg encoding) of a scope string, and 2) escaping done when transporting the scope string in a protocol element.


> 1.  Interpretation of scope strings already requires semantic agreement on the meaning of the scope strings between the parties participating the OAuth flow.  Should an encoding be used for scope strings in a particularly deployment context, it is reasonable for participants to have agreed upon that encoding, just as they agree on other OAuth configuration parameters.

A client app does NOT always need semantic agreement on the meaning of scope strings.
Consider a client app that makes a request to a server and gets a 401 response with 'WWW-Authenticate: Bearer ... scope="XXXXX"'. The client app now knows it can run an OAuth exchange to get the required permission to retry the request, and it should ask for the given scope during that OAuth exchange.
The client app needs to copy XXXXXX from the response header into an OAuth exchange. It does not need to know anything more "semantics" about this scope value. XXXXXXX can be opaque to the client app. The client app does need to know any decode/encode steps involved in transferring this HTTP Bearer response value to an OAuth exchange value.

If "XXXXXXX" is "1%2A2", should the client app redirect the user to
  https://example.org/authz?scope=1%2A2&...
or
  https://example.org/authz?scope=1%252A2&...
(or can the answer vary between different servers!!)


> 2.  More than one encoding methodology could reasonably be employed in scope strings.  For instance, base64url encoding of scope values could be used in some contexts.  Quoting characters with '\' is another possibility.  I see no compelling reason to mandate %-encoding over other potential encoding methods.

Servers can choose any encoding they want (including none) when defining their own scope values (as logical Unicode strings).
That is a separate choice to the encoding that is used in the HTTP Bearer response header when transporting a scope value.


> 3.  Mandating %-encoding unnecessarily complicates implementations without providing a clear compensating benefit sufficient warrant the additional complexity.  For example, it seems unnecessary to mandate that the scope strings "email" and "%65mail" MUST compare as being equal in all implementations.

When the scope string "email" is transported in JSON the receiver MUST compare "\u0065mail" as equal. When it is transported as a URI query parameter the receiver MUST compare "%65mail" as equal. This is normal JSON and query parameter processing.


> 4.  If an encoding methodology for scope strings is mandated, this should be done in the OAuth Core specification - not the OAuth Bearer Token specification.

The core spec implies that a scope value can consist of any Unicode characters except space.
The core spec transports scope values in JSON or url-encoded fields that have well-defined escaping mechanisms that are sufficient to handle all Unicode string, hence all possible scope values.

The Bearer spec transports scope values in an HTTP response header parameter. It defines no escaping mechanism so it cannot handle all Unicode strings (ie it cannot handle all scope values that are possible in core).

It is strange for the Bearer spec to restrict scope values. It should leave that to the core. Hence the Bearer spec should be able to transport any scope value allowed in the core (ie any Unicode string). Hence an escaping mechanism needs to be specified for the HTTP response header scope field. 


> 5.  I am aware of no existing practice that utilizes %-encoding of scope values.

Then a solution that avoids defining an escaping mechanism might work. It requires the Bearer spec to explicitly say "The Bearer mechanism only works with scope values that are limited to these ~90 ASCII characters (that can be transported in an HTTP response header field without an escaping mechanism), which is more restrictive than OAuth core". Or better still if you like this approach, apply this restriction in core to all scope values.


--
James Manger

v2.23.0 | Report a Bug | By Email