Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON (Proposal)

Marius Scurtescu <mscurtescu@google.com> Fri, 30 April 2010 00:22 UTC

In-Reply-To: <4BD9E1E3.7060107@lodderstedt.net>
References: <9890332F-E759-4E63-96FE-DB3071194D84@gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E30A379B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <20100419134825.134951nuzvi35hk4@webmail.df.eu> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F45E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4BD2A172.2070401@lodderstedt.net> <4BD8869A.2080403@lodderstedt.net> <s2zc334d54e1004281425x5e714eebwcd5a91af593a62ac@mail.gmail.com> <v2j68fba5c51004282044o3a5f96cfucb1157d3884d8cd2@mail.gmail.com> <4BD9E1E3.7060107@lodderstedt.net>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Thu, 29 Apr 2010 17:22:09 -0700
Message-ID: <z2w74caaad21004291722k5058ade6k65529dfba73fd04e@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth@ietf.org, jsmarr@stanfordalumni.org
Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON (Proposal)

On Thu, Apr 29, 2010 at 12:45 PM, Torsten Lodderstedt
<torsten@lodderstedt.net> wrote:
> 3.5.2.  Web Server Flow
> 3.5.2.2.  Client Requests Access Token
>
>   The client obtains an access token from the authorization server by
> <snip>
>   secret_type
>         OPTIONAL.  The access token secret type as described by
>         Section 5.3.  If omitted, the authorization server will issue a
>         bearer token (an access token without a matching secret) as
>         described by Section 5.2.
>
> --------
> A client may indicate the desired response format using an Accept-Header
> specifying
> one of the following mime types: application/x-www-form-urlencoded,
> application/xml,
> or application/json. If not specified, the default response format is
> application/json.
> (Alternatively, the response format could be specified by a query parameter)
> --------
>
>   For example, the client makes the following HTTPS request (line
>   breaks are for display purposes only):
>
>     POST /token HTTP/1.1
>     Host: server.example.com
>     Content-Type: application/x-www-form-urlencoded
> --------
>     Accept: application/json
> --------
>
>     type=web_server&client_id=s6BhdRkqt3&
>     client_secret=gX1fBat3bV&code=i1WsRn1uB1&
>     redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

Why not allow the request to be JSON encoded as well?

The only non-JSON requests and responses are those that go through the
User Agent as query parameters. How about encoding with JSON in these
cases as well and putting the whole JSON blob into a query parameter
named like oauth_request/oauth_response? This would make all
requests/responses consistent and eliminate possible collisions.

Do we still have to support application/x-www-form-urlencoded?

Marius
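The two ideas in this exchange (Torsten's Accept-header negotiation of the token response, and Marius's question of also accepting JSON request bodies and packing the user-agent response into a single query parameter) as an added example, not code from the OAuth WG thread or any draft: a minimal token endpoint that decodes either application/x-www-form-urlencoded or application/json bodies into one parameter dict, encodes its reply according to Accept with JSON as the default, and two redirect builders showing how one oauth_response blob avoids the name collision that per-field query parameters can hit. The client_id, client_secret, code and redirect_uri are taken from the quoted request; the second code, the expires_in field, the error wording and all function names are this example's own assumptions.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

FORM = "application/x-www-form-urlencoded"
JSON = "application/json"

# Constructed fixtures: the first code and the client come from the quoted
# draft example; the second code exists only so two requests can succeed.
CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}
CODES = {
    "i1WsRn1uB1": {"client_id": "s6BhdRkqt3", "redirect_uri": "https://client.example.com/cb"},
    "k9Lm2pQx7r": {"client_id": "s6BhdRkqt3", "redirect_uri": "https://client.example.com/cb"},
}
ISSUED = {}  # access_token -> client_id (assumed bookkeeping, for inspection)


def _reject_duplicates(pairs):
    """Build a dict from (key, value) pairs, refusing a repeated key instead of silently picking one."""
    out = {}
    for key, value in pairs:
        if key in out:
            raise ValueError(f"duplicate parameter {key!r}")
        out[key] = value
    return out


def parse_request(content_type, body):
    """Decode the request body by Content-Type into one flat dict of strings.

    Both encodings end up in the same shape, so the endpoint logic below does
    not care which one the client chose.
    """
    if content_type == FORM:
        return _reject_duplicates(parse_qsl(body, keep_blank_values=True, strict_parsing=True))
    if content_type == JSON:
        params = json.loads(body, object_pairs_hook=_reject_duplicates)
        if not isinstance(params, dict) or not all(isinstance(v, str) for v in params.values()):
            raise ValueError("JSON body must be a flat object of strings")
        return params
    raise ValueError(f"unsupported Content-Type {content_type!r}")


def encode_response(accept, payload):
    """Encode per the Accept header; JSON is the default when none is given."""
    if accept in (None, "", JSON, "*/*"):
        return JSON, json.dumps(payload)
    if accept == FORM:
        return FORM, urlencode(payload)
    raise ValueError(f"unsupported Accept {accept!r}")


def token_endpoint(headers, body):
    """Handle one web_server-flow token request; returns (status, content_type, body)."""
    accept = headers.get("Accept")
    try:
        params = parse_request(headers.get("Content-Type"), body)
        if params.get("type") != "web_server":
            raise ValueError("unsupported type")
        secret = CLIENTS.get(params.get("client_id", ""))
        # Constant-time compare; an unknown client_id fails the same way as a wrong secret.
        if secret is None or not hmac.compare_digest(
            secret.encode(), params.get("client_secret", "").encode()
        ):
            raise ValueError("client authentication failed")
        grant = CODES.pop(params.get("code", ""), None)  # authorization codes are single use
        if grant is None or grant["client_id"] != params["client_id"] \
                or grant["redirect_uri"] != params.get("redirect_uri"):
            raise ValueError("invalid code")
        token = secrets.token_urlsafe(24)
        ISSUED[token] = params["client_id"]
        ctype, out = encode_response(accept, {"access_token": token, "expires_in": 3600})
        return 200, ctype, out
    except ValueError as exc:
        # Fall back to JSON for the error if the Accept value itself was the problem.
        ctype, out = encode_response(accept if accept in (FORM, JSON) else None, {"error": str(exc)})
        return 400, ctype, out


def redirect_with_params(redirect_uri, response):
    """Append each response field as its own query parameter; refuses on a name collision."""
    parts = urlsplit(redirect_uri)
    existing = parse_qsl(parts.query, keep_blank_values=True)
    clash = {k for k, _ in existing} & set(response)
    if clash:
        raise ValueError(f"redirect_uri already carries {sorted(clash)}")
    return urlunsplit(parts._replace(query=urlencode(existing + list(response.items()))))


def redirect_with_blob(redirect_uri, response):
    """The alternative from the mail: the whole response as one JSON blob in oauth_response."""
    parts = urlsplit(redirect_uri)
    existing = parse_qsl(parts.query, keep_blank_values=True)
    blob = json.dumps(response, separators=(",", ":"), sort_keys=True)
    return urlunsplit(parts._replace(query=urlencode(existing + [("oauth_response", blob)])))


def read_blob(url):
    """Client side: recover the response dict from the oauth_response parameter."""
    params = _reject_duplicates(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return json.loads(params["oauth_response"])
```

The form and JSON paths deliberately share `_reject_duplicates`: `parse_qsl` would otherwise yield two `client_id` entries and `json.loads` would silently keep the last duplicate key, so a request that is ambiguous in one encoding is rejected the same way in the other. The redirect builders show the collision Marius alludes to: a `redirect_uri` that already carries `?code=...` for the client's own purposes cannot take a second `code` parameter, whereas a single `oauth_response` blob coexists with whatever the client put there.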