Re: [OAUTH-WG] JSON based access token requests for OAuth 2.1

Aaron Parecki <aaron@parecki.com> Tue, 06 October 2020 15:10 UTC

Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CB933A0AD0 for <oauth@ietfa.amsl.com>; Tue, 6 Oct 2020 08:10:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ax_A1JEftaBh for <oauth@ietfa.amsl.com>; Tue, 6 Oct 2020 08:10:27 -0700 (PDT)
Received: from mail-io1-xd2c.google.com (mail-io1-xd2c.google.com [IPv6:2607:f8b0:4864:20::d2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E05FE3A0AC8 for <oauth@ietf.org>; Tue, 6 Oct 2020 08:10:26 -0700 (PDT)
Received: by mail-io1-xd2c.google.com with SMTP id g7so13342709iov.13 for <oauth@ietf.org>; Tue, 06 Oct 2020 08:10:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9xOCuRz1+cqel5NMeNnwc4TCyiaRhASQtu9sZdOsjxw=; b=TwvXnroOm39WAT3wKkpOrYdzxhx20txsWQ9CA1FvyYT9wUUeT5gr5dxwelm3V/KIrd YHTk1O/HFgLrKbkYx8B/rf8KB48iuQy68xCLKWBG3FObmvQ3m2OzHTMC84gbTCYsImXU qb6kYLwCFPyryp/kY0Z3+imHS86e2ynTpuOfHYZbLgsTPUicrVQa7l26sYCV4nFOx9Gm qF1prQcq69V7ESJjwTgp6uz9zJCTUG114lk+/u/x1U9G0n94/daRbcKgE8tT/MgHmYUF /iN78LO7ET8WngRAWDysPMCSszjcZezwtlNGv9geguk+nUzJCamw10thLrNiShzHrE69 l1Wg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9xOCuRz1+cqel5NMeNnwc4TCyiaRhASQtu9sZdOsjxw=; b=fD+/qqvG13ErlO89z14ohm09HRmUecD3v8LId/rwchY9phTCn+hhgXYIaCqUl1mdf+ 6Yc7qSaZiZcQomIf8SC4TMlr+AnV906L07CwrVy2yyfCOYjUYLrf7leQZIpAIvT4U5dY GIfMK1w2iksgP/53ivqs41hP8TKfs1DOieZ/dhNeGT7b5mrsrg5XhldgdKitHPLyAXDn 1Gt8D572S+rLOUr8gGm+TJal8LRdtNWWiF0ENn+Le2/iT76Y7dUt0jfeTr30FAgQqxKp cQs150J9UThRSdac5/0oKAdfewr6mSpyA3Cz7xuvyuz8Me1XtUtz3MRGNpkzHkbrn+l5 DpRw==
X-Gm-Message-State: AOAM533UZPEuXQT4yIecG/y4PzWn/iiwnSRxrss5HuQ9A36Z6V9pIbc+ p3ZN0G7UUuvb5/jQc6IpPQiZsALrGNS5Cg==
X-Google-Smtp-Source: ABdhPJwTc3sowe1+bAckIf5TVIK9O7k3ZIAsWqcZr5NW+/Wm+za/a6UFRd5criUY6xnGor8nAgudyA==
X-Received: by 2002:a5d:8b4c:: with SMTP id c12mr1477654iot.167.1601997025378; Tue, 06 Oct 2020 08:10:25 -0700 (PDT)
Received: from mail-io1-f52.google.com (mail-io1-f52.google.com. [209.85.166.52]) by smtp.gmail.com with ESMTPSA id t26sm1596377ioi.11.2020.10.06.08.10.24 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 06 Oct 2020 08:10:24 -0700 (PDT)
Received: by mail-io1-f52.google.com with SMTP id m17so13397529ioo.1 for <oauth@ietf.org>; Tue, 06 Oct 2020 08:10:24 -0700 (PDT)
X-Received: by 2002:a02:605c:: with SMTP id d28mr1656704jaf.12.1601997024254; Tue, 06 Oct 2020 08:10:24 -0700 (PDT)
MIME-Version: 1.0
References: <CAM7dPt1T6YkfOnTdcR65x4E54dnPuwZQ_k2mrMqfiho0eNyzMw@mail.gmail.com>
In-Reply-To: <CAM7dPt1T6YkfOnTdcR65x4E54dnPuwZQ_k2mrMqfiho0eNyzMw@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Tue, 6 Oct 2020 08:10:13 -0700
X-Gmail-Original-Message-ID: <CAGBSGjqkuz=+V0HGPr0CQP77iE6O=fYUR+izOURSipX0hmNHtA@mail.gmail.com>
Message-ID: <CAGBSGjqkuz=+V0HGPr0CQP77iE6O=fYUR+izOURSipX0hmNHtA@mail.gmail.com>
To: Janak Amarasena <janakama360@gmail.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008fe64e05b101fff5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vOwbYw4lYjVzEclEnzAaCVFixSk>
Subject: Re: [OAUTH-WG] JSON based access token requests for OAuth 2.1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Oct 2020 15:10:28 -0000

The spec does clearly require form-encoded POST requests to the token
endpoint, it's not just an implication. The requests made include simple
key/value pairs so there's nothing really gained by making this a JSON
post. Changing that at this point would be a drastic breaking change to
pretty much all existing code for very little benefit if any.

That said, Justin Richer did already write up a draft exploring this topic,
but it hasn't shown much interest in the group yet.

https://www.ietf.org/id/draft-richer-oauth-json-request-00.html

Aaron






On Tue, Oct 6, 2020 at 7:18 AM Janak Amarasena <janakama360@gmail.com>
wrote:

> Hi All,
>
> As per my understanding OAuth 2(RFC6749) doesn't mandate any specific
> media type to be used in the access token request. The spec implies
> application/x-www-form-urlencoded should be used. Since the media type
> application/json is very popular and widely used now, any thoughts on
> referencing the use of this as well for access token requests?
>
> Best Regards,
> Janak Amarasena
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 
---
Aaron Parecki
https://aaronparecki.com