Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
Evan Gilbert <uidude@google.com> Thu, 20 May 2010 13:54 UTC
Return-Path: <uidude@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CD7BD3A6BF3 for <oauth@core3.amsl.com>; Thu, 20 May 2010 06:54:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.282
X-Spam-Level:
X-Spam-Status: No, score=-100.282 tagged_above=-999 required=5 tests=[AWL=-0.906, BAYES_50=0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G2u+fmfxBIL5 for <oauth@core3.amsl.com>; Thu, 20 May 2010 06:54:08 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 5F0463A6BBC for <oauth@ietf.org>; Thu, 20 May 2010 06:54:04 -0700 (PDT)
Received: from wpaz5.hot.corp.google.com (wpaz5.hot.corp.google.com [172.24.198.69]) by smtp-out.google.com with ESMTP id o4KDrrJY017539 for <oauth@ietf.org>; Thu, 20 May 2010 06:53:54 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1274363634; bh=BEHl+17V+9a1K58yD7Qo3KCRjg4=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=UX7C+0Xef5qBfWfHe60scjoq8qnmCCYj+tiO86+7jj0/MBmdhsmHNG+u3qnkxX+1F N7kYp0rdjanaqXkFMH5/A==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:x-system-of-record; b=EZjgKGhNFQxKTgefPPXkQ3sGYn65NDfRT0YFwfaDvfh2C1RltbXsx0ol0F3dt27S4 bp2uieubF6Mp2YMEwuueg==
Received: from qyk15 (qyk15.prod.google.com [10.241.83.143]) by wpaz5.hot.corp.google.com with ESMTP id o4KDrpKZ016350 for <oauth@ietf.org>; Thu, 20 May 2010 06:53:52 -0700
Received: by qyk15 with SMTP id 15so11611410qyk.6 for <oauth@ietf.org>; Thu, 20 May 2010 06:53:51 -0700 (PDT)
Received: by 10.224.140.131 with SMTP id i3mr61004qau.39.1274363631392; Thu, 20 May 2010 06:53:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.78.215 with HTTP; Thu, 20 May 2010 06:53:31 -0700 (PDT)
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E112637B8285@WSMSG3153V.srv.dir.telstra.com>
References: <ADB082E11CEB5D49A3CC03E49DCECE02378CB8A679@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E72343B3B698808@P3PW5EX1MB01.EX1.SECURESERVER.NET> <7C01E631FF4B654FA1E783F1C0265F8C4A42BFCC@TK5EX14MBXC117.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E72343B3B69895B@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTimiSqQjOsxDMxFGjIkP3xDQVHge6OJUPu9CYxHf@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3B6989D0@P3PW5EX1MB01.EX1.SECURESERVER.NET> <09A6EF98-7406-43D8-9B1C-C16E38CA35D1@gmail.com> <7C01E631FF4B654FA1E783F1C0265F8C4A4312FC@TK5EX14MBXC117.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E72343B3B699132@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTinlwZpM4PBHSR1t1whWR2p38PHq9VpcJw4p77vs@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112637B8285@WSMSG3153V.srv.dir.telstra.com>
From: Evan Gilbert <uidude@google.com>
Date: Thu, 20 May 2010 06:53:31 -0700
Message-ID: <AANLkTikSRG5UWCRvFjtVyqJ-GoHigwW0CVFC1NMJGj3i@mail.gmail.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Content-Type: multipart/alternative; boundary="000e0cd56450905999048706e766"
X-System-Of-Record: true
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 May 2010 13:54:10 -0000
On Wed, May 19, 2010 at 6:33 PM, Manger, James H < James.H.Manger@team.telstra.com> wrote: > Marius, > > > Only direct responses are JSON, form/url encoded > > still has to be used: > > - direct requests > > - through browser requests > > - through browser responses > > - through browser fragment responses > > A better solution would be to change the last two (token info delivered in > a callback URIs) so a single parameter (in the query or fragment) holds all > the token info -- as a base64url-encoded JSON value. > This is really problematic - All implementers will have to properly parse form fields *and* parse JSON (and Base64 decode to boot). - JavaScript clients are likely to have XSS holes. If clients don't execute something like this code (from gadgets.json<http://www.google.com/codesearch/p?hl=en#MSH8LMSqi38/trunk/features/core/json.js&q=io.js%20package:%22http://svn.apache.org/repos/asf/incubator/shindig/%22&d=2>), then they will be exposing themself to XSS. if (/^[\],:{}\s]*$/.test(text.replace(/\\["\\\/b-u]/g, '@'). replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']'). replace(/(?:^|:|,)(?:\s*\[)+/g, ''))) { return eval('(' + text + ')'); } - Developers will not be able to read source directly I'm a fan of Base64 encoding JSON for the purposes of creating a canonicalized string for signing. But this is not a good default transport. > > That is more complicated if you are only delivering a single quantity (eg > just an access_token). However, the difference diminishes as more and more > features are added: expires_in, scope, sites, refresh_token, > access_token_secret, realm, auth_scheme, > whatever-comes-out-of-OpenID-Connect etc. > > A single parameter for token info in callback URIs also reduces the risk of > clashing with client-specific parameters in callback URIs as things are > added in the future (eg the earlier debate about no oauth_ prefix). > > It eliminates the need to force all semantics to fit in a flat key/value > model. This can only get harder as features are added, or extensions are > supported. The OpenID 2.0 approach of namespaces and parameter name prefixes > is not pretty. JSON does not solve this, but its structure helps. > > I wouldn't be surprised if, in some scenarios, the token info gets too big > to fit in a URI. In that case even the user-agent flow will need to make a > direct request to get the token info, which is more likely to be delivered > as JSON. OpenID and SAML have found they need this (eg artefact flows). > > > Please consider this as an open issue for today's meeting: a single > parameter holding a base64url-encode JSON value for packaging token info in > a callback URI. > > -- > James Manger > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… DeWitt Clinton
- [OAUTH-WG] Open Issues: Group Survey (respond by … Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… David Recordon
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Dick Hardt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Manger, James H
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… David Waite
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Joseph Smarr
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Pid
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Mark Mcgloin
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Richer, Justin P.
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Dick Hardt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Mike Moore
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Torsten Lodderstedt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Pid
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Joseph Smarr
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Joseph Smarr
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Robert Sayre
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Torsten Lodderstedt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Pid
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yutaka OIWA
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yutaka OIWA
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Vivek Khurana
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Torsten Lodderstedt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Marius Scurtescu
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Robert Sayre
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Robert Sayre
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Greg Brail
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Torsten Lodderstedt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Kris Selden
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Marius Scurtescu
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Manger, James H
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Evan Gilbert
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Marius Scurtescu
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Manger, James H