IETF Logo Mail Archive

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

Joseph Smarr <jsmarr@gmail.com> Mon, 10 May 2010 22:38 UTC

Return-Path: <jsmarr@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7D9AD28C210 for <oauth@core3.amsl.com>; Mon, 10 May 2010 15:38:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.718
X-Spam-Level:
X-Spam-Status: No, score=-0.718 tagged_above=-999 required=5 tests=[AWL=-0.720, BAYES_50=0.001, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jqdzg8y7R2g6 for <oauth@core3.amsl.com>; Mon, 10 May 2010 15:38:46 -0700 (PDT)
Received: from mail-pz0-f200.google.com (mail-pz0-f200.google.com [209.85.222.200]) by core3.amsl.com (Postfix) with ESMTP id AC8FF28C20F for <oauth@ietf.org>; Mon, 10 May 2010 15:38:46 -0700 (PDT)
Received: by pzk38 with SMTP id 38so2145723pzk.31 for <oauth@ietf.org>; Mon, 10 May 2010 15:38:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:received:reply-to :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; bh=be+4r5gOtMfMpNIlCJAsfDaaLwD/e0JjmjPG6mLbgyQ=; b=trZFLzzxqmNinmF/SZOJ8NnIcwuEmaeJS/oOsJSorIZ1MkYcrjmE33AoR5YZdMHqI5 4RugpYtj0F59E/cUMf4gv852vrU2Bk8dhrHAsbf0WU4R3WdJgcjkBnPh9yRMU8zjFer8 KOfH/MAdaOZo6mbiFMoaGIb6Utzf503aVK6nQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:reply-to:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; b=KfIR4Hh6S/azCjya3orWsXYGozpf1UQ67k0J7kmQ4hZsfvrejRAEkBdTJk78XF04kX j9mDg/olhiIkT9qdYVSWzOFKNvgcqxX9rr5wzkLcGQQDRSj24L0uT04oSeJJWFlURFsj KnknUoHJr5mF1D48mMP++NDq/e1cuIXuO3e9U=
Received: by 10.142.9.10 with SMTP id 10mr3073324wfi.42.1273531113122; Mon, 10 May 2010 15:38:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.143.2.7 with HTTP; Mon, 10 May 2010 15:38:13 -0700 (PDT)
In-Reply-To: <AANLkTinGoYkCVO54eHCjPJmkYAC_IEmki_lJMCNPHseB@mail.gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E1C@P3PW5EX1MB01.EX1.SECURESERVER.NET> <C2C2CB2C-F8A9-4713-A74F-558CC7278D1C@alkaline-solutions.com> <v2mc334d54e1005092357xa9a5fa2en78210a50221815df@mail.gmail.com> <4BE7BF9A.2050209@pidster.com> <1222443C-7C2C-49C4-B03A-4E760538B4BB@gmail.com> <4BE85186.1080401@pidster.com> <AANLkTinGoYkCVO54eHCjPJmkYAC_IEmki_lJMCNPHseB@mail.gmail.com>
From: Joseph Smarr <jsmarr@gmail.com>
Date: Mon, 10 May 2010 15:38:13 -0700
Message-ID: <AANLkTin-KnVFPWn6wKJC1kMt0COHa0MZVB7-CXX7TUc9@mail.gmail.com>
To: pid@pidster.com
Content-Type: multipart/alternative; boundary="00504502b4989bae220486451121"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: jsmarr@stanfordalumni.org
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2010 22:38:48 -0000

Oh, one other quick benefit of JSON (kind of an extension of point 1 below):

- no ambiguous treatment of whitespace or newlines (this is a problem I've
observed multiple times while helping developers debug OAuth 1.0
implementations--since they just split on & and =, they often don't trim
extra whitespace or newlines that were returned by the server, leading to
those spaces/newlines being part of the parsed attribute values, which then
cause broken signatures and are very hard to debug, since the chars are
invisible when printed). Not a problem with JSON.

On Mon, May 10, 2010 at 3:35 PM, Joseph Smarr <jsmarr@gmail.com> wrote:

> Let me try to offer some of those "logical, positive statements in favour
> of the technical merits of JSON over the original format choice" for those
> that aren't familiar or haven't gleaned them from the thread thus far:
>
> - unambiguous spec for encoding/decoding (including how to represent spaces
> and unicode chars, both of which are common points of ambiguity in
> url-encoding that lead to bugs, confusion, and lack of ability to use
> built-in libraries, if available). For example, the OAuth PHP library does
> the following: return str_replace('+', ' ', str_replace('%7E', '~',
> rawurlencode($input)) -- yuck!
>
> - easier to read the encoded format (because it has clear sentinel braces,
> quoted attributes, and no url-encoding of parameters; only some backslashing
> of reserved chars)
>
> - widely available libraries with good track records in the wild, and
> increasingly built in to many platforms
>
> - extensible support for more representing more complex data structures in
> the future, if needed
>
> - simple enough that it's easy to understand, but just complex enough that
> it's not too tempting to roll your own parser (which leads empirically to
> better compliance due to use of common libraries)
>
> - more likely to be recognized and understood by developers, since they've
> seen it elsewhere in API response formats
>
> I think that about covers it. Again, it's an objective fact that
> url-encoding has caused confusion and bugs in OAuth 1.0 implementations, and
> it's also an objective fact that JSON has had a very high "just works" rate
> in the wild, to the point that it's the default API response format for many
> widely used APIs from large providers targeting many platforms. So this is
> not a choice based on "fashion", but based on trying to learn from history
> to increase developer success and remove the opportunity for subtle bugs,
> which was one of the major problems with OAuth 1.0a that prompted us to work
> on OAuth 2.0 in the first place.
>
> Thanks, js
>
> On Mon, May 10, 2010 at 11:33 AM, Pid <pid@pidster.com> wrote:
>
>> On 10/05/2010 15:56, Dick Hardt wrote:
>> >
>> > On 2010-05-10, at 1:11 AM, Pid wrote:
>> >
>> >> On 10/05/2010 07:57, Joseph Smarr wrote:
>> >>>> 1. Server Response Format
>> >>>
>> >>> I vote for B, though I could live with C. (A would make me sad though)
>> >>>
>> >>> We've had a healthy and reasonable debate about the trade-offs here,
>> but
>> >>> I think the main counterargument for requiring JSON support is that
>> it's
>> >>> not quite yet a "no-brainer" to have JSON support in all environments
>> >>> (e.g. iPhone libraries currently would need to statically link in an
>> >>> available JSON library), whereas the counterarguments for A are the
>> >>> well-documented problems properly decoding url-encoded params from
>> OAuth
>> >>> 1.0, plus the fact that it's not a common response format, whereas
>> JSON
>> >>> (and XML) are. Since I think JSON will continue to increase in use for
>> >>> at least the next several years, the pain associated with requiring
>> JSON
>> >>> is likely to be  higher now than it will be in the future, and it's
>> >>> already low enough that we've had this debate about whether it's
>> already
>> >>> acceptable or not-quite-yet. And JSON has been proven to "just work"
>> in
>> >>> terms of avoiding encoding/decoding headaches in the wild, which for
>> >>> something like OAuth is really critical.
>> >>
>> >> I don't believe this is an accurate summary.
>> >
>> > Are you saying the information is not accurate or not a complete
>> summary?
>> >
>> >>
>> >> I asked for someone in the pro-JSON camp to describe the technical
>> >> merits of that format over url encoded, but to date, there's no one who
>> >> has responded.
>> >
>> > per http://www.ietf.org/mail-archive/web/oauth/current/msg01992.html
>>
>> Is that the right message?  There's not much in the way of positive
>> arguments for JSON in that one.
>>
>>
>> > client libraries exist to parse JSON responses
>>
>> Meaning a dependency.
>>
>>
>> > client libraries do NOT exist to parse url encoded responses
>>
>> There aren't libraries to perform that type of decoding because it's
>> trivial, (as you acknowledged).
>>
>>
>> > Implementations of both OAuth 1.0 and WRAP improperly decoded the
>> responses.
>> > Also with reference to: "many developers have been caught just
>> splitting the parameters and forgetting to URL decode the token"
>>
>> With respect, I think this is pretty close to a straw man.  It would be
>> just as easy to argue that developers will make a mess of parsing JSON.
>>
>>
>>
>> Everyone seems to have, (in some cases grudgingly), agreed that it's
>> easier to decode/parse urlencoded data than JSON.
>>
>> There are definitely occasions when using JSON for data description &
>> transmission is advantageous, I just don't think this is one of them.
>> It's a proverbial sledgehammer for a tiny OAuth nut.
>>
>>
>> There should be something positive to say about JSON that establishes
>> why it is a better format for this purpose.
>>
>>
>> >> The options we've been offered seem contrived to support JSON,
>> >
>> > would you elaborate on why you think the options presented by the editor
>> were contrived?
>>
>> Sure.  Two of them offer JSON as the default, including the putative
>> 'compromise' option.
>>
>> JSON and XML add complexity, as the editor states.  IMHO it's odd
>> therefore not to select the least complex as the default, if multiple
>> formats are offered.
>>
>>
>>
>> I appreciate that JSON is popular and there is a degree of devil's
>> advocacy to my position here, (as I've already said), but if it's not
>> possible to make a list of logical, positive statements in favour of the
>> technical merits of JSON over the original format choice then it
>> shouldn't be selected as the default.
>>
>>
>> p
>>
>>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>

v2.23.0 | Report a Bug | By Email