Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
Joseph Smarr <jsmarr@gmail.com> Mon, 10 May 2010 22:38 UTC
Return-Path: <jsmarr@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7D9AD28C210 for <oauth@core3.amsl.com>; Mon, 10 May 2010 15:38:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.718
X-Spam-Level:
X-Spam-Status: No, score=-0.718 tagged_above=-999 required=5 tests=[AWL=-0.720, BAYES_50=0.001, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jqdzg8y7R2g6 for <oauth@core3.amsl.com>; Mon, 10 May 2010 15:38:46 -0700 (PDT)
Received: from mail-pz0-f200.google.com (mail-pz0-f200.google.com [209.85.222.200]) by core3.amsl.com (Postfix) with ESMTP id AC8FF28C20F for <oauth@ietf.org>; Mon, 10 May 2010 15:38:46 -0700 (PDT)
Received: by pzk38 with SMTP id 38so2145723pzk.31 for <oauth@ietf.org>; Mon, 10 May 2010 15:38:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:received:reply-to :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; bh=be+4r5gOtMfMpNIlCJAsfDaaLwD/e0JjmjPG6mLbgyQ=; b=trZFLzzxqmNinmF/SZOJ8NnIcwuEmaeJS/oOsJSorIZ1MkYcrjmE33AoR5YZdMHqI5 4RugpYtj0F59E/cUMf4gv852vrU2Bk8dhrHAsbf0WU4R3WdJgcjkBnPh9yRMU8zjFer8 KOfH/MAdaOZo6mbiFMoaGIb6Utzf503aVK6nQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:reply-to:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; b=KfIR4Hh6S/azCjya3orWsXYGozpf1UQ67k0J7kmQ4hZsfvrejRAEkBdTJk78XF04kX j9mDg/olhiIkT9qdYVSWzOFKNvgcqxX9rr5wzkLcGQQDRSj24L0uT04oSeJJWFlURFsj KnknUoHJr5mF1D48mMP++NDq/e1cuIXuO3e9U=
Received: by 10.142.9.10 with SMTP id 10mr3073324wfi.42.1273531113122; Mon, 10 May 2010 15:38:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.143.2.7 with HTTP; Mon, 10 May 2010 15:38:13 -0700 (PDT)
In-Reply-To: <AANLkTinGoYkCVO54eHCjPJmkYAC_IEmki_lJMCNPHseB@mail.gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E1C@P3PW5EX1MB01.EX1.SECURESERVER.NET> <C2C2CB2C-F8A9-4713-A74F-558CC7278D1C@alkaline-solutions.com> <v2mc334d54e1005092357xa9a5fa2en78210a50221815df@mail.gmail.com> <4BE7BF9A.2050209@pidster.com> <1222443C-7C2C-49C4-B03A-4E760538B4BB@gmail.com> <4BE85186.1080401@pidster.com> <AANLkTinGoYkCVO54eHCjPJmkYAC_IEmki_lJMCNPHseB@mail.gmail.com>
From: Joseph Smarr <jsmarr@gmail.com>
Date: Mon, 10 May 2010 15:38:13 -0700
Message-ID: <AANLkTin-KnVFPWn6wKJC1kMt0COHa0MZVB7-CXX7TUc9@mail.gmail.com>
To: pid@pidster.com
Content-Type: multipart/alternative; boundary="00504502b4989bae220486451121"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: jsmarr@stanfordalumni.org
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2010 22:38:48 -0000
Oh, one other quick benefit of JSON (kind of an extension of point 1 below): - no ambiguous treatment of whitespace or newlines (this is a problem I've observed multiple times while helping developers debug OAuth 1.0 implementations--since they just split on & and =, they often don't trim extra whitespace or newlines that were returned by the server, leading to those spaces/newlines being part of the parsed attribute values, which then cause broken signatures and are very hard to debug, since the chars are invisible when printed). Not a problem with JSON. On Mon, May 10, 2010 at 3:35 PM, Joseph Smarr <jsmarr@gmail.com> wrote: > Let me try to offer some of those "logical, positive statements in favour > of the technical merits of JSON over the original format choice" for those > that aren't familiar or haven't gleaned them from the thread thus far: > > - unambiguous spec for encoding/decoding (including how to represent spaces > and unicode chars, both of which are common points of ambiguity in > url-encoding that lead to bugs, confusion, and lack of ability to use > built-in libraries, if available). For example, the OAuth PHP library does > the following: return str_replace('+', ' ', str_replace('%7E', '~', > rawurlencode($input)) -- yuck! > > - easier to read the encoded format (because it has clear sentinel braces, > quoted attributes, and no url-encoding of parameters; only some backslashing > of reserved chars) > > - widely available libraries with good track records in the wild, and > increasingly built in to many platforms > > - extensible support for more representing more complex data structures in > the future, if needed > > - simple enough that it's easy to understand, but just complex enough that > it's not too tempting to roll your own parser (which leads empirically to > better compliance due to use of common libraries) > > - more likely to be recognized and understood by developers, since they've > seen it elsewhere in API response formats > > I think that about covers it. Again, it's an objective fact that > url-encoding has caused confusion and bugs in OAuth 1.0 implementations, and > it's also an objective fact that JSON has had a very high "just works" rate > in the wild, to the point that it's the default API response format for many > widely used APIs from large providers targeting many platforms. So this is > not a choice based on "fashion", but based on trying to learn from history > to increase developer success and remove the opportunity for subtle bugs, > which was one of the major problems with OAuth 1.0a that prompted us to work > on OAuth 2.0 in the first place. > > Thanks, js > > On Mon, May 10, 2010 at 11:33 AM, Pid <pid@pidster.com> wrote: > >> On 10/05/2010 15:56, Dick Hardt wrote: >> > >> > On 2010-05-10, at 1:11 AM, Pid wrote: >> > >> >> On 10/05/2010 07:57, Joseph Smarr wrote: >> >>>> 1. Server Response Format >> >>> >> >>> I vote for B, though I could live with C. (A would make me sad though) >> >>> >> >>> We've had a healthy and reasonable debate about the trade-offs here, >> but >> >>> I think the main counterargument for requiring JSON support is that >> it's >> >>> not quite yet a "no-brainer" to have JSON support in all environments >> >>> (e.g. iPhone libraries currently would need to statically link in an >> >>> available JSON library), whereas the counterarguments for A are the >> >>> well-documented problems properly decoding url-encoded params from >> OAuth >> >>> 1.0, plus the fact that it's not a common response format, whereas >> JSON >> >>> (and XML) are. Since I think JSON will continue to increase in use for >> >>> at least the next several years, the pain associated with requiring >> JSON >> >>> is likely to be higher now than it will be in the future, and it's >> >>> already low enough that we've had this debate about whether it's >> already >> >>> acceptable or not-quite-yet. And JSON has been proven to "just work" >> in >> >>> terms of avoiding encoding/decoding headaches in the wild, which for >> >>> something like OAuth is really critical. >> >> >> >> I don't believe this is an accurate summary. >> > >> > Are you saying the information is not accurate or not a complete >> summary? >> > >> >> >> >> I asked for someone in the pro-JSON camp to describe the technical >> >> merits of that format over url encoded, but to date, there's no one who >> >> has responded. >> > >> > per http://www.ietf.org/mail-archive/web/oauth/current/msg01992.html >> >> Is that the right message? There's not much in the way of positive >> arguments for JSON in that one. >> >> >> > client libraries exist to parse JSON responses >> >> Meaning a dependency. >> >> >> > client libraries do NOT exist to parse url encoded responses >> >> There aren't libraries to perform that type of decoding because it's >> trivial, (as you acknowledged). >> >> >> > Implementations of both OAuth 1.0 and WRAP improperly decoded the >> responses. >> > Also with reference to: "many developers have been caught just >> splitting the parameters and forgetting to URL decode the token" >> >> With respect, I think this is pretty close to a straw man. It would be >> just as easy to argue that developers will make a mess of parsing JSON. >> >> >> >> Everyone seems to have, (in some cases grudgingly), agreed that it's >> easier to decode/parse urlencoded data than JSON. >> >> There are definitely occasions when using JSON for data description & >> transmission is advantageous, I just don't think this is one of them. >> It's a proverbial sledgehammer for a tiny OAuth nut. >> >> >> There should be something positive to say about JSON that establishes >> why it is a better format for this purpose. >> >> >> >> The options we've been offered seem contrived to support JSON, >> > >> > would you elaborate on why you think the options presented by the editor >> were contrived? >> >> Sure. Two of them offer JSON as the default, including the putative >> 'compromise' option. >> >> JSON and XML add complexity, as the editor states. IMHO it's odd >> therefore not to select the least complex as the default, if multiple >> formats are offered. >> >> >> >> I appreciate that JSON is popular and there is a degree of devil's >> advocacy to my position here, (as I've already said), but if it's not >> possible to make a list of logical, positive statements in favour of the >> technical merits of JSON over the original format choice then it >> shouldn't be selected as the default. >> >> >> p >> >> >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… DeWitt Clinton
- [OAUTH-WG] Open Issues: Group Survey (respond by … Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… David Recordon
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Dick Hardt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Manger, James H
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… David Waite
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Joseph Smarr
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Pid
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Mark Mcgloin
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Richer, Justin P.
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Dick Hardt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Mike Moore
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Torsten Lodderstedt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Pid
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Joseph Smarr
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Joseph Smarr
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Robert Sayre
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Torsten Lodderstedt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Pid
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yutaka OIWA
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yutaka OIWA
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Vivek Khurana
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Torsten Lodderstedt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Marius Scurtescu
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Robert Sayre
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Robert Sayre
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Greg Brail
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Torsten Lodderstedt
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Kris Selden
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Yaron Goland
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Marius Scurtescu
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Manger, James H
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Eran Hammer-Lahav
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Evan Gilbert
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Marius Scurtescu
- Re: [OAUTH-WG] Open Issues: Group Survey (respond… Manger, James H