IETF Logo Mail Archive

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

Greg Brail <gbrail@sonoasystems.com> Fri, 14 May 2010 01:57 UTC

Return-Path: <gbrail@sonoasystems.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 46A4E3A67B3 for <oauth@core3.amsl.com>; Thu, 13 May 2010 18:57:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.159
X-Spam-Level:
X-Spam-Status: No, score=0.159 tagged_above=-999 required=5 tests=[AWL=-0.464, BAYES_50=0.001, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dTpbnKoDcuvf for <oauth@core3.amsl.com>; Thu, 13 May 2010 18:56:59 -0700 (PDT)
Received: from mail-qy0-f190.google.com (mail-qy0-f190.google.com [209.85.221.190]) by core3.amsl.com (Postfix) with ESMTP id 2AF783A67AD for <oauth@ietf.org>; Thu, 13 May 2010 18:56:59 -0700 (PDT)
Received: by qyk28 with SMTP id 28so2212755qyk.27 for <oauth@ietf.org>; Thu, 13 May 2010 18:56:44 -0700 (PDT)
Received: by 10.224.105.80 with SMTP id s16mr134922qao.337.1273802204668; Thu, 13 May 2010 18:56:44 -0700 (PDT)
From: Greg Brail <gbrail@sonoasystems.com>
References: <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E1C@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E1C@P3PW5EX1MB01.EX1.SECURESERVER.NET>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acrvu4cfH3LKPgwRQV+7sW5YxUA1vADTDuPw
Date: Thu, 13 May 2010 21:56:42 -0400
Message-ID: <2e28a7cd36dc27dbf7ebe6d0d99fa516@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 May 2010 01:57:00 -0000

I'm sorry that I'm late on this but for what it's worth:

Server Response Format: I prefer A (form-encoded only). It's the simplest
solution that requires the least amount of client-side technology. JSON is
too complex a spec for simply encoding a set of flat key-value parameters
when where is already a well-established way to do this today in the HTTP
spec. My second preference is B (JSON only).

Client authentication: OAuth 1.0a was fine with authentication explicitly
expressed in the headers and I think 2.0 should stay the same.

More importantly, however -- I think that the spec should try to keep
things simple rather than offer multiple choice on many different aspects
of the implementation. The world is full of complicated specs and it's
always easier to keep adding options than to choose one of several
alternatives. Better to pick one that works well enough for everyone
rather than to keep adding choices to satisfy special cases that may or
may not be important in the future.

So in either of those cases, if Eran or whoemever is so empowered were to
choose, for example, "JSON only" and "HTTP basic only," then I would
support both choices over a set of options even though in both cases
neither is my first choice.

				greg

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
Eran Hammer-Lahav
Sent: Sunday, May 09, 2010 5:07 PM
To: OAuth WG (oauth@ietf.org)
Subject: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

DEADLINE: 5/13

I would like to publish one more draft before our interim meeting in two
weeks (5/20). Below are two open issues we have on the list. Please reply
with your preference (or additional solutions) to each item. Issues with
consensus will be incorporated into the next draft. Those without will be
discussed at the meeting.

EHL

---

1. Server Response Format

After extensive debate, we have a large group in favor of using JSON as
the only response format (current draft). We also have a smaller group but
with stronger feelings on the subject that JSON adds complexity with no
obvious value.

A. Form-encoded only (original draft)
B. JSON only (current draft)
C. JSON as default with form-encoded and XML available with an optional
request parameter

---

2. Client Authentication (in flows)

How should the client authenticate when making token requests? The current
draft defines special request parameters for sending client credentials.
Some have argued that this is not the correct way, and that the client
should be using existing HTTP authentication schemes to accomplish that
such as Basic.

A. Client authenticates by sending its credentials using special
parameters (current draft)
B. Client authenticated by using HTTP Basic (or other schemes supported by
the server such as Digest)


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email