Re: [OAUTH-WG] What to do about 'realm'
Yaron Goland <yarong@microsoft.com> Tue, 13 July 2010 16:46 UTC
Return-Path: <yarong@microsoft.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E4B5F3A6B2D for <oauth@core3.amsl.com>; Tue, 13 Jul 2010 09:46:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.339
X-Spam-Level:
X-Spam-Status: No, score=-11.339 tagged_above=-999 required=5 tests=[AWL=1.260, BAYES_00=-2.599, GB_I_LETTER=-2, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8-SffDV7qck6 for <oauth@core3.amsl.com>; Tue, 13 Jul 2010 09:46:35 -0700 (PDT)
Received: from smtp.microsoft.com (mailb.microsoft.com [131.107.115.215]) by core3.amsl.com (Postfix) with ESMTP id B811A3A6B2B for <oauth@ietf.org>; Tue, 13 Jul 2010 09:46:35 -0700 (PDT)
Received: from TK5EX14MLTC102.redmond.corp.microsoft.com (157.54.79.180) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.2.176.0; Tue, 13 Jul 2010 09:46:44 -0700
Received: from TK5EX14MBXC113.redmond.corp.microsoft.com ([169.254.6.44]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.01.0180.004; Tue, 13 Jul 2010 09:46:44 -0700
From: Yaron Goland <yarong@microsoft.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, Robert Sayre <sayrer@gmail.com>
Thread-Topic: [OAUTH-WG] What to do about 'realm'
Thread-Index: AcsWZA3VaAGfBKT6Rq+fJ1qCaXCqogKnLTUAABpFMgAABm2JgAAKYjcAAD86ilA=
Date: Tue, 13 Jul 2010 16:46:40 +0000
Message-ID: <7C01E631FF4B654FA1E783F1C0265F8C5F991033@TK5EX14MBXC113.redmond.corp.microsoft.com>
References: <AANLkTil8wp2A6JN_td7hwSAttPH6dG_U6PPakb6-vlsb@mail.gmail.com> <C85FDA20.3701A%eran@hueniverse.com>
In-Reply-To: <C85FDA20.3701A%eran@hueniverse.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.123.12]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] What to do about 'realm'
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2010 16:46:37 -0000
As defined in section 4.2 of RFC 2616 the only characters legally allowed in a HTTP header are a fairly small subset of ASCII. So if we want to shove in Unicode characters they will have to be encoded in a form that only uses characters that are legal in the subset of ASCII supported by HTTP. > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Eran Hammer-Lahav > Sent: Sunday, July 11, 2010 8:29 PM > To: Robert Sayre > Cc: OAuth WG > Subject: Re: [OAUTH-WG] What to do about 'realm' > > > > > On 7/11/10 3:32 PM, "Robert Sayre" <sayrer@gmail.com> wrote: > > > On Sun, Jul 11, 2010 at 12:27 PM, Eran Hammer-Lahav > > <eran@hueniverse.com> > > wrote: > >> [this has noting to do with realm] > >> > >> Any solution should be: > >> > >> - Extensible we removed the few discovery parameters from the core > >> spec due to lack of maturity and consensus. However, we clearly have > >> enough strong interest in reintroducing them as extensions. The > >> WWW-Authenticate header is the natural place to include them. > > > > This is true. I thought it obvious that implementations would be > > required to deal with text after the "OAuth2" string. > > Yes. We need a format that can be extended. Of course, using JSON means > much richer extensibility which needs some adjustment in the registry > (maybe only require registration for top level object names?). > > >> - Human-friendly I think being able to look at the header and > >> immediately see what it means is useful. > > > > I'm not sure this is valuable, but it is possible to accomodate the > > concern anyway. I use a protocol analyzer, like WireShark. > > I think being able to curl a site and work your way manually is useful and > something that was a stated goal when we started collecting 2.0 > requirements. This was one of the reasons why the bearer token approach > was so attractive to so many people. > > >> Is there a JSON profile suitable for inclusion in HTTP headers? I > >> would like to avoid BASE64 when a person is likely to take a look at > >> the header. Otherwise debugging and command line interaction become > >> impractical. > > > > The WG could specify that all control characters and non-ASCII text > > within the JSON text be escaped. base64 adds overhead to the endeavor, > > so it's probably best to avoid it, because most of the bits will be > > ASCII anyway. > > Works for me. > > > If browser clients need to set headers in the same manner, this could > > be more inconvenient, because the JSON serializers shipping in > > browsers today don't support requiring that the produced text be > > escaped. This can be done as a follow-up pass, though. [0] > > I am not worried about client requests because there is less to debug on that > side (most issues are when the client is trying to debug on its side and can > easily add helpful information locally). I want to make sure that the server > response using the WWW-Authenticate header is plain-text and not some > encoded blob. > > However, we still need to worry about HTTP header restrictions and I am not > sure what a browser will do when you try to set an HTTP header with non- > ascii characters. > > > Using a JSON serialization neatly sidesteps several i18n issues. If > > you go with traditional HTTP header syntax, you'll need to deal with > > that some other way. btw, it just so happens that internationalization > > of Realm values is a bug in most RFC2617 implemenations. > > It would be great to avoid having to use stuff like draft-reschke-rfc2231-in- > http, but that seems to be the current solution. > > EHL > > > > > [0] (I happen to be on the ECMAScript committee, and I can be blamed > > for Mozilla's native JSON object. It would be technically easy to add > > a JSON.stringifyAsASCII() method, and I think the committee will go > > for it.) > > > > > > > > -- > > > > Robert Sayre > > > > "I would have written a shorter letter, but I did not have the time." > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] What to do about 'realm' Eran Hammer-Lahav
- Re: [OAUTH-WG] What to do about 'realm' Dick Hardt
- [OAUTH-WG] What to do about 'realm' Eran Hammer-Lahav
- Re: [OAUTH-WG] What to do about 'realm' Lukas Rosenstock
- Re: [OAUTH-WG] What to do about 'realm' Pid
- Re: [OAUTH-WG] What to do about 'realm' William Mills
- Re: [OAUTH-WG] What to do about 'realm' Torsten Lodderstedt
- Re: [OAUTH-WG] What to do about 'realm' Yaron Goland
- Re: [OAUTH-WG] What to do about 'realm' Brian Eaton
- Re: [OAUTH-WG] What to do about 'realm' Robert Sayre
- Re: [OAUTH-WG] What to do about 'realm' Eran Hammer-Lahav
- Re: [OAUTH-WG] What to do about 'realm' Manger, James H
- Re: [OAUTH-WG] What to do about 'realm' Eve Maler
- Re: [OAUTH-WG] What to do about 'realm' Robert Sayre
- Re: [OAUTH-WG] What to do about 'realm' Eran Hammer-Lahav
- Re: [OAUTH-WG] What to do about 'realm' William Mills
- Re: [OAUTH-WG] What to do about 'realm' Yaron Goland
- Re: [OAUTH-WG] What to do about 'realm' Robert Sayre
- Re: [OAUTH-WG] What to do about 'realm' Yaron Goland
- Re: [OAUTH-WG] What to do about 'realm' Brian Eaton
- Re: [OAUTH-WG] What to do about 'realm' Eran Hammer-Lahav