IETF Logo Mail Archive

Re: [OAUTH-WG] Issue: Authorization endpoint parameter extension policy

John Kemp <john@jkemp.net> Thu, 15 April 2010 20:49 UTC

Return-Path: <john@jkemp.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BB8983A694A for <oauth@core3.amsl.com>; Thu, 15 Apr 2010 13:49:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.754
X-Spam-Level:
X-Spam-Status: No, score=-1.754 tagged_above=-999 required=5 tests=[AWL=0.511, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1kgQfROVHzhc for <oauth@core3.amsl.com>; Thu, 15 Apr 2010 13:49:01 -0700 (PDT)
Received: from outbound-mail-313.bluehost.com (cpoproxy3-pub.bluehost.com [67.222.54.6]) by core3.amsl.com (Postfix) with SMTP id AB5863A69F3 for <oauth@ietf.org>; Thu, 15 Apr 2010 13:48:59 -0700 (PDT)
Received: (qmail 15838 invoked by uid 0); 15 Apr 2010 20:48:52 -0000
Received: from unknown (HELO box320.bluehost.com) (69.89.31.120) by cpoproxy3.bluehost.com with SMTP; 15 Apr 2010 20:48:51 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=jkemp.net; h=Received:Subject:Mime-Version:Content-Type:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:X-Mailer:X-Identified-User; b=RdI6gICV0QzmYGxs4N+mO68qnYwNsXfulgYDOxOzhFXdnkyxRvikYAGkDIpuYYzEI9pFUTrg0HSfGzrV69Htw5GGubFzMBcRL0Rq81AKLYIi8Eu/lRJjeHCQZNeq/xcc;
Received: from cpe-69-205-56-47.nycap.res.rr.com ([69.205.56.47] helo=[192.168.1.107]) by box320.bluehost.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69) (envelope-from <john@jkemp.net>) id 1O2VzY-0005F2-8j; Thu, 15 Apr 2010 14:48:52 -0600
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset="us-ascii"
From: John Kemp <john@jkemp.net>
In-Reply-To: <t2h74caaad21004151215w3ab17b51n226de7279bb57274@mail.gmail.com>
Date: Thu, 15 Apr 2010 16:48:50 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <A61CD3D5-6B07-4005-855E-13F0165BC317@jkemp.net>
References: <C7ECA88E.32337%eran@hueniverse.com> <36B0D223-725E-4782-BBAE-F1A930C15843@jkemp.net> <t2h74caaad21004151215w3ab17b51n226de7279bb57274@mail.gmail.com>
To: Marius Scurtescu <mscurtescu@google.com>
X-Mailer: Apple Mail (2.1078)
X-Identified-User: {1122:box320.bluehost.com:jkempnet:jkemp.net} {sentby:smtp auth 69.205.56.47 authed with john+jkemp.net}
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Issue: Authorization endpoint parameter extension policy
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Apr 2010 20:49:02 -0000

On Apr 15, 2010, at 3:15 PM, Marius Scurtescu wrote:

> I really think we should keep a standard parameter prefix like
> "oauth_". What are the issue with having a prefix?

I think the downside is the extra bytes on the wire.

The upside is that this might prevent accidental collision with OAuth parameters by people who haven't read the spec. or looked at the registry. 

I don't think it solves all collision problems, which is probably why people don't see it as a high-value thing to do.

> 
> Not having such a prefix will lead to collisions with query parameter
> on the authz server endpoints or on the callback URL. Even if state is
> not passed with additional parameters on callbacks. This also leads to
> adding further limitations on these URLs, by not allowing query
> parameters.

Having a prefix doesn't solve ALL collision possibilities. There is some limited utility in preventing accidental collision by people outside of the OAuth community. The question is whether that is worth the extra bytes. Or are there some other good arguments for or against?

I can see both points of view. Is a possible compromise to make a shorter prefix than 'oauth_' (how about 'oa_' - 3 bytes instead of 6)?

- johnk

> 
> Marius
> 
> 
> 
> On Thu, Apr 15, 2010 at 12:08 PM, John Kemp <john@jkemp.net> wrote:
>> Hello,
>> 
>> On Apr 15, 2010, at 2:27 PM, Eran Hammer-Lahav wrote:
>> 
>>> OAuth 2.0 flows use a single authorization endpoint (with 'type' parameter).
>>> This endpoint is OAuth-specific but must allow for extension parameters
>>> (standard or vendor-specific).
>>> 
>>> The issue is how to best allow for extensions defining new parameters. The
>>> danger is common parameter names ('scope', 'language', 'permission') being
>>> used differently by different vendors, creating interop issues with
>>> libraries.
>> 
>> If the OAuth specification defines the name for a parameter, and people claim to implement the specification, they must use those parameter names according to the specified usage. In other words, implementations of OAuth should all do the same thing, and use the same names for the OAuth-specific parameters. But, deployments of OAuth will use OAuth implementations and possibly have additional requirements (such as passing other query string parameters which may collide with the OAuth ones). And particular OAuth vendors may add other extension parameters (agreed between particular implementations but not perhaps within the entire community) to the query string. All of that might be covered by "conformance to the specification" - conformant implementations MUST not define parameters with names that clash with the agreed OAuth names.
>> 
>>> 
>>> Prefix alone (for the core or extensions) does not solve the problem since
>>> extensions still suffer from potential namespace collision.
>> 
>> Right. You cannot solve this problem. The danger is for those who don't read the spec. (because they don't have to - they are buying a product, or using a library).
>> 
>>> 'oauth_' prefix
>>> makes all the parameter names longer, but doesn't add real value - defining
>>> new parameters, with or without the 'oauth_' prefix is still the same
>>> problem.
>>> 
>>> The typical solution is to define an extension policy, using a registry or
>>> domain-namespace for new names.
>>> 
>>> Proposal:
>>> 
>>> Plain parameter names (names without '.' character) require registration
>>> (IANA registry with a published specification). This will encourage people
>>> to share their parameters and improve interop beyond the core protocol
>>> parameters.
>> 
>> It will - how?
>> 
>>> 
>>> Vendor specific names will require a prefix using either registered vendor
>>> names (e.g. 'google', 'fb', 'yahoo').
>> 
>> How will you *require* this - will there be a statement to that effect in the specification - "conformant implementations MUST NOT define query parameters that clash withe names int he OAuth registry "? What will you do about deployments which include an OAuth library and do not know anything at all about the OAuth requirements?
>> 
>>> Alternatively, use the same extension
>>> policy as OpenID where extensions use any prefix and include a prefix URI
>>> identifier (e.g.
>>> http://example.com?etx.language=en&ns:ext=http://example.com/spec1).
>>> 
>> 
>> What do you consider an "extension" for this purpose (some parameter agreed on by two or more conforming OAuth implementations)?
>> 
>> - johnk
>> 
>>> EHL
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>

v2.23.0 | Report a Bug | By Email