IETF Logo Mail Archive

Re: [webfinger] feedback for multiple "rel"

Mike Jones <Michael.Jones@microsoft.com> Mon, 24 December 2012 00:58 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: webfinger@ietfa.amsl.com
Delivered-To: webfinger@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9406821F8432 for <webfinger@ietfa.amsl.com>; Sun, 23 Dec 2012 16:58:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[AWL=-1.036, BAYES_00=-2.599, HTML_MESSAGE=0.001, HTTP_ESCAPED_HOST=0.134, J_CHICKENPOX_33=0.6, J_CHICKENPOX_36=0.6, J_CHICKENPOX_44=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Tt4jcYSqq0d for <webfinger@ietfa.amsl.com>; Sun, 23 Dec 2012 16:58:42 -0800 (PST)
Received: from NA01-BY2-obe.outbound.protection.outlook.com (na01-by2-obe.ptr.protection.outlook.com [207.46.100.26]) by ietfa.amsl.com (Postfix) with ESMTP id 5692221F84A1 for <webfinger@ietf.org>; Sun, 23 Dec 2012 16:58:42 -0800 (PST)
Received: from BL2FFO11FD013.protection.gbl (10.173.161.201) by BL2FFO11HUB006.protection.gbl (10.173.160.226) with Microsoft SMTP Server (TLS) id 15.0.586.12; Mon, 24 Dec 2012 00:58:38 +0000
Received: from TK5EX14HUBC104.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD013.mail.protection.outlook.com (10.173.160.221) with Microsoft SMTP Server (TLS) id 15.0.586.12 via Frontend Transport; Mon, 24 Dec 2012 00:58:38 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.59]) by TK5EX14HUBC104.redmond.corp.microsoft.com ([157.54.80.25]) with mapi id 14.02.0318.003; Mon, 24 Dec 2012 00:58:37 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: nov matake <matake@gmail.com>, "Paul E.Jones" <paulej@packetizer.com>
Thread-Topic: [webfinger] feedback for multiple "rel"
Thread-Index: AQHN3/+eSie8sTWSRUKfpZnUR5r31Zgk9oGAgAAHtICAAILKAIAADi0AgAALAgCAAAKdgIAACYuAgAAiF4CAAAKvAIAAApoAgAFTkDA=
Date: Mon, 24 Dec 2012 00:58:36 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436699FA11@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <58036BAD-2161-4420-A724-343883F627B7@gmail.com> <CAKaEYhKGP0aMxsStNxTfYy3D=TbrnwtCVNz3yF3Su0TVkBXrOQ@mail.gmail.com> <7E9916BF-8D64-4F61-A40F-3A74533AEFD2@gmail.com> <001101cde0a0$7fda6220$7f8f2660$@packetizer.com> <CABP7RbcswbV=38LVZJobn5m6jJFW5N_a1O+8BkXu-S5+ixyKNA@mail.gmail.com> <004d01cde0ad$175b5d00$46121700$@packetizer.com> <57CE8BD9-286D-460E-92D8-E4E64C3377D0@gmail.com> <006601cde0b3$2bb9ff30$832dfd90$@packetizer.com> <9D326871-8C8D-41A7-A6E0-A4E45FA75E09@gmail.com> <00a501cde0c5$8fb5d510$af217f30$@packetizer.com> <A04A363D-623E-47D5-8322-2F0899E76656@gmail.com>
In-Reply-To: <A04A363D-623E-47D5-8322-2F0899E76656@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.34]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436699FA11TK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(24454001)(69234002)(377454001)(479174001)(47446002)(59766001)(33656001)(74662001)(51856001)(56816002)(49866001)(4396001)(15202345001)(74502001)(31966008)(46102001)(54316002)(56776001)(16236675001)(512954001)(5343635001)(5343655001)(50986001)(44976002)(16406001)(15395725002)(16601075001)(47976001)(77982001)(76482001)(550184003)(53806001)(54356001)(47736001)(55846006); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB006; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0705EB1700
Cc: "webfinger@ietf.org" <webfinger@ietf.org>, 'James M Snell' <jasnell@gmail.com>, 'Melvin Carvalho' <melvincarvalho@gmail.com>, 'Dick Hardt' <dick.hardt@gmail.com>
Subject: Re: [webfinger] feedback for multiple "rel"
X-BeenThere: webfinger@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of the Webfinger protocol proposal in the Applications Area <webfinger.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webfinger>, <mailto:webfinger-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/webfinger>
List-Post: <mailto:webfinger@ietf.org>
List-Help: <mailto:webfinger-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webfinger>, <mailto:webfinger-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Dec 2012 00:58:47 -0000

A few thoughts after reading this thread.  First, while space-separating values worked for OAuth scopes (because scope values were a new thing and we could just prohibit them from containing spaces) it wouldn't work as well for "rel" values, since URIs are not a new thing and we can't prohibit them from containing spaces (when represented as %20).  So I believe that the change to use multiple "rel" parameter instead was a good one, and one well supported by the reasoning in the earlier thread on this topic.

To Nov's particular issue, a few thoughts come to mind.  First "rel" is an optimization.  It's legal for a server to ignore all "rel" values and just return everything.  That would be a very simple, if inelegant, solution to the Rails issue you're facing, Nov.

Second, if the work you're doing is scoped to just supporting OpenID Connect discovery, you will never have to support multiple "rel" values.  You'll only be receiving requests without "rel" or with a single "rel" parameter of the form rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer.  If you're never going to receive multiple "rel" parameters, you can ignore the Rails issue.  Again - inelegant, but practically workable.

                                                            Cheers,
                                                            -- Mike

From: webfinger-bounces@ietf.org [mailto:webfinger-bounces@ietf.org] On Behalf Of nov matake
Sent: Saturday, December 22, 2012 8:35 PM
To: Paul E.Jones
Cc: webfinger@ietf.org; 'James M Snell'; 'Melvin Carvalho'; 'Dick Hardt'
Subject: Re: [webfinger] feedback for multiple "rel"

Developers who uses my library in their rails project would use that function.
I can't stop them.

Of course, I can ask developers to give raw request object (which includes raw requested url, cookies etc) to my library.
But developers will feel weird to give raw request object only for multiple rel case, I think.

====
# put raw request object
WebFinger.discover @request

# put resource & rel only (I prefer this one)
WebFinger.discover params[:resource], params[:rel]
====

On 2012/12/23, at 13:25, Paul E. Jones <paulej@packetizer.com<mailto:paulej@packetizer.com>> wrote:


Nov,

Do you absolutely need to use that particular function?  It appears that it returns an associative array where the values are not array (unlike the "cgi" code).  So, if using it is required, this will certainly present a challenge.

I would assume WF is not the first thing to use multiple parameters with the same name.  This has not been encountered before?

Paul

From: nov matake [mailto:matake@gmail.com<http://gmail.com>]
Sent: Saturday, December 22, 2012 11:16 PM
To: Paul E. Jones
Cc: 'Dick Hardt'; 'James M Snell'; webfinger@ietf.org<mailto:webfinger@ietf.org>; 'Melvin Carvalho'
Subject: Re: [webfinger] feedback for multiple "rel"

CGI library handle it well.
It returns query values as array even when it's a single value though.

So the issue is Rails (actually it uses Rack::Utils.parse_nested_query) only.
It takes only the last "rel" value.

> require 'rack'
> Rack::Utils.parse_nested_query "rel=a&rel=b"
=> {"rel"=>"b"}


On 2012/12/23, at 11:13, "Paul E. Jones" <paulej@packetizer.com<mailto:paulej@packetizer.com>> wrote:



Dick, Nov,

I've never written a Ruby program before, but I was quite curious as to whether it was or was not possible to access multiple "rel" parameters.  It appears that is.  Here's my first Ruby program (and my apologies to the developers of Ruby):

#!/bin/ruby

require 'cgi'

cgi = CGI.new

params = cgi.params

# Following appears to show an associative array with values that are arrays
puts params;

# Grab the 'rel' array
rels = params['rel'];

# Display the array
puts rels;

# How many items are in the "rel" array?
count = rels.size
print "Number of rel params: ", count, "\n";

# Can I access each one?
for i in 0..(count-1)
   print "Item ", i, ": ", rels[i], "\n"
end

Here's what I get:

$ ./test "rel=rel1&c=d&rel=rel2&e=f"
{"rel"=>["rel1", "rel2"], "c"=>["d"], "e"=>["f"]}
rel1
rel2
Number of rel params: 2
Item 0: rel1
Item 1: rel2

So, it looks like it works to me.  Is the issue only with Rails?  I'm not going to venture down that path to see what the issue is, but if Ruby can access the data, can't it provide it to Rails in a form that it likes?

Paul

From: Dick Hardt [mailto:dick.hardt@gmail.com<http://gmail.com>]
Sent: Saturday, December 22, 2012 8:40 PM
To: Paul E. Jones
Cc: 'James M Snell'; webfinger@ietf.org<mailto:webfinger@ietf.org>; 'nov matake'; 'Melvin Carvalho'
Subject: Re: [webfinger] feedback for multiple "rel"

FYI: multiple query string params with the same name are turned into arrays or parsed into arrays in node.js

the following script:

var querystring = require('querystring')
console.log( querystring.parse( 'foo=bar&rel=token1&rel=token2' ) )
console.log( querystring.stringify( {'foo':'bar','rel':['token1','token2']} ) )

outputs:

{ foo: 'bar', rel: [ 'token1', 'token2' ] }
foo=bar&rel=token1&rel=token2

Perhaps Ruby devs should just move to the next cool language? :-)
Seriously though, what does the query string parser do in Ruby?

-- Dick

On Dec 22, 2012, at 5:30 PM, "Paul E. Jones" <paulej@packetizer.com<mailto:paulej@packetizer.com>> wrote:




That depends on where they're used.  If I tell you the "rel" value is "http://example.com/first one", I don't escape that as I write it.  Or are you saying there is text somewhere that already makes that, as written, illegal?

I'm quite favorable to a space-separated list of rel values in a single rel parameter, too.  I was concerned before that spaces would present an issue, but figured we could either we make spaces illegal in rel values (which we can do since those are fabricated things!) or we double-escape.  My preference is a single escape and a single rel parameter and spaces are illegal in the "rel" values themselves.

But, the forces that be pushed pretty hard to change from &rel=token1%20token to &rel=token1&rel=token2.  At the end of the day, it makes no difference to me since I just need to know which way to deal with it.

So Ruby can really only support only a single parameter with a given name?  It will not collect those into an array or anything?

Paul

From: James M Snell [mailto:jasnell@gmail.com<http://gmail.com>]
Sent: Saturday, December 22, 2012 7:51 PM
To: Paul E. Jones
Cc: nov matake; Melvin Carvalho; webfinger@ietf.org<mailto:webfinger@ietf.org>
Subject: Re: [webfinger] feedback for multiple "rel"

Spaces in rel values are already illegal.. specifically, spaces are disallowed in registered link relations and non-escaped spaces are disallowed in absolute IRI's.. A comma delimited list of rel's is better than multiple individual parameters.. even with the potential need for double encoding.



On Sat, Dec 22, 2012 at 4:00 PM, Paul E. Jones <paulej@packetizer.com<mailto:paulej@packetizer.com>> wrote:
If we made it a requirement that "rel" values have no spaces (which I would argue is a damn good thing for many reasons) then we would not have to double-encode.

Paul

From: webfinger-bounces@ietf.org<mailto:webfinger-bounces@ietf.org> [mailto:webfinger-bounces@ietf.org<mailto:webfinger-bounces@ietf.org>] On Behalf Of nov matake
Sent: Saturday, December 22, 2012 11:12 AM
To: Melvin Carvalho

Cc: webfinger@ietf.org<mailto:webfinger@ietf.org>
Subject: Re: [webfinger] feedback for multiple "rel"

BTW, why double encoding lead "problems with things like canonical urls and search engines"?
Can you provide more details?

If 2 rel included, the response would be different than when only 1 rel given.
So I feel those 2 are not the same, and can be indexed as 2 resources..

On 2012/12/23, at 0:44, Melvin Carvalho <melvincarvalho@gmail.com<mailto:melvincarvalho@gmail.com>> wrote:


On 22 December 2012 05:48, nov matake <matake@gmail.com<mailto:matake@gmail.com>> wrote:
Hi,

I have a comment for they way to specify multiple "rel" values.

As a ruby library developer, my main target is rails developers.
Since rails can't handle multiple same query keys, developers will need to hack query params parser in rails middleware layer.
I can easily imagine it'll be an annoying part to support webfinger in rails.

Is the multiple "rel" case can be a space-delimitered (or some other character) strings like multiple redirect_uri in OAuth2?
Or any reason for putting multiple same keys in query parameters?

each time you delimit a list, you have to be able to escape the delimiter, which can be a pain and also leads to problems with things like canonical urls and search engines

can you use mod_rewrite?


Cheers,

Nov Matake
_______________________________________________
webfinger mailing list
webfinger@ietf.org<mailto:webfinger@ietf.org>
https://www.ietf.org/mailman/listinfo/webfinger



_______________________________________________
webfinger mailing list
webfinger@ietf.org<mailto:webfinger@ietf.org>
https://www.ietf.org/mailman/listinfo/webfinger

_______________________________________________
webfinger mailing list
webfinger@ietf.org<mailto:webfinger@ietf.org>
https://www.ietf.org/mailman/listinfo/webfinger

v2.23.0 | Report a Bug | By Email