On Wed, May 5, 2010 at 11:09 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:

> Consensus is that JSON is the right format for token responses in the
> message body. As for the User Agent flow, that should remain form-encoded in
> the fragment (I think).
>

I'm fine with JSON in the message body.

I assume we would also use URL parameters for the Web App flow when
redirecting with the verification code.


>
>
> EHL
>
>
>
> *From:* Evan Gilbert [mailto:uid...@google.com]
> *Sent:* Wednesday, May 05, 2010 10:07 AM
> *To:* Eran Hammer-Lahav
> *Cc:* Torsten Lodderstedt; oauth@ietf.org
>
> *Subject:* Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
> (Proposal)
>
>
>
>
>
> On Wed, May 5, 2010 at 8:28 AM, Eran Hammer-Lahav <e...@hueniverse.com>
> wrote:
>
> I'll add something to the draft and we'll discuss it. There is enough
> consensus on a single JSON response format.
>
>
>
> Responses that are returned via a browser URL should
> be application/x-www-form-urlencoded. These parameters are standard to parse
> in any HTTP handling library and JSON only adds complexity and external
> library requirements.
>
>
>
> I'm not positive we need to support JSON at all.
>
>
>
>  But if we support both JSON and application/x-www-form-urlencoded, I think
> the pattern should be:
>
> - application/x-www-form-urlencoded for requests/responses in a browser
>
> - JSON otherwise (including requests)
>
>
>
>
>
>
> EHL
>
>
>
> > -----Original Message-----
> > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> > Of Torsten Lodderstedt
> > Sent: Friday, April 30, 2010 2:00 AM
> > To: Brian Eaton
> > Cc: oauth@ietf.org
> > Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
> > (Proposal)
> >
> >
> > Quoting Brian Eaton <bea...@google.com>:
> >
> > > On Thu, Apr 29, 2010 at 2:40 PM, Mike Moore <blowm...@gmail.com> wrote:
> > >> On Thu, Apr 29, 2010 at 2:49 PM, Yaron Goland <yar...@microsoft.com> wrote:
> > >>>
> > >>> Can we please just have one format, not 3? The more choices we give
> > >>> the more interoperability suffers.
> > >
> > > Yes.  The number of parsers needed to make a working system is
> > > important.  The spec has too many already.
> > >
> > > I'd like to see authorization servers returning JSON or XML, since
> > > that's what the resource servers are doing.
> > >
> > > ...and given a choice between JSON and XML, I'd pick JSON.
> > >
> >
> > I agree. At Deutsche Telekom, we try to align our authorization APIs with
> > the APIs provided by the resource servers. Authorization is "just" a small,
> > but important, portion of the overall process and aligning it with the rest
> > increases acceptance and decreases error rate.
> >
> > None of the APIs we provide uses form encoding, most of them use JSON,
> > some XML.
> > Based on that observation I would like to see at least JSON support in
> > OAuth. So JSON as the only format would be fine with me.
> >
> > My proposal is based on the observation that the WG did not come to a
> > consensus about the one and only format.
> >
> > I have collected the following opinions from the thread:
> >
> > pro additional support for JSON and XML - Marius Scurtescu, John Jawed, Richard Barnes, Brian Eaton, Torsten Lodderstedt
> > pro additional support for JSON - Dick Hardt (initiated the thread), Joseph Smarr
> > still support application/x-www-form-urlencoded (unclear whether exclusively) - David Recordon, Gaurav Rastogi
> > one format only (preference unclear) - Yaron Goland
> > JSON as the only format (if forced to decide for a single format) - Brian Eaton, Torsten Lodderstedt
> > JSON as the only format - James Manger, Robert Sayre
> > application/x-www-form-urlencoded as the only format - Mike Moore
> > JSON for responses as well - Marius Scurtescu
> >
> > Here are some representative comments from the thread:
> >
> > Joseph Smarr - "JSON is already widely supported (presumably including by
> > most APIs that you're building OAuth support to be able to access!"
> >
> > David Recordon - "it's drastically more complex for environments (like
> > embedded hardware) which doesn't support JSON."
> >
> > Paul C. Bryan - "I'm struggling to imagine hardware that on the one hand
> > would support OAuth, but on the other would be incapable of supporting
> > JSON..."
> >
> > Gaurav Rastogi - "There are enough number of small embedded software
> > stack where JSON is not an option."
> >
> > So we have at least 9 votes pro JSON, but also 1 vote for
> > application/x-www-form-urlencoded only.
> >
> > How shall we proceed? Can we come to a consensus?
> >
> > regards,
> > Torsten.
> >
> > > Cheers,
> > > Brian
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org
> > > https://www.ietf.org/mailman/listinfo/oauth
> > >