-1 I disagree very strongly with this approach if I'm understanding correctly. Let me paraphrase to make sure I understand:
All responses, even those encoded in a browser URL redirect back from the AS (redirect with verification code in the web server flow and the redirect with token in the user-agent flow) will be JSON This means that we will have a URL-encoded JSON blob as a form parameter (as it has to play nicely with existing URL parameters). So the response back in the web server flow would be: https://client.com/receiveVerificationCode?existingParam=value&oauth2=%7Bcode%3A'abc123'%2C+state%3A+'randomstatedata'%7D and the response back in the user-agent flow would be https://client.com/page?existingParam=value&oauth2=%7Baccess_token%3A+'accesstoken1234'%2Cexpires_in%3A3600%2Cstate%3A'randomstatedata'%7D Reasons why this is of concern: - Requires clients to do URL decoding *and* JSON decoding - Encourages unsafe JSON handling in the User-Agent flow (eval(JSON) = XSS hole) - Breaks the simple model we've been creating in these flows. Evan On Fri, Jun 11, 2010 at 1:51 PM, Robert Sayre <say...@gmail.com> wrote: > +1 > > On Fri, Jun 11, 2010 at 1:17 AM, Naitik Shah <n...@daaku.org> wrote: > > +1 > > > > On Thu, Jun 10, 2010 at 5:50 PM, Luke Shepard <lshep...@facebook.com> > wrote: > >> > >> +1 > >> > >> On Jun 10, 2010, at 5:46 PM, Manger, James H wrote: > >> > >> > +1 > >> > > >> > -- > >> > James Manger > >> > > >> > ---------- > >> > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On > Behalf > >> > Of Eran Hammer-Lahav > >> > Sent: Friday, 11 June 2010 6:29 AM > >> > To: OAuth WG (oauth@ietf.org) > >> > Subject: [OAUTH-WG] Proposal for single JSON response format > >> > > >> > - Support a single response format (including in the user-agent > >> > fragment) using JSON. > >> > _______________________________________________ > >> > OAuth mailing list > >> > OAuth@ietf.org > >> > https://www.ietf.org/mailman/listinfo/oauth > >> > >> _______________________________________________ > >> OAuth mailing list > >> OAuth@ietf.org > >> https://www.ietf.org/mailman/listinfo/oauth > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > > > > -- > > Robert Sayre > > "I would have written a shorter letter, but I did not have the time." > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
