+1 on JSON in response bodies, -1 on JSON in URL query parameters or fragments.
Dirk.

On Sun, Jun 13, 2010 at 2:46 AM, Evan Gilbert <uid...@google.com> wrote:
> -1
>
> I disagree very strongly with this approach if I'm understanding correctly. Let me paraphrase to make sure I understand:
>
> All responses, even those encoded in a browser URL redirect back from the AS (redirect with verification code in the web server flow and the redirect with token in the user-agent flow) will be JSON.
>
> This means that we will have a URL-encoded JSON blob as a form parameter (as it has to play nicely with existing URL parameters). So the response back in the web server flow would be:
>
> https://client.com/receiveVerificationCode?existingParam=value&oauth2=%7Bcode%3A'abc123'%2C+state%3A+'randomstatedata'%7D
>
> and the response back in the user-agent flow would be
>
> https://client.com/page?existingParam=value&oauth2=%7Baccess_token%3A+'accesstoken1234'%2Cexpires_in%3A3600%2Cstate%3A'randomstatedata'%7D
>
> Reasons why this is of concern:
> - Requires clients to do URL decoding *and* JSON decoding
> - Encourages unsafe JSON handling in the User-Agent flow (eval(JSON) = XSS hole)
> - Breaks the simple model we've been creating in these flows.
>
> Evan
>
> On Fri, Jun 11, 2010 at 1:51 PM, Robert Sayre <say...@gmail.com> wrote:
>
>> +1
>>
>> On Fri, Jun 11, 2010 at 1:17 AM, Naitik Shah <n...@daaku.org> wrote:
>> > +1
>> >
>> > On Thu, Jun 10, 2010 at 5:50 PM, Luke Shepard <lshep...@facebook.com> wrote:
>> >>
>> >> +1
>> >>
>> >> On Jun 10, 2010, at 5:46 PM, Manger, James H wrote:
>> >>
>> >> > +1
>> >> >
>> >> > --
>> >> > James Manger
>> >> >
>> >> > ----------
>> >> > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav
>> >> > Sent: Friday, 11 June 2010 6:29 AM
>> >> > To: OAuth WG (oauth@ietf.org)
>> >> > Subject: [OAUTH-WG] Proposal for single JSON response format
>> >> >
>> >> > - Support a single response format (including in the user-agent fragment) using JSON.
>>
>> --
>> Robert Sayre
>>
>> "I would have written a shorter letter, but I did not have the time."
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
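The two redirect shapes Evan contrasts, and the eval() hazard he names, as an added example in browser-style JavaScript. This is not code from the thread or from any OAuth implementation; the URLs reuse the hosts and values from Evan's message, the function names are illustrative, and the "oauth2" blob is re-encoded as strict JSON (double-quoted keys) because the blobs as written in the message use unquoted keys and single quotes, which JSON.parse rejects.

```javascript
// Added example (not from the thread). Contrasts the two redirect shapes Evan
// describes and shows why eval() on the JSON-blob form is an XSS hole.
// All URLs and function names here are constructed for illustration.

// Shape A: the proposal under discussion, a URL-encoded JSON object in a single
// "oauth2" parameter next to the client's own existing parameter. The blob is
// re-encoded as strict JSON (double-quoted keys) so that JSON.parse accepts it.
const jsonStyleRedirect =
  "https://client.com/page?existingParam=value&oauth2=" +
  encodeURIComponent(JSON.stringify({
    access_token: "accesstoken1234",
    expires_in: 3600,
    state: "randomstatedata",
  }));

// Shape B: the "simple model", each value as its own form-encoded parameter.
const formStyleRedirect =
  "https://client.com/page?existingParam=value" +
  "&access_token=accesstoken1234&expires_in=3600&state=randomstatedata";

// Shape A needs two decoding steps: URL decoding (done by URLSearchParams),
// then JSON decoding. JSON.parse is a data parser, not a code evaluator.
function parseJsonStyle(urlString) {
  const blob = new URL(urlString).searchParams.get("oauth2");
  if (blob === null) throw new Error("missing oauth2 parameter");
  const data = JSON.parse(blob);
  if (typeof data !== "object" || data === null || Array.isArray(data)) {
    throw new Error("oauth2 parameter is not a JSON object");
  }
  return data;
}

// Shape B needs one decoding step. Note that every value arrives as a string.
function parseFormStyle(urlString) {
  const params = new URL(urlString).searchParams;
  const out = {};
  for (const key of ["access_token", "expires_in", "state"]) {
    if (params.has(key)) out[key] = params.get(key);
  }
  return out;
}

// The unsafe shortcut Evan warns about: treating the blob as a JavaScript
// object literal and eval()ing it. Whoever controls the redirect URL now
// controls code running in the client's origin.
function parseJsonStyleUnsafe(urlString) {
  const blob = new URL(urlString).searchParams.get("oauth2");
  return eval("(" + blob + ")"); // DO NOT do this in real code
}

// Demonstrates the hazard with a constructed redirect whose "token" is a
// function call. eval() executes it; JSON.parse rejects the blob outright.
function evalHazardDemo() {
  let attackerCodeRan = false;
  // Stand-in for attacker-controlled JavaScript reachable from the page.
  globalThis.attackerHook = () => { attackerCodeRan = true; return "accesstoken1234"; };
  const malicious =
    "https://client.com/page?oauth2=" +
    encodeURIComponent("{access_token: attackerHook(), state: 'randomstatedata'}");

  const viaEval = parseJsonStyleUnsafe(malicious); // runs attackerHook()

  let strictParserRejected = false;
  try {
    parseJsonStyle(malicious);
  } catch (e) {
    strictParserRejected = e instanceof SyntaxError; // unquoted key, call syntax
  }
  delete globalThis.attackerHook;
  return { attackerCodeRan, tokenSeenByEval: viaEval.access_token, strictParserRejected };
}
```

Two things worth noticing when running it: the form-encoded shape yields `expires_in` as the string "3600" while the JSON shape yields the number 3600, which is the one concrete thing the JSON blob buys; and a client that receives the JavaScript-literal style blobs from the message (unquoted keys) cannot use JSON.parse at all, which is exactly the situation in which developers reach for eval().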