Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-20 Thread Manger, James H
Marius, >> I wouldn't be surprised if, in some scenarios, the token info gets too big >> to fit in a URI. In that case even the user-agent flow will need to make a >> direct request to get the token info, which is more likely to be delivered >> as JSON. OpenID and SAML have found they need thi

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-20 Thread Marius Scurtescu
On Wed, May 19, 2010 at 6:33 PM, Manger, James H wrote: > Marius, > >> Only direct responses are JSON, form/url encoded >> still has to be used: >> - direct requests >> - through browser requests >> - through browser responses >> - through browser fragment responses > > A better solution would be

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-20 Thread Evan Gilbert
On Wed, May 19, 2010 at 6:33 PM, Manger, James H < james.h.man...@team.telstra.com> wrote: > Marius, > > > Only direct responses are JSON, form/url encoded > > still has to be used: > > - direct requests > > - through browser requests > > - through browser responses > > - through browser fragment

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-19 Thread Eran Hammer-Lahav
> -Original Message- > From: Marius Scurtescu [mailto:mscurte...@google.com] > Sent: Wednesday, May 19, 2010 5:43 PM > To: Eran Hammer-Lahav > Cc: Yaron Goland; OAuth WG (oauth@ietf.org) > Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13) > > On

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-19 Thread Manger, James H
Marius, > Only direct responses are JSON, form/url encoded > still has to be used: > - direct requests > - through browser requests > - through browser responses > - through browser fragment responses A better solution would be to change the last two (token info delivered in callback URIs) so

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-19 Thread Marius Scurtescu
Original Message- >> From: Yaron Goland [mailto:yar...@microsoft.com] >> Sent: Monday, May 17, 2010 2:58 PM >> To: Kris Selden; Eran Hammer-Lahav >> Cc: OAuth WG (oauth@ietf.org) >> Subject: RE: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13) >> >> My

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-17 Thread Eran Hammer-Lahav
attention to other others. This is an > inevitable > trade off given the difficulties of fully testing even basic formats. > > Thanks, > > Yaron > > > > -Original Message----- > > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-17 Thread Yaron Goland
On Behalf > Of Kris Selden > Sent: Friday, May 14, 2010 1:29 PM > To: Eran Hammer-Lahav > Cc: OAuth WG (oauth@ietf.org) > Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13) > > The only reason I've heard was interoperability but it is always stated as > p

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-17 Thread Kris Selden
y, May 13, 2010 4:27 PM >> To: Eran Hammer-Lahav >> Cc: Yaron Goland; OAuth WG (oauth@ietf.org) >> Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13) >> >> On Thu, May 13, 2010 at 5:14 PM, Eran Hammer-Lahav >> wrote: >>> There is cl

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-13 Thread Torsten Lodderstedt
owing along, we are talking about section 3.9? Yaron -Original Message- From: Eran Hammer-Lahav [mailto:e...@hueniverse.com] Sent: Tuesday, May 11, 2010 4:37 PM To: Yaron Goland; Torsten Lodderstedt Cc: OAuth WG (oauth@ietf.org) Subject: RE: [OAUTH-WG] Open Issues: Group Survey

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-13 Thread Eran Hammer-Lahav
> -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Greg Brail > Sent: Thursday, May 13, 2010 6:57 PM >Eran or whomever is so empowered were to choose No one is empowered to choose. We need to keep at it until we reach consensus, but some

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-13 Thread Greg Brail
uth@ietf.org) Subject: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13) DEADLINE: 5/13 I would like to publish one more draft before our interim meeting in two weeks (5/20). Below are two open issues we have on the list. Please reply with your preference (or additional solutions) to each item. Is

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-13 Thread Robert Sayre
On Thu, May 13, 2010 at 7:43 PM, Eran Hammer-Lahav wrote: > Can you give a reason why you are objecting to C. > As I just wrote: > My objection to C was that your examples were buggy. I don't think servers or clients will get XML, JSON, and form-encoded right without taking on a lot of 3rd party

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-13 Thread Eran Hammer-Lahav
Can you give a reason why you are objecting to C. EHL > -Original Message- > From: Robert Sayre [mailto:say...@gmail.com] > Sent: Thursday, May 13, 2010 4:27 PM > To: Eran Hammer-Lahav > Cc: Yaron Goland; OAuth WG (oauth@ietf.org) > Subject: Re: [OAUTH-WG] Open Is

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-13 Thread Robert Sayre
On Thu, May 13, 2010 at 5:14 PM, Eran Hammer-Lahav wrote: > There is clearly no consensus for either A or B. There was mostly no > objection to C, > and the reason given by most of those who objected was client complexity with > the current proposal solves. My objection to C was that your examp

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-13 Thread Eran Hammer-Lahav
- No preference > > > > > -Original Message- > > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > > Of Eran Hammer-Lahav > > Sent: Thursday, May 13, 2010 10:01 AM > > To: OAuth WG (oauth@ietf.org) > > Subject: Re: [OAUT

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-13 Thread Yaron Goland
iginal Message- > From: Eran Hammer-Lahav [mailto:e...@hueniverse.com] > Sent: Tuesday, May 11, 2010 4:37 PM > To: Yaron Goland; Torsten Lodderstedt > Cc: OAuth WG (oauth@ietf.org) > Subject: RE: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13) > > No one

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-13 Thread Yaron Goland
r-Lahav > Sent: Thursday, May 13, 2010 10:01 AM > To: OAuth WG (oauth@ietf.org) > Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13) > > Thanks to those who participated! > > Some conclusions: > > > 1. Server Response Format > > > > Af

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-13 Thread Eran Hammer-Lahav
Thanks to those who participated! Some conclusions: > 1. Server Response Format > > After extensive debate, we have a large group in favor of using JSON as the > only response format (current draft). We also have a smaller group but with > stronger feelings on the subject that JSON adds complexi

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-11 Thread Eran Hammer-Lahav
(oauth@ietf.org) > Subject: RE: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13) > > Actually it's server side that's the problem. Many servers limit the size of > the > HTTP request headers they will accept. Apache 2.2, for example, uses the > LimitRequestFieldSize Di

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-11 Thread Yaron Goland
submitted. Yaron > -Original Message- > From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net] > Sent: Monday, May 10, 2010 10:47 PM > To: Yaron Goland > Cc: Eran Hammer-Lahav; OAuth WG (oauth@ietf.org) > Subject: Re: [OAUTH-WG] Open Issues: Group Surv

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-11 Thread Marius Scurtescu
On Tue, May 11, 2010 at 3:33 AM, Vivek Khurana wrote: > On Mon, May 10, 2010 at 2:36 AM, Eran Hammer-Lahav > wrote: >> DEADLINE: 5/13 >> >> I would like to publish one more draft before our interim meeting in two >> weeks (5/20). Below are two open issues we have on the list. Please reply >> w

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-11 Thread Torsten Lodderstedt
On 11.05.2010 12:33, Vivek Khurana wrote: 2. Client Authentication (in flows) How should the client authenticate when making token requests? The current draft defines special request parameters for sending client credentials. Some have argued that this is not the correct way, and that the cl

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-11 Thread Vivek Khurana
On Mon, May 10, 2010 at 2:36 AM, Eran Hammer-Lahav wrote: > DEADLINE: 5/13 > > I would like to publish one more draft before our interim meeting in two > weeks (5/20). Below are two open issues we have on the list. Please reply > with your preference (or additional solutions) to each item. Issue

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-11 Thread Yutaka OIWA
On 2010/05/11 12:49, Robert Sayre wrote: > What /would/ be nice is an HTTP authentication scheme that used some > sort of PAKE... but don't gate the OAuth spec on that. FYI for people interested: my proposal for PAKE-based HTTP authentication submitted as an Internet-Draft:

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-11 Thread Yutaka OIWA
On 2010/05/11 12:49, Robert Sayre wrote: > Basic leaves the input character encoding unspecified, so it doesn't > handle anything but ASCII in an interoperable way. OAuth > implementations will certainly screw this up too, but I suspect it > will be somewhat less buggy, since most people will prob

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-11 Thread Pid
On 10/05/2010 23:38, Joseph Smarr wrote: > Oh, one other quick benefit of JSON (kind of an extension of point 1 below): > > - no ambiguous treatment of whitespace or newlines (this is a problem > I've observed multiple times while helping developers debug OAuth 1.0 > implementations--since they ju

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-10 Thread Torsten Lodderstedt
On 11.05.2010 01:43, Yaron Goland wrote: --- 2. Client Authentication (in flows) How should the client authenticate when making token requests? The current draft defines special request parameters for sending client credentials. Some have argued that this is not the correct way, and that th

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-10 Thread Robert Sayre
On Mon, May 10, 2010 at 10:43 PM, Eran Hammer-Lahav wrote: > > What? > > Basic auth seems to be working just fine for the entire web... I hadn't heard of implementations hitting a limitation on header size, but Basic and Digest are both broken. Basic leaves the input character encoding unspecifi

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-10 Thread Eran Hammer-Lahav
> -Original Message- > From: Yaron Goland [mailto:yar...@microsoft.com] > Sent: Monday, May 10, 2010 4:43 PM > > 2. Client Authentication (in flows) > > > > How should the client authenticate when making token requests? The > > current draft defines special request parameters for sendin

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-10 Thread Yaron Goland
Please see inline > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Eran Hammer-Lahav > Sent: Sunday, May 09, 2010 2:07 PM > To: OAuth WG (oauth@ietf.org) > Subject: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13) &

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-10 Thread Joseph Smarr
Oh, one other quick benefit of JSON (kind of an extension of point 1 below): - no ambiguous treatment of whitespace or newlines (this is a problem I've observed multiple times while helping developers debug OAuth 1.0 implementations--since they just split on & and =, they often don't trim extra wh

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-10 Thread Joseph Smarr
Let me try to offer some of those "logical, positive statements in favour of the technical merits of JSON over the original format choice" for those that aren't familiar or haven't gleaned them from the thread thus far: - unambiguous spec for encoding/decoding (including how to represent spaces an

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-10 Thread Pid
On 10/05/2010 15:56, Dick Hardt wrote: > > On 2010-05-10, at 1:11 AM, Pid wrote: > >> On 10/05/2010 07:57, Joseph Smarr wrote: 1. Server Response Format >>> >>> I vote for B, though I could live with C. (A would make me sad though) >>> >>> We've had a healthy and reasonable debate about the

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-10 Thread Torsten Lodderstedt
On 09.05.2010 23:06, Eran Hammer-Lahav wrote: DEADLINE: 5/13 I would like to publish one more draft before our interim meeting in two weeks (5/20). Below are two open issues we have on the list. Please reply with your preference (or additional solutions) to each item. Issues with consensus w

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-10 Thread Mike Moore
On Sun, May 9, 2010 at 3:06 PM, Eran Hammer-Lahav wrote: > DEADLINE: 5/13 > > I would like to publish one more draft before our interim meeting in two > weeks (5/20). Below are two open issues we have on the list. Please reply > with your preference (or additional solutions) to each item. Issues w

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-10 Thread Dick Hardt
On 2010-05-10, at 1:11 AM, Pid wrote: > On 10/05/2010 07:57, Joseph Smarr wrote: >>> 1. Server Response Format >> >> I vote for B, though I could live with C. (A would make me sad though) >> >> We've had a healthy and reasonable debate about the trade-offs here, but >> I think the main countera

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-10 Thread Richer, Justin P.
1. Server Response Format A. Form-encoded only (original draft) B. JSON only (current draft) C. JSON as default with form-encoded and XML available with an optional request parameter Vote for C, to be specified as: "Server MUST support JSON, form-encoded, and XML. Client MAY request any of

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-10 Thread Mark Mcgloin
> 1. Server Response Format No Preference > 2. Client Authentication (in flows) > A. Client authenticates by sending its credentials using special parameters (current draft) > B. Client authenticated by using HTTP Basic (or other schemes supported by the server such as Digest) Prefer B Mark

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-10 Thread Pid
On 10/05/2010 07:57, Joseph Smarr wrote: >> 1. Server Response Format > > I vote for B, though I could live with C. (A would make me sad though) > > We've had a healthy and reasonable debate about the trade-offs here, but > I think the main counterargument for requiring JSON support is that it's >

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-09 Thread Joseph Smarr
> 1. Server Response Format I vote for B, though I could live with C. (A would make me sad though) We've had a healthy and reasonable debate about the trade-offs here, but I think the main counterargument for requiring JSON support is that it's not quite yet a "no-brainer" to have JSON support in

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-09 Thread David Waite
On May 9, 2010, at 3:06 PM, Eran Hammer-Lahav wrote: > > 1. Server Response Format > > After extensive debate, we have a large group in favor of using JSON as the > only response format (current draft). We also have a smaller group but with > stronger feelings on the subject that JSON adds com

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-09 Thread Eran Hammer-Lahav
No strong views on either one. > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Eran Hammer-Lahav > Sent: Sunday, May 09, 2010 2:07 PM > To: OAuth WG (oauth@ietf.org) > Subject: [OAUTH-WG] Open Issues: Group Surve

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-09 Thread DeWitt Clinton
Response inline. On Sun, May 9, 2010 at 5:17 PM, Dick Hardt wrote: > > On 2010-05-09, at 2:06 PM, Eran Hammer-Lahav wrote: > > > DEADLINE: 5/13 > > > > I would like to publish one more draft before our interim meeting in two > weeks (5/20). Below are two open issues we have on the list. Please r

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-09 Thread Manger, James H
> 1. Server Response Format > > A. Form-encoded only (original draft) > B. JSON only (current draft) > C. JSON as default with form-encoded and XML available with an optional > request parameter I vote for B B doesn't stop specific services also offering form-encoded or XML variants -- particu

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-09 Thread Dick Hardt
On 2010-05-09, at 2:06 PM, Eran Hammer-Lahav wrote: > DEADLINE: 5/13 > > I would like to publish one more draft before our interim meeting in two > weeks (5/20). Below are two open issues we have on the list. Please reply > with your preference (or additional solutions) to each item. Issues wi

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-09 Thread David Recordon
On Sun, May 9, 2010 at 2:06 PM, Eran Hammer-Lahav wrote: > DEADLINE: 5/13 > > I would like to publish one more draft before our interim meeting in two > weeks (5/20). Below are two open issues we have on the list. Please reply > with your preference (or additional solutions) to each item. Issues

[OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

2010-05-09 Thread Eran Hammer-Lahav
DEADLINE: 5/13 I would like to publish one more draft before our interim meeting in two weeks (5/20). Below are two open issues we have on the list. Please reply with your preference (or additional solutions) to each item. Issues with consensus will be incorporated into the next draft. Those wi