I actually have a preference for application/x-www-form-urlencoded but it's not
overwhelming, the key thing I believe we need to do is have exactly one
request/response format. In other words, I don't believe we should use one
format for requests and another for responses. Just pick one for both.
Thanks,
Yaron
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Torsten Lodderstedt
> Sent: Friday, April 30, 2010 2:00 AM
> To: Brian Eaton
> Cc: [email protected]
> Subject: Re: [OAUTH-WG] application/x-www-form-urlencoded vs JSON
> (Proposal)
>
>
> Zitat von Brian Eaton <[email protected]>:
>
> > On Thu, Apr 29, 2010 at 2:40 PM, Mike Moore <[email protected]>
> wrote:
> >> On Thu, Apr 29, 2010 at 2:49 PM, Yaron Goland <[email protected]>
> wrote:
> >>>
> >>> Can we please just have one format, not 3? The more choices we give
> >>> the more interoperability suffers.
> >
> > Yes. The number of parsers needed to make a working system is
> > important. The spec has too many already.
> >
> > I'd like to see authorization servers returning JSON or XML, since
> > that's what the resource servers are doing.
> >
> > ...and given a choice between JSON and XML, I'd pick JSON.
> >
>
> I agree. At Deutsche Telekom, we try to align our authorization APIs with the
> APIs provided by the resource servers. Authorization is "just" a small, but
> important, portion of the overall process and aligning it with the rest
> increases acceptance and decreases error rate.
>
> None of the APIs we provide uses form encoding, most of them use JSON,
> some XML.
> Based on that observation I would like to see at least JSON support in OAuth.
> So JSON as the only would be fine with me.
>
> My proposal is based on the observation that the WG did not come to a
> consensus about the one and only format.
>
> I have collected the following opinions from the thread:
>
> pro additional support for JSON and XML - Marius Scurtescu, John Jawed,
> Richard Barnes, Brian Eaton, Torsten Lodderstedt pro additional support for
> JSON - Dick Hardt (initiated the thread), Joseph Smarr still support
> application/x-www-form-urlencoded (unclear whether
> exclusively) - David Recordon, Gaurav Rastogi one format only (preference
> unclear) - Yaron Goland JSON as the only format (if forced to decide for a
> single format) - Brian Eaton, Torsten Lodderstedt JSON as the only format -
> James Manger, Robert Sayre application/x-www-form-urlencoded as the
> only format - Mike Moore JSON for responses as well - Marius Scurtescu
>
> Here are some representative comments from the thread:
>
> Joseph Smarr - "JSON is already widely supported (presumably including by
> most APIs that you're building OAuth support to be able to access!"
>
> David Recordon - "it's drastically more complex for environments (like
> embedded hardware) which doesn't support JSON."
>
> Paul C. Bryan - "I'm struggling to imagine hardware that on the one hand
> would support OAuth, but on the other would be incapable of supporting
> JSON..."
>
> Gaurav Rastogi - "There are enough number of small embedded software
> stack where JSON is not an option."
>
> So we have at least 9 votes pro JSON, but also 1 vote for application/x-www-
> form-urlencoded only.
>
> How shall we proceed? Can we come to a consensus?
>
> regards,
> Torsten.
>
> > Cheers,
> > Brian
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
> >
>
>
>
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
