On Wed, May 5, 2010 at 10:59 AM, Evan Gilbert <[email protected]> wrote:
>
> On Wed, May 5, 2010 at 10:47 AM, Torsten Lodderstedt <[email protected]> wrote:
>
>> Even if not supported directly by the platform there are many JSON
>> libraries available these days.
>
> It's not hard to add JSON support, but it's a factor in the choice.
>
>> http://www.json.org/ lists 3 libraries for Objective-C alone.
>>
>> Moreover, the JSON documents we are discussing now are simple, something
>> like
>>
>> { "access_token": "SlAV32hkKG", "expires_in": "3600", "refresh_token":
>> "8xLOxBtZp8" }
>>
>> Parsing such a document is not a challenge even without library support.
>
> Per notes above - the client needs to understand form encoding anyway.
> The client needs to parse the redirect_uri and also needs to generate form
> encoded requests.

Also, for the User-Agent flow, parsing potentially untrusted JSON in JavaScript is difficult. The normal path of using eval() is unsafe and leads to XSS holes - you need to run a regex matcher to verify that the JSON content has no executable code.

>> Regarding code size: What really matters on mobile devices from my point
>> of view is the size of data to be transmitted. Here, JSON is much more
>> compact than XML.
>>
>> regards,
>> Torsten.
>>
>> On 05.05.2010 17:42, Marius Scurtescu wrote:
>>
>>> On Wed, May 5, 2010 at 8:28 AM, Eran Hammer-Lahav <[email protected]> wrote:
>>>
>>>> I'll add something to the draft and we'll discuss it. There is enough
>>>> consensus on a single JSON response format.
>>>
>>> Yesterday I got the following feedback:
>>>
>>> On Tue, May 4, 2010 at 5:43 PM, Greg Robbins <[email protected]> wrote:
>>>
>>>> Using JSON on the iPhone requires developers to drag in source code for
>>>> a third-party library.
>>>>
>>>> If their app isn't already relying on JSON for some other purpose, then
>>>> adding a third-party library is a somewhat substantial annoyance,
>>>> particularly for a mobile app where code size is important.
>>>>
>>>> If OAuth 2 is only intended for use with JSON APIs, then returning all
>>>> responses as JSON is reasonable. Otherwise, it's not so reasonable. A
>>>> full JSON parser is non-trivial, and seems like overkill for simple
>>>> responses.
>>>>
>>>> The iPhone OS does have libxml2 and an event-style XML parser, but no
>>>> really easy way to extract data from XML, either.
>>>>
>>>> Form-style responses are much more straightforward to work with given
>>>> simple string-manipulation utilities.
>>>
>>> If the above is true, then I am not so sure about JSON anymore. Lots
>>> of phones and devices will have problems with it.
>>>
>>> Marius
>>
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
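
An added example, not part of the original message or of any OAuth draft: the token response from the thread parsed in JavaScript without eval(), once as JSON (with a regex pre-filter in the style of RFC 4627 section 6) and once as a form-encoded body. The function names are hypothetical; the field names are taken from the sample document quoted above.

```javascript
// Added example (not from the thread). Function names are hypothetical;
// field names come from the sample document quoted in the message.
const FIELDS = ['access_token', 'expires_in', 'refresh_token'];

// Pre-filter in the style of RFC 4627 section 6: once string literals are
// removed, only JSON punctuation, digits and the letters used by
// true/false/null may remain. It is a guard, not a parser.
function passesJsonFilter(text) {
  const stripped = text.replace(/"(\\.|[^"\\])*"/g, '');
  return !/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(stripped);
}

// Copy only the expected fields, and only when they are strings.
function pickTokenFields(get) {
  const out = {};
  for (const name of FIELDS) {
    const value = get(name);
    if (value === undefined || value === null) continue;
    if (typeof value !== 'string') throw new TypeError(name + ' must be a string');
    out[name] = value;
  }
  if (!out.access_token) throw new Error('access_token missing');
  return out;
}

// JSON variant: JSON.parse never evaluates its input, unlike eval().
function parseJsonTokenResponse(text) {
  if (!passesJsonFilter(text)) throw new SyntaxError('not plain JSON');
  const doc = JSON.parse(text);
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    throw new TypeError('token response must be a JSON object');
  }
  return pickTokenFields((name) =>
    Object.prototype.hasOwnProperty.call(doc, name) ? doc[name] : undefined);
}

// Form-encoded variant of the same response.
function parseFormTokenResponse(body) {
  const params = new URLSearchParams(body);
  return pickTokenFields((name) =>
    params.has(name) ? params.get(name) : undefined);
}
```

Both parsers return the same plain object, so the rest of a client does not depend on which response format the server chose.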
