On Tue, Jul 12, 2011 at 11:10, Eran Hammer-Lahav <[email protected]> wrote:
> Requiring parsing of the response type parameter is a big change at this 
> point. Even if it is a decent idea, I'm against it for the sole reason that I 
> don't want to introduce such a change - we're done.
>
> The + character makes reading values easier because it give composites of 
> existing, individually defined values, a special meaning to *people*, but it 
> does not change any existing code or adds any work. Servers will still 
> perform simple string comparison. Parsing a list of values is unnecessary 
> complexity. Developers can learn to put values in their expected order (since 
> they are all going to cut-n-paste anyway).

I disagree. I believe that servers will either not support the
composite types at all, or will allow developers to enter it into any
order to avoid developer pain.

Also, developers will _not_ cut-and-paste. They will expect the fact
that order is not meaningful by interacting with providers that don't
perform exact string matching and then have interoperability issues
with compliant implementations.

>
> I rather drop the special character then add parsing, but I think it is a 
> useful *convention*.
>
> Do people want to keep it or drop it?
>
> EHL
>
>
>> -----Original Message-----
>> From: Breno de Medeiros [mailto:[email protected]]
>> Sent: Tuesday, July 12, 2011 10:59 AM
>> To: Eran Hammer-Lahav
>> Cc: Marius Scurtescu; OAuth WG
>> Subject: Re: [OAUTH-WG] defining new response types
>>
>> Imposing order and exact string matching on response_type's while
>> simultaneously supporting a special character '+' and introducing the concept
>> of composite response_type is a poor compromise, IMNSHO. What is the
>> rationale to fear allowing multiple-valued response_type as we have for
>> other parameters in the spec?
>>
>> On Mon, Jul 11, 2011 at 18:51, Eran Hammer-Lahav <[email protected]>
>> wrote:
>> > As for the plus encoding we can choose another char or give an example.
>> >
>> > On Jul 11, 2011, at 18:07, "Marius Scurtescu" <[email protected]>
>> wrote:
>> >
>> >> If I read section 8.4 correctly it seems that new response types can
>> >> be defined but composite values must be registered explicitly.
>> >>
>> >> I don't think this approach scales too well. OpenID Connect for
>> >> example is adding a new response type: id_token.
>> >>
>> >> id_token can be combined with either code or token and potentially
>> >> with both of them, the following combinations must be registered as a
>> >> result:
>> >> code+id_token
>> >> token+id_token
>> >> code+token+id_token
>> >>
>> >> and this assumes that code+token is already registered.
>> >>
>> >> I think it makes more sense to define response_type as a space
>> >> separated list of items, where each item can be individually
>> >> registered. I do realize that this complicates things quite a bit
>> >> (not we have to define and deal with both composite response_type and
>> >> the individual items).
>> >>
>> >> As a side note, using + as separator could cause lots of problems. If
>> >> people naively type "code+toke" it will be decoded as "code token".
>> >> No one will remember the hex code for +.
>> >>
>> >> Marius
>> >> _______________________________________________
>> >> OAuth mailing list
>> >> [email protected]
>> >> https://www.ietf.org/mailman/listinfo/oauth
>> >
>>
>>
>>
>> --
>> --Breno
>



-- 
--Breno
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to