Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Link relations in HTTP Link header conflict with RFC 5988. #17

Open
Zegnat opened this issue Feb 15, 2018 · 5 comments
Open

Link relations in HTTP Link header conflict with RFC 5988. #17

Zegnat opened this issue Feb 15, 2018 · 5 comments

Comments

@Zegnat
Copy link
Member

Zegnat commented Feb 15, 2018

IndieAuth registers 3 link relations: authorization_endpoint, token_endpoint, and redirect_uri. Additionally it requires both clients and servers to check HTTP Link headers for URLs with these relations.

According to RFC 5988 (as cited by IndieAuth) an _ (underscore) cannot be used by a link relation within the header field. A link’s relation type must match:

  relation-type  = reg-rel-type | ext-rel-type
  reg-rel-type   = LOALPHA *( LOALPHA | DIGIT | "." | "-" )
  ext-rel-type   = URI

RFC 8288 (which replaces RFC 5988, cf. #15) does not solve this for us. There a link’s relation type is defined using a slightly different ABNF but otherwise unchanged:

  relation-type  = reg-rel-type / ext-rel-type
  reg-rel-type   = LOALPHA *( LOALPHA / DIGIT / "." / "-" )
  ext-rel-type   = URI ; Section 3 of [RFC3986]
@aaronpk
Copy link
Member

aaronpk commented Jul 7, 2018

I'm not sure the best path forward on this. We used underscores for authorization_endpoint because that's the same name as the property in OpenID Connect Discovery.

It seems that parsers are not breaking on the underscore, so I would hate to make a breaking change in the spec just to stay conformant with RFC 5988/8288 when in reality the live code seems to not care.

@Zegnat
Copy link
Member Author

Zegnat commented Jul 13, 2018

[…] I would hate to make a breaking change in the spec just to stay conformant with RFC 5988/8288 when in reality the live code seems to not care.

I agree. So this becomes a question of whether the IndieAuth specification needs to call notice to this deviation from RFC 8288. Alternatively the issue gets ignored completely, or it is filed somewhere else.

As far as link relations in HTML are concerned, the WHATWG accepts any “JavaScript string” (basically: any valid UTF string) that does not contain ASCII whitespace. As long as the type is “registered in the microformats wiki”. Underscores are definitely fine there, and have some prior art.

@jgarber623 jgarber623 mentioned this issue May 28, 2019
Open
@aaronpk
Copy link
Member

aaronpk commented Aug 22, 2020

Perhaps the way forward on this is to switch to an IndieAuth Server Metadata URL #43 and use a name that isn't disallowed for that endpoint.

@aaronpk aaronpk mentioned this issue Oct 16, 2021
Closed
@dshanske
Copy link
Member

dshanske commented Mar 5, 2022

@Zegnat Do you consider this resolved as we used a - in the replacement for these, save redirect_uri ?

@Zegnat
Copy link
Member Author

Zegnat commented May 28, 2024

@dshanske Feels like this is pending closing by #133. As that would potentially introduce a different recommended way to detect redirect_uri (as redirect_urls) in the Client ID Document.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@aaronpk @Zegnat @dshanske