Indeed, recognizing that you're right that "you can't do that" with the current
syntax, we decided to change scope to quoted-string so that it is compatible
with HTTPbis and add the restriction that no "\" quoting may be present in the
string (to simplify implementations).
-- Mike
-----Original Message-----
From: Julian Reschke [mailto:[email protected]]
Sent: Friday, October 14, 2011 9:11 AM
To: Mike Jones
Cc: OAuth WG
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed
Resolutions
On 2011-10-14 17:52, Julian Reschke wrote:
> On 2011-10-14 17:42, Mike Jones wrote:
>> Thanks for the useful discussion and the write-up, Hannes. For
>> context, Hannes and I discussed how to resolve the remaining Bearer
>> spec issues in a manner that meets the needs of implementations and
>> will not generate objections during the IESG or IETF Last Call
>> reviews. A few additional comments...
>>
>> 1. Error Description - Nothing to add to Hannes' write-up.
>>
>> 2. Scope - I was planning to allow a broader set of ASCII characters
>> than the "token" set, as these characters are inadequate for the use
>> of URIs/URLs as scope elements. In particular, scope elements need to
>> permit the full sets of "reserved"
>> <http://tools.ietf.org/html/rfc3986#section-2.2> and "unreserved"
>> <http://tools.ietf.org/html/rfc3986#section-2.3> characters in RFC
>> 3986 <http://tools.ietf.org/html/rfc3986>. The draft I am working on
>> will say that scope is a space separated set of elements, where the
>> elements consist of one or more characters from the union of the
>> "reserved" and "unreserved" sets.
>> ...
>
> If you do that, you'll need to be careful with the encoding in case
> you stick with x-www-url-encoded (SP -> "+" etc).
Sorry, /me confused.
Looked again at
<https://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-09#section-2.4>:
    scope       = "scope" "=" <"> scope-v *( SP scope-v ) <">
    scope-v     = 1*quoted-char
    quoted-char = ALPHA / DIGIT /
                  "!" / "#" / "$" / "%" / "&" / "'" / "(" / ")" /
                  "*" / "+" / "-" / "." / "/" / ":" / "<" / "=" /
                  ">" / "?" / "@" / "[" / "]" / "^" / "_" / "`" /
                  "{" / "|" / "}" / "~" / "\" / "," / ";"
You can't do this, as it conflicts with the syntax for quoted-string.
So the right way to do this is to say:
    scope = "scope" *SP "=" *SP ( token / quoted-string )
and then have prose constrain the value of the param after potentially
unescaping the quoted-string.
Best regards, Julian
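The conflict discussed in this thread, as an added example that is not code from the draft or from either participant: a parser following the draft-09 grammar literally and a generic HTTP quoted-string parser disagree on where a scope value containing "\" ends, while the quoted-string-without-backslash rule from the reply rejects that input. The function names and sample strings are constructed for illustration.

```python
import re

# quoted-char set from draft-09 section 2.4: includes "\", excludes DQUOTE and SP.
QC = r"A-Za-z0-9!#$%&'()*+\-./:<=>?@\[\]^_`{|}~\\,;"
DRAFT09 = re.compile(r'"([%s]+(?: [%s]+)*)"' % (QC, QC))

def scope_draft09(text):
    """Literal draft-09 grammar: a backslash is an ordinary scope character."""
    m = DRAFT09.match(text)
    if not m:
        raise ValueError("not a draft-09 scope value")
    return m.group(1).split(" "), text[m.end():]

def scope_quoted_string(text):
    """Generic HTTP quoted-string: a backslash starts a quoted-pair."""
    if not text.startswith('"'):
        raise ValueError("expected DQUOTE")
    out, i = [], 1
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])      # unescape the quoted-pair
            i += 2
        elif text[i] == '"':
            return "".join(out).split(" "), text[i + 1:]
        else:
            out.append(text[i])
            i += 1
    raise ValueError("unterminated quoted-string")

def scope_restricted(text):
    """Rule from the reply: quoted-string framing, but no backslash inside."""
    elements, rest = scope_quoted_string(text)
    if "\\" in text[:len(text) - len(rest)]:
        raise ValueError("backslash not allowed in scope")
    return elements, rest

# Constructed inputs: the text following `scope=` in a WWW-Authenticate header.
CONFLICT = r'"read\", error="x"'
PLAIN = '"https://example.com/a read"'

if __name__ == "__main__":
    for parse in (scope_draft09, scope_quoted_string, scope_restricted):
        for sample in (CONFLICT, PLAIN):
            try:
                print(parse.__name__, sample, "->", parse(sample))
            except ValueError as exc:
                print(parse.__name__, sample, "-> rejected:", exc)
```

Each function returns the scope elements and the unparsed remainder, so the disagreement shows up as the generic parser consuming part of the following `error` parameter.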