The <error-desc> value should just be <quoted-string>. The current ABNF implies you can include raw (unescaped) " and \ characters in the value (as they are chars in <VCHAR>) - but that breaks parsing. If the intention was not to allow senders to use escapes then <error-desc-char> needs to be <%x20-%x21 / %x23-5B / %x5D-7E>. If that is the intention why not disallow escapes from <error> as well?
Section 3 "The WWW-Authenticate Response Header Field"

OLD:
  error-desc = "error_description" "=" DQUOTE *error-desc-char DQUOTE
  error-desc-char = SP / VCHAR
NEW:
  error-desc = "error_description" "=" quoted-string

The note about being allowed to parse <scope> with a quoted-string parser should also apply to <error-desc> and <error-uri> as well.

Perhaps a better approach is to: define <scope>, <error>, <error-desc>, and <error-uri> values as <quoted-string>; add text saying senders MUST NOT use quoted-string's escape mechanism (so " and \ cannot appear in the values), though receivers MAY use a standard quoted-string parser; say the <error-uri> value must match <URI-reference>; say the <scope> value is a list of space-delimited, case sensitive strings.

NEW:
  scope = "scope" "=" quoted-string
  error = "error" "=" quoted-string
  error-desc = "error_description" "=" quoted-string
  error-uri = "error_uri" "=" quoted-string

  Senders MUST NOT use the quoted-string escape mechanism for "scope", "error", "error_description", or "error_uri" values. That is, those values cannot include " or \. Receivers MAY use a standard quoted-string parser, and hence accept some values that are not allowed to be sent. An "error_uri" value MUST match the URI-reference rule from [RFC3986]. The "scope" value is a list of space-delimited, case sensitive strings.

...

P.S. trivial typo: "URI-Reference" should be "URI-reference" in §1.1.

--
James Manger
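An added illustration, not part of the original message: a sender-side check for the restricted character set proposed above, next to a lenient receiver-side quoted-string parser, run on a constructed value that the OLD ABNF admits. The function names and the sample header value are hypothetical.

```python
import re

# Sender-side rule from the message: no DQUOTE (%x22) or backslash (%x5C),
# i.e. only %x20-21 / %x23-5B / %x5D-7E.
SENDER_SAFE = re.compile(r'[\x20-\x21\x23-\x5B\x5D-\x7E]*')

def sender_value_ok(value):
    """True if value can be sent without the quoted-string escape mechanism."""
    return SENDER_SAFE.fullmatch(value) is not None

def parse_quoted_string(text, pos=0):
    """Receiver side: lenient quoted-string parser that accepts backslash escapes.

    Returns (value, index just past the closing DQUOTE); raises ValueError
    on malformed input.
    """
    if pos >= len(text) or text[pos] != '"':
        raise ValueError("expected opening DQUOTE")
    out, i = [], pos + 1
    while i < len(text):
        ch = text[i]
        if ch == '"':                 # first unescaped DQUOTE ends the value
            return "".join(out), i + 1
        if ch == "\\":                # quoted-pair: take the next char literally
            i += 1
            if i >= len(text):
                break
            ch = text[i]
        out.append(ch)
        i += 1
    raise ValueError("unterminated quoted-string")

def parse_param(text, name):
    """Parse name="value" at the start of text; return (value, unparsed rest)."""
    prefix = name + "="
    if not text.startswith(prefix):
        raise ValueError("parameter name mismatch")
    value, end = parse_quoted_string(text, len(prefix))
    return value, text[end:]

# Constructed sample: every char is SP / VCHAR, so the OLD ABNF admits it,
# yet the raw DQUOTE inside makes a quoted-string parser stop early.
OLD_STYLE = 'error_description="token "abc" expired"'

if __name__ == "__main__":
    print(parse_param(OLD_STYLE, "error_description"))
    print(sender_value_ok('token "abc" expired'))
```

The parser ends the value at the first unescaped quote and leaves `abc" expired"` unparsed, which is the breakage the OLD rule allows; the sender check rejects that value before it is emitted.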