[OAUTH-WG] nits about definition of using form parameters

Julian Reschke <julian.reschke@gmx.de> Tue, 12 June 2012 09:13 UTC

Message-ID: <4FD70812.6040108@gmx.de>
Date: Tue, 12 Jun 2012 11:12:50 +0200
From: Julian Reschke <julian.reschke@gmx.de>
To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>

Hi there,

re <http://tools.ietf.org/html/draft-ietf-oauth-v2-27#section-4.3.2>:

This needs a normative reference to a spec that defines the 
application/x-www-form-urlencoded media type (such as 
<http://www.w3.org/TR/html5/iana.html#application-x-www-form-urlencoded>).

Looking at the media type definition I don't see any mention of a 
charset parameter, so the example probably is wrong. See also 
<http://www.w3.org/TR/html5/form-submission.html#url-encoded-form-data>:

"Note: Parameters on the application/x-www-form-urlencoded MIME type are 
ignored. In particular, this MIME type does not support the charset 
parameter."

I would also advise changing

    The client makes a request to the token endpoint by adding the
    following parameters using the "application/x-www-form-urlencoded"
    format in the HTTP request entity-body:

    grant_type
          REQUIRED.  Value MUST be set to "password".
    username
          REQUIRED.  The resource owner username, encoded as UTF-8.
    password
          REQUIRED.  The resource owner password, encoded as UTF-8.
    scope
          OPTIONAL.  The scope of the access request as described by
          Section 3.3.

to
    The client makes a request to the token endpoint by sending the
    following parameters using the "application/x-www-form-urlencoded"
    format (Section 4.10.22.5 of [WD-html5-20120329]) and a
    character encoding of "UTF-8" in the HTTP request entity-body:

    grant_type
          REQUIRED.  Value MUST be set to "password".
    username
          REQUIRED.  The resource owner username.
    password
          REQUIRED.  The resource owner password.
    scope
          OPTIONAL.  The scope of the access request as described by
          Section 3.3.

Finally, it would be good if the example used characters that require 
escaping in the body, such as "&", "%", or non-ASCII characters.

(similar nits apply to other sections using form encoding)

Best regards, Julian
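The token request body the post is about, as an added example (not part of the original message or of the OAuth draft): the client side builds the section 4.3.2 parameters as application/x-www-form-urlencoded with UTF-8 as the character encoding and no charset parameter on the media type, and the server side decodes them as UTF-8 again. The credential values and scope are constructed sample data chosen to contain "&", "%", a space and a non-ASCII character.

```python
from typing import Dict, Optional, Tuple
import urllib.parse

# Added example; the OAuth specification does not prescribe this code.


def build_token_request(username: str, password: str,
                        scope: Optional[str] = None) -> Tuple[Dict[str, str], str]:
    """Return (headers, body) for a resource-owner password credentials request.

    The body is application/x-www-form-urlencoded.  Each value is first
    encoded as UTF-8 and then percent-encoded, so "&", "%", "=" and
    non-ASCII characters in a password can never be mistaken for parameter
    delimiters by the token endpoint.
    """
    params = [("grant_type", "password"),
              ("username", username),
              ("password", password)]
    if scope is not None:
        params.append(("scope", scope))
    body = urllib.parse.urlencode(params, encoding="utf-8")
    # The media type defines no "charset" parameter, so none is sent; the
    # UTF-8 character encoding is a property of the body, not of the header.
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return headers, body


def parse_token_request(body: str) -> Dict[str, str]:
    """Server side: decode the form body as UTF-8 into single-valued parameters.

    OAuth request parameters must not appear more than once, so a repeated
    parameter is rejected instead of silently picking the first or last value.
    """
    parsed = urllib.parse.parse_qs(body, keep_blank_values=True,
                                   strict_parsing=True, encoding="utf-8")
    for name, values in parsed.items():
        if len(values) != 1:
            raise ValueError(f"parameter {name!r} repeated")
    return {name: values[0] for name, values in parsed.items()}


if __name__ == "__main__":
    hdrs, form = build_token_request("jöhn doe", "p&ss%wörd", "read")
    print(hdrs, form, parse_token_request(form), sep="\n")
```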