Re: [OAUTH-WG] Basic questions about using the HTTP Authorization header
Andrew Arnott <andrewarnott@gmail.com> Sun, 11 July 2010 05:41 UTC
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: oauth <oauth@ietf.org>

Eran,

Is the draft 10 spec going to outline what characters are allowed in the access token? And if not (or if all characters are allowed), is it going to include details about (or a reference to a doc about) how to properly escape the access token when specifying it in the HTTP Authorization header?

Thanks.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Sat, Jun 26, 2010 at 9:42 AM, William Mills <wmills@yahoo-inc.com> wrote:

> I don't remember where I found it before, but OWS is Optional White
> Space, and RWS is Required White Space. There is also no BNF to define
> access_token or refresh_token.
>
> For this spec to be implementable "all this stuff" has to be explicitly
> defined....
>
> ------------------------------
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf Of* Andrew Arnott
> *Sent:* Saturday, June 26, 2010 7:03 AM
> *To:* OAuth WG (oauth@ietf.org)
> *Subject:* [OAUTH-WG] Basic questions about using the HTTP Authorization header
>
> Can anyone point me to good reference material for understanding the
> Authorization header in Section 5.1 of the OAuth 2.0 draft 8 spec
> <http://tools.ietf.org/id/draft-ietf-oauth-v2-08.html#authz_header> and
> the WWW-Authenticate section 6?
>
> Specifically, some questions I have are:
>
> 1. How to properly escape the access token for inclusion in the header?
>    (suppose a linefeed or null character were in the token... how to escape
>    that?)
> 2. What do RWS and OWS stand for?
> 3. What is the "realm" value? Is the "service" string that is always
>    set as its value a literal, or a placeholder? What are some actual values
>    that might appear?
>
> I'm sure there's an RFC out there that describes all this stuff. RFC 2617
> is mentioned as a source for some of this, but "RWS" doesn't show up
> anywhere in that RFC, for example, so I'm not sure where the best place is
> to look this up in.
>
> Thanks.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre