Re: [OAUTH-WG] OMA Liaison Has Arrived! scope-v

Barry Leiba <> Thu, 18 August 2011 17:51 UTC

From: Barry Leiba <>
To: "Manger, James H" <>, Mike Jones <>
Date: Thu, 18 Aug 2011 13:52:33 -0400
Subject: Re: [OAUTH-WG] OMA Liaison Has Arrived! scope-v

The text for the answer below came from Mike, as the chairs asked for
at the IETF 81 meeting.  Mike, do you have a response to James's
issue?  Can we give a better response here?  Should the bearer doc
specify %-encoding explicitly?


On Thu, Aug 18, 2011 at 7:15 AM, Manger, James H
<> wrote:
>>> *    For bearer tokens: clarification whether the non-support of percent
>>> encoding for scope-v element of WWW-Authenticate Response Header Field
>>> grammar is intentional.
>> Answer:
>> In the bearer token document (Section 2.4 of
>> draft-ietf-oauth-v2-bearer-08, "The WWW-Authenticate Response Header
>> Field"), the "scope-v" element is unambiguously defined to allow a
>> specific set of characters.  That set of characters does permit, but
>> does not mandate, support for percent-encoding of characters.
> This is a poor answer.
> A client app receiving a scope value in a "WWW-Authenticate: Bearer scope=..." response will either compare it with strings from an OAuth2 JSON-encoded token response, or copy it into a request to an authorization server. It needs to know if it needs to %-decode the value or not before doing these things. Clients cannot be expected to behave differently for different servers in this respect.
> OAuth2 core (implicitly) allows a scope to use any Unicode char except space (as space is used as a delimiter).
> Bearer restricts scopes to 93 ASCII chars.
> OMA are asking if this is intentional.
> If we really want to restrict scope values it would be better done in OAuth2 core.
> If we don't want to restrict values then the bearer spec needs to be able to handle any possible scope value by defining an escaping mechanism for scope-v (or by not having a scope parameter).
> --
> James Manger
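The following is an added illustration of the ambiguity James describes; it is not code from the thread, from the bearer draft, or from any of the participants. It parses the scope parameter of a Bearer challenge, compares it with the scope of a JSON token response under the two policies a client could adopt (%-decode or take the value literally), and shows that neither policy is right for every server. The character set it enforces for scope-v (printable ASCII except the double quote, which is 93 characters) is an assumption standing in for the draft's ABNF, and the challenge and token-response samples are constructed for the demonstration.

```python
from __future__ import annotations

import json
import re
import urllib.parse

# Assumption: scope-v in draft-ietf-oauth-v2-bearer-08 permits printable ASCII
# (0x21-0x7E) except the double quote. That is a 93-character set, matching the
# count mentioned in the thread; check the draft's ABNF for the authoritative list.
SCOPE_V_ALLOWED = frozenset(chr(c) for c in range(0x21, 0x7F)) - {'"'}

# auth-param = token "=" quoted-string (only the quoted form is handled here)
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_bearer_challenge(header: str) -> dict[str, str]:
    """Return the auth-params of a 'Bearer ...' WWW-Authenticate value."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return {k: v for k, v in _PARAM_RE.findall(params)}


def challenge_scopes(header: str, percent_decode: bool) -> list[str]:
    """Scope values from the challenge under one of the two client policies the
    thread contrasts: %-decode each value, or take it literally."""
    scope = parse_bearer_challenge(header).get("scope", "")
    for ch in scope:
        if ch != " " and ch not in SCOPE_V_ALLOWED:
            raise ValueError(f"character {ch!r} is outside the scope-v grammar")
    raw = scope.split(" ") if scope else []
    return [urllib.parse.unquote(s) for s in raw] if percent_decode else raw


def token_response_scopes(body: str) -> list[str]:
    """Scope values from a JSON token response: space-delimited, any Unicode."""
    return json.loads(body).get("scope", "").split(" ")


def encode_scope_for_challenge(scopes: list[str]) -> str:
    """What a server has to do to fit an arbitrary scope into scope-v: %-encode
    everything outside the allowed set. A client cannot tell this output apart
    from a scope whose literal value happens to contain '%'."""
    safe = "".join(sorted(SCOPE_V_ALLOWED - {"%"}))
    return " ".join(urllib.parse.quote(s, safe=safe) for s in scopes)


def scopes_match(challenge: str, body: str, percent_decode: bool) -> bool:
    """Does the challenge's scope set equal the token response's scope set?"""
    return set(challenge_scopes(challenge, percent_decode)) == set(token_response_scopes(body))


# Constructed samples (not from the thread). The first server issues Unicode
# scopes and %-encodes them in the challenge; the second uses an ASCII scope
# that literally contains "%20".
CHALLENGE_ENCODED = 'Bearer realm="example", scope="%E8%AF%BB%E5%8F%96 %E5%86%99%E5%85%A5"'
TOKEN_UNICODE = '{"access_token": "x", "token_type": "bearer", "scope": "读取 写入"}'
CHALLENGE_LITERAL = 'Bearer realm="example", scope="read%20all write"'
TOKEN_LITERAL = '{"access_token": "x", "token_type": "bearer", "scope": "read%20all write"}'


def demo() -> dict[str, bool]:
    """Each client policy is correct for one server and wrong for the other."""
    return {
        "unicode_server_decode": scopes_match(CHALLENGE_ENCODED, TOKEN_UNICODE, True),
        "unicode_server_literal": scopes_match(CHALLENGE_ENCODED, TOKEN_UNICODE, False),
        "literal_server_decode": scopes_match(CHALLENGE_LITERAL, TOKEN_LITERAL, True),
        "literal_server_literal": scopes_match(CHALLENGE_LITERAL, TOKEN_LITERAL, False),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'match' if ok else 'MISMATCH'}")
```

Running it shows the decoding policy succeeding only against the Unicode server and the literal policy succeeding only against the ASCII server, which is the point of James's objection: a single rule (an escaping mechanism defined in the bearer spec, or the restriction moved into OAuth2 core) is what lets one client work with every server.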