Re: [OAUTH-WG] OMA Liaison Has Arrived! scope-v

Barry Leiba <barryleiba@computer.org> Thu, 18 August 2011 17:51 UTC

In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1128B5BB96C@WSMSG3153V.srv.dir.telstra.com>
References: <CAC4RtVCafc=sTUOZ0h7BtXZ2rmZGpZ5xRCrsP=0fHRh8kOF3Cg@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1128B5BB96C@WSMSG3153V.srv.dir.telstra.com>
Date: Thu, 18 Aug 2011 13:52:33 -0400
Message-ID: <CAC4RtVBGuRTnY6MC9WpV9aJmkMBmJexi2Tcjfqw5Fp6r4KLmyQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: "Manger, James H" <James.H.Manger@team.telstra.com>, Mike Jones <Michael.Jones@microsoft.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OMA Liaison Has Arrived! scope-v

The text for the answer below came from Mike, as the chairs asked for
at the IETF 81 meeting.  Mike, do you have a response to James's
issue?  Can we give a better response here?  Should the bearer doc
specify %-encoding explicitly?

Barry

On Thu, Aug 18, 2011 at 7:15 AM, Manger, James H
<James.H.Manger@team.telstra.com> wrote:
>>> * For bearer tokens: clarification whether the non-support of percent
>>> encoding for scope-v element of WWW-Authenticate Response Header Field
>>> grammar is intentional.
>
>> Answer:
>> In the bearer token document (Section 2.4 of
>> draft-ietf-oauth-v2-bearer-08, "The WWW-Authenticate Response Header
>> Field"), the "scope-v" element is unambiguously defined to allow a
>> specific set of characters.  That set of characters does permit, but
>> does not mandate, support for percent-encoding of characters.
>
>
> This is a poor answer.
> A client app receiving a scope value in a "WWW-Authenticate: Bearer scope=..." response will either compare it with strings from an OAuth2 JSON-encoded token response, or copy it into a request to an authorization server. It needs to know if it needs to %-decode the value or not before doing these things. Clients cannot be expected to behave differently for different servers in this respect.
>
> OAuth2 core (implicitly) allows a scope to use any Unicode char except space (as space is used as a delimiter).
> Bearer restricts scopes to 93 ASCII chars.
> OMA are asking if this is intentional.
>
> If we really want to restrict scope values it would be better done in OAuth2 core.
> If we don't want to restrict values then the bearer spec needs to be able to handle any possible scope value by defining an escaping mechanism for scope-v (or by not having a scope parameter).
>
> --
> James Manger
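The following is an added illustration of the interoperability point James raises; it is not code from the thread, the Bearer draft, or any OMA document. It assumes the scope-v character set that RFC 6750 eventually adopted (NQSCHAR = %x21 / %x23-5B / %x5D-7E, i.e. printable ASCII minus space, double quote and backslash) as a stand-in for the draft-08 set, parses a constructed Bearer challenge and a constructed JSON token response, and shows that whether the challenge's scope "matches" the granted scope depends entirely on a %-decode choice the spec leaves to the client. The reversible escaping mechanism at the end is a constructed example of the kind of thing James asks for, not anything the draft defines.

```python
import json
import re
from urllib.parse import quote, unquote

# Assumption: scope-v is 1*NQSCHAR with NQSCHAR = %x21 / %x23-5B / %x5D-7E
# (RFC 6750's definition). The draft-08 set discussed in the thread is not
# reproduced here; it is likewise printable ASCII without space or quotes.
SCOPE_V_RE = re.compile(r'^[\x21\x23-\x5B\x5D-\x7E]+$')

# auth-param: name=token or name="quoted-string". Sufficient for Bearer
# challenges that carry no escaped quotes inside the quoted string.
AUTH_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_bearer_challenge(header):
    """Split 'Bearer realm="x", scope="a b"' into {'realm': 'x', 'scope': 'a b'}."""
    scheme, _, params = header.strip().partition(' ')
    if scheme.lower() != 'bearer':
        raise ValueError('not a Bearer challenge: %r' % header)
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in AUTH_PARAM_RE.finditer(params)}


def representable_in_scope_v(scope_token):
    """Can this scope name appear literally in scope-v? False for anything
    outside NQSCHAR: space, DQUOTE, backslash, any non-ASCII character."""
    return bool(SCOPE_V_RE.match(scope_token))


def ambiguous_under_percent_decoding(scope_token):
    """True if a client that %-decodes and one that does not would end up with
    different scope names. Such a token is valid scope-v under either reading."""
    return unquote(scope_token) != scope_token


def challenge_scopes_granted(challenge_header, token_response_json, decode):
    """Is every scope named in the challenge present in the JSON token
    response's 'scope'? The answer flips with the client's 'decode' choice,
    which is the ambiguity the thread is about."""
    scope_v = parse_bearer_challenge(challenge_header).get('scope', '')
    wanted = scope_v.split(' ')
    if decode:
        wanted = [unquote(t) for t in wanted]
    granted = json.loads(token_response_json).get('scope', '').split(' ')
    return set(wanted) <= set(granted)


# Constructed escaping mechanism (an assumption, not part of the draft):
# %-encode every octet the grammar cannot carry, plus '%' itself, so the
# mapping from arbitrary scope strings to scope-v is reversible.
_SAFE = "!#$&'()*+,-./:;<=>?@[]^_`{|}~"   # NQSCHAR minus '%'


def encode_scope_for_challenge(scope_tokens):
    """Arbitrary (Unicode, %-containing) scope names -> one scope-v string."""
    return ' '.join(quote(t, safe=_SAFE) for t in scope_tokens)


def decode_scope_from_challenge(scope_v):
    """Inverse of encode_scope_for_challenge."""
    return [unquote(t) for t in scope_v.split(' ')]


if __name__ == '__main__':
    # Constructed sample messages: the server's real scope name is 'a%2Fb'.
    challenge = 'Bearer realm="example", scope="a%2Fb read"'
    token_resp = '{"access_token":"t","token_type":"bearer","scope":"a%2Fb read"}'
    print(parse_bearer_challenge(challenge))
    print(challenge_scopes_granted(challenge, token_resp, decode=False))  # True
    print(challenge_scopes_granted(challenge, token_resp, decode=True))   # False
    print(encode_scope_for_challenge(['read', 'caf\u00e9', 'a%b']))       # read caf%C3%A9 a%25b
```

The two `challenge_scopes_granted` calls are the whole argument in miniature: the same challenge and the same token response either match or do not, depending only on a decision the client cannot derive from the grammar. With the constructed encoder, a scope such as `café` that the grammar cannot carry at all round-trips through scope-v unchanged, and `%` stops being ambiguous because it is always encoded.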