Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions

Mike Jones <Michael.Jones@microsoft.com> Sun, 16 October 2011 16:44 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: OAuth WG <oauth@ietf.org>

As Eran wrote on 9/30, "The fact that the v2 spec allows a wide range of characters in scope was unintentional. The design was limited to allow simple ASCII strings and URIs."

				-- Mike

-----Original Message-----
From: Julian Reschke [mailto:julian.reschke@gmx.de] 
Sent: Sunday, October 16, 2011 3:44 AM
To: Mike Jones
Cc: Tschofenig, Hannes (NSN - FI/Espoo); Hannes Tschofenig; OAuth WG
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed Resolutions

On 2011-10-16 07:12, Mike Jones wrote:
> In your note yesterday summarizing our proposed issue resolutions, you wrote "The scope field is yet another item that will not be shown to the user and it serves the purpose of an identifier for authorization comparison. So, we don't need to have any internationalization support here either."
>
> I'm therefore confused by your note below, Hannes, as it seems to me 
> to contradict both your statement above.  In particular, there's no 
> need for Unicode encodings when internationalization isn't required.  
> ASCII characters are fine for representing machine-readable scope 
> elements that will never be displayed to users.  That's the approach 
> I'm taking in draft 10.  (And indeed, EVERY draft of the bearer token 
> spec has specified only ASCII characters, so this is nothing new...)

Confused we are :-)

The core spec doesn't restrict what can be in a scope (looking at <https://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.3>).

Also, you wrote earlier on:

 > Any strings that the Authorization Server chooses to define meanings for



Best regards, Julian