Re: [OAUTH-WG] WWW-Authenticate Header (Bearer etc.)

William Mills <> Wed, 25 January 2012 19:24 UTC

Date: Wed, 25 Jan 2012 11:24:26 -0800
From: William Mills <>
To: Eran Hammer <>, "" <>
Subject: Re: [OAUTH-WG] WWW-Authenticate Header (Bearer etc.)

Thanks, that's a good explanation.

From: Eran Hammer <>
To: "" <>
Sent: Wednesday, January 25, 2012 10:12 AM
Subject: [OAUTH-WG] WWW-Authenticate Header (Bearer etc.)

People seem confused about the issue raised by Julian. It is pretty simple.

The HTTP WWW-Authenticate header definition allows each header parameter to have a quoted string or token value. Token values are very restrictive and not suitable for scope (no spaces, etc.). Quoted strings allow a wider set of characters at the cost of requiring escaping for " and \.

The WG decided that in order to avoid escaping, we will restrict scope values to only those characters legal in a quoted string without escaping. This change was made in -23.

The issue here is different.

The WWW-Authenticate header isn't OAuth-specific and it allows the server to declare more than one scheme. For example:

WWW-Authenticate: Bearer realm="xyz", Basic realm="123"

This is how HTTP works and this WG doesn't get to change it. The problem is that the bearer token specification is changing the *general* definition of the WWW-Authenticate header to only use quoted strings and not tokens. This is wrong.

It is true that a *generic* parser will be able to parse a bearer token header without any issues. But a parser written specifically for the bearer token use case will most likely fail when parsing the WWW-Authenticate header with other schemes.

OAuth must not define its own WWW-Authenticate handling logic. It should opt into the HTTP framework without any modifications. It is perfectly fine to restrict values and by doing so, we made servers simpler by not having to ever encode scopes but we cannot try to simplify client code by "profiling" HTTP.

My view has not changed and trying to portray it in this fashion shows ignorance of the issue. I supported restricting the character set of scopes. I am against changing the HTTP definition of WWW-Authenticate.


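The two points Eran makes (a generic HTTP parser copes with a Bearer challenge, while a Bearer-only parser breaks on a multi-scheme header or a token-valued parameter) can be shown side by side. The following Python is an added example written for this page; it is not code from the thread or from the OAuth drafts. It implements the generic challenge grammar in its auth-param form only (the token68 form used by schemes such as Negotiate is deliberately left out, an assumption made to keep it short), the `parse_bearer_only` function is a constructed stand-in for the kind of scheme-specific parser the message warns about, and the scope validator uses the scope-token rule `1*( %x21 / %x23-5B / %x5D-7E )` that the -23 restriction became in RFC 6750 section 3.

```python
"""WWW-Authenticate: generic HTTP challenge parser vs. a Bearer-only parser.
Added example for this page (not from the OAuth drafts).  Assumption: only the
auth-param challenge form of RFC 7235 is handled, not token68 blobs."""
import re
from typing import Dict, List, Optional, Tuple

# tchar per RFC 7230 3.2.6: no SP, no '"', no ',', hence unusable for scope lists.
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
WS_RE = re.compile(r"[ \t]*")


def _skip_ws(s: str, i: int) -> int:
    return WS_RE.match(s, i).end()


def _read_token(s: str, i: int) -> Tuple[str, int]:
    m = TOKEN_RE.match(s, i)
    if not m:
        raise ValueError(f"expected token at offset {i}: {s[i:i + 10]!r}")
    return m.group(0), m.end()


def _read_quoted_string(s: str, i: int) -> Tuple[str, int]:
    """Read the quoted-string starting at s[i] == '"'; backslash pairs are unescaped."""
    i += 1
    out = []
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):      # quoted-pair
            out.append(s[i + 1])
            i += 2
        elif c == '"':
            return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated quoted-string")


def parse_www_authenticate(header: str) -> List[Tuple[str, Dict[str, str]]]:
    """Generic HTTP rules: comma-separated challenges, each a scheme followed by
    comma-separated auth-params whose value is a token OR a quoted-string.
    A token not followed by '=' starts a new challenge, which is why
    'Bearer realm="xyz", Basic realm="123"' yields two challenges."""
    challenges: List[Tuple[str, Dict[str, str]]] = []
    params: Optional[Dict[str, str]] = None
    last = "comma"                            # previous element: scheme / param / comma
    i, n = _skip_ws(header, 0), len(header)
    while i < n:
        if header[i] == ",":                  # list separator (empty elements allowed)
            i, last = _skip_ws(header, i + 1), "comma"
            continue
        tok, j = _read_token(header, i)
        j = _skip_ws(header, j)
        if j < n and header[j] == "=":        # auth-param: name "=" ( token / quoted-string )
            if params is None or last == "param":
                raise ValueError(f"auth-param {tok!r} at offset {i} needs a scheme or ','")
            j = _skip_ws(header, j + 1)
            if j < n and header[j] == '"':
                value, j = _read_quoted_string(header, j)
            else:
                value, j = _read_token(header, j)
            params[tok.lower()] = value       # param names are case-insensitive
            last = "param"
        else:                                 # new challenge (scheme names too)
            if last != "comma":
                raise ValueError(f"challenge {tok!r} at offset {i} must follow ','")
            params = {}
            challenges.append((tok.lower(), params))
            last = "scheme"
        i = _skip_ws(header, j)
    if not challenges:
        raise ValueError("no challenge in header")
    return challenges


BEARER_ONLY_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_only(header: str) -> Dict[str, str]:
    """Constructed stand-in for the scheme-specific parser the message warns about:
    it assumes 'Bearer' followed only by name="quoted" pairs, so it drops
    token-valued params and silently absorbs a second scheme's params."""
    if not header.startswith("Bearer "):
        raise ValueError("not a Bearer challenge")
    return dict(BEARER_ONLY_RE.findall(header))


# scope-token = 1*( %x21 / %x23-5B / %x5D-7E ): printable ASCII minus '"' and '\'
# (the -23 restriction, kept in RFC 6750 section 3); scope = scope-token *( SP scope-token )
SCOPE_TOKEN_RE = re.compile(r"[\x21\x23-\x5b\x5d-\x7e]+")


def scope_needs_no_escaping(scope: str) -> bool:
    """True iff the whole scope fits in a quoted-string with no escaping at all."""
    return all(SCOPE_TOKEN_RE.fullmatch(t) for t in scope.split(" "))


def quote_value(value: str) -> str:
    """Serialise as an HTTP quoted-string, escaping backslash and '"' (generic rule)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_bearer_challenge(realm: str, scope: str, error: Optional[str] = None) -> str:
    """Server side: with the scope restriction enforced, quote_value never has to
    escape a scope, but the emitter keeps the generic quoting rule anyway."""
    if not scope_needs_no_escaping(scope):
        raise ValueError("scope contains characters outside the scope-token set")
    params = [("realm", realm), ("scope", scope)] + ([("error", error)] if error else [])
    return "Bearer " + ", ".join(f"{k}={quote_value(v)}" for k, v in params)


if __name__ == "__main__":
    # Constructed header values; the first is the one quoted in the message.
    for hdr in ('Bearer realm="xyz", Basic realm="123"',
                'Bearer realm=xyz, scope="read write"',
                build_bearer_challenge("api", "read write", "invalid_token")):
        print(hdr)
        print("  generic:     ", parse_www_authenticate(hdr))
        print("  bearer-only: ", parse_bearer_only(hdr))
```

Run on the header from the message, the generic parser returns two challenges, while the Bearer-only parser returns a single dict whose `realm` is `"123"`: the Basic challenge's parameter has overwritten the Bearer one. On `Bearer realm=xyz` (a token value, legal HTTP) the Bearer-only parser finds nothing at all. Restricting scope characters, as -23 does, keeps `build_bearer_challenge` from ever needing to escape, without touching how the header itself is parsed.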