Re: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?

Julian Reschke <> Sun, 01 January 2012 19:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6961811E8081 for <>; Sun, 1 Jan 2012 11:15:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.866
X-Spam-Status: No, score=-103.866 tagged_above=-999 required=5 tests=[AWL=-1.267, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id OuhO7EnjiQ08 for <>; Sun, 1 Jan 2012 11:15:09 -0800 (PST)
Received: from ( []) by (Postfix) with SMTP id 77D1111E8073 for <>; Sun, 1 Jan 2012 11:15:09 -0800 (PST)
Received: (qmail invoked by alias); 01 Jan 2012 19:15:08 -0000
Received: from (EHLO []) [] by (mp061) with SMTP; 01 Jan 2012 20:15:08 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX18XtMFoyywXUAMtxRUJA9JEQJie+9bLz2dJTP8cuU etFoo5spexczsV
Message-ID: <>
Date: Sun, 01 Jan 2012 20:15:02 +0100
From: Julian Reschke <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Mike Jones <>
References: <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: Mark Nottingham <>, Barry Leiba <>, OAuth WG <>
Subject: Re: [OAUTH-WG] auth-param syntax, was: OK to post OAuth Bearer draft 15?
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 01 Jan 2012 19:15:10 -0000

On 2011-12-31 20:40, Mike Jones wrote:
> Maybe I misunderstood your position.  If you agree that '\' may not occur in the INPUT string, then that issue can be closed.  That was the working group consensus position, per the cited e-mails.  I thought that you were arguing that syntax restrictions on the parameters should only be placed upon the OUTPUT string - which forces all implementations to support unnecessary encodings like "\a\b\c" for "abc".  Please let me know whether you're fine with the working group prohibiting the use of '\' in the input string as the spec presently currently does.

I'm not ok with that; because it's totally besides the point.

A recipient of WWW-Authenticate needs to use a proper parser for that 
header field. And if you use a proper parser, it doesn't matter.

I'm not saying anybody should send something like that. What I'm saying 
is that you shouldn't create an illusion that a recipient doesn't need 
to deal with it.

A recipient that can't handle quoted-string syntax in auth-params is 
broken. A recipient that can't handle token syntax in auth-params is 
broken as well.

Finally, please re-read what I said: the syntax of the challenge is 
defined by HTTP. The bearer spec can't change the parsing rules, because 
you need a generic parser to properly handle header fields containing 
multiple challenges. Once that generic parser has done it's job, it 
should not matter anymore whether a value used the token syntax or the 
quoted-string syntax, and also it shouldn't matter anymore where 
unescaping has taken place or not.

What you're trying to do is comparable with defining an XML vocabulary 
where you profile how an attribute is serialized (' vs  ", character 
encoding, escaping). Don't.

Best regards, Julian