Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -10

Mike Jones <> Thu, 20 October 2011 15:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E465E21F8C2D for <>; Thu, 20 Oct 2011 08:33:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.098
X-Spam-Status: No, score=-10.098 tagged_above=-999 required=5 tests=[AWL=0.501, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZRGaOH1ubj7T for <>; Thu, 20 Oct 2011 08:33:33 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 648E621F8C1E for <>; Thu, 20 Oct 2011 08:33:33 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Thu, 20 Oct 2011 08:33:33 -0700
Received: from ([]) by ([]) with mapi id 14.01.0339.002; Thu, 20 Oct 2011 08:33:32 -0700
From: Mike Jones <>
To: Julian Reschke <>
Thread-Topic: [OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -10
Thread-Index: AcyOuBvrce+R9JZJS5GdKjqOZuv3GwAekJcAAA6gPVD//5G+AIAAdPAw//+S9AD///kYEA==
Date: Thu, 20 Oct 2011 15:33:32 +0000
Message-ID: <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -10
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 20 Oct 2011 15:33:34 -0000

By design, implementations can use existing quoted-string parsers, as these accept and correctly process all legal scope values.

The spec is silent on what to do with illegal values, such as those containing \ or those not surrounded by ".  Conforming implementations will not produce such values, and so there's no actual problem in practice, whether you use an off-the-shelf parameter parser or one specific to the Bearer scheme.

Thanks for sweating the details, by the way.  The spec is better for it.

				Best wishes,
				-- Mike

-----Original Message-----
From: Julian Reschke [] 
Sent: Thursday, October 20, 2011 1:05 AM
To: Mike Jones
Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -10

On 2011-10-20 09:41, Mike Jones wrote:
> Your proposed wording for 2.4 misses the point:  \ MUST NOT occur at all in the input string.  No quoting may occur.
 > ...

No, it doesn't miss the point.

You need to tell implementers whether they can use a quoted-string processor. Those processors will accept all the values you want to support, plus values that contain "\c" (representing "c"). Is this ok, or are recipients supposed to reject these values?

Furthermore, it's not clear what recipients are supposed to do with values that are not quoted, for instance for scope. The ABNF makes them illegal, but I promise you that many recipients will accept them nevertheless (unless you manage them to become draconian using a very good test suite).

See <> for a test case checking this for the realm parameter. It's already bad for many existing headers, please let's do things right with new ones.

Best regards, Julian