Re: [OAUTH-WG] OMA Liaison Has Arrived! scope-v

"William J. Mills" <> Thu, 18 August 2011 18:08 UTC

Date: Thu, 18 Aug 2011 11:09:41 -0700
From: "William J. Mills" <>
To: "Manger, James H" <>, Barry Leiba <>, "" <>

+1 for James's feedback here.  We need to solve this.

From: "Manger, James H" <>
To: Barry Leiba <>; "" <>
Sent: Thursday, August 18, 2011 4:15 AM
Subject: Re: [OAUTH-WG] OMA Liaison Has Arrived! scope-v

>> *    For bearer tokens: clarification whether the non-support of percent
encoding for scope-v element of WWW-Authenticate Response Header Field
grammar is intentional.

> Answer:
> In the bearer token document (Section 2.4 of
> draft-ietf-oauth-v2-bearer-08, "The WWW-Authenticate Response Header
> Field"), the "scope-v" element is unambiguously defined to allow a
> specific set of characters.  That set of characters does permit, but
> does not mandate, support for percent-encoding of characters.

This is a poor answer.
A client app receiving a scope value in a "WWW-Authenticate: Bearer scope=..." response will either compare it with strings from an OAuth2 JSON-encoded token response, or copy it into a request to an authorization server. It needs to know if it needs to %-decode the value or not before doing these things. Clients cannot be expected to behave differently for different servers in this respect.

OAuth2 core (implicitly) allows a scope to use any Unicode char except space (as space is used as a delimiter).
Bearer restricts scopes to 93 ASCII chars.
OMA are asking if this is intentional.

If we really want to restrict scope values it would be better done in OAuth2 core.
If we don't want to restrict values then the bearer spec needs to be able to handle any possible scope value by defining an escaping mechanism for scope-v (or by not having a scope parameter).

James Manger

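The following is an added example, not part of the thread or of any OAuth working-group draft. It parses a "WWW-Authenticate: Bearer ..." challenge, checks each scope token against the character set the published RFCs ended up with (scope-v = 1*NQCHAR, with NQCHAR = %x21 / %x23-5B / %x5D-7E from RFC 6749 Appendix A; the draft-08 "quoted-char" set under discussion in the thread differs slightly), and shows the client-side decision point James describes: the same header value reads differently depending on whether the client assumes the server percent-encoded it. The sample header and scope strings are constructed for the example.

```python
"""Parse a Bearer challenge and expose the scope-v percent-encoding ambiguity.

Added example (not from the mailing-list thread). Grammar assumptions:
  scope-v  = 1*NQCHAR                         (RFC 6750, section 3)
  NQCHAR   = %x21 / %x23-5B / %x5D-7E         (RFC 6749, Appendix A)
i.e. every visible ASCII character except SP (0x20), DQUOTE (0x22) and
backslash (0x5C). Scope tokens are separated by SP as in OAuth 2.0 core.
"""
import re
from urllib.parse import unquote

NQCHAR = frozenset(chr(c) for c in range(0x21, 0x7F) if c not in (0x22, 0x5C))

# auth-param = token "=" ( token / quoted-string ), comma separated.
_AUTH_PARAM = re.compile(
    r"\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*=\s*"   # param name, "="
    r'(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))'          # quoted-string or token
    r"\s*(?:,|$)"
)


def parse_bearer_challenge(header: str) -> dict:
    """Return the auth-params of a Bearer challenge as {name: value}.

    Quoted-string backslash escapes are unfolded; names are lower-cased.
    Raises ValueError for a non-Bearer scheme or a malformed parameter.
    """
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % header)
    params = {}
    pos = 0
    while pos < len(rest):
        m = _AUTH_PARAM.match(rest, pos)
        if not m:
            raise ValueError("malformed auth-param near %r" % rest[pos:])
        name, quoted, bare = m.group(1).lower(), m.group(2), m.group(3)
        params[name] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
        pos = m.end()
    return params


def is_scope_v(value: str) -> bool:
    """True if every scope token in `value` is non-empty and consists only of
    NQCHAR. A scope containing a non-ASCII character (allowed, implicitly, by
    OAuth2 core) is not representable as scope-v and yields False."""
    tokens = value.split(" ") if value else []
    return all(tok and all(ch in NQCHAR for ch in tok) for tok in tokens)


def split_scope(scope_v: str) -> list:
    """Split a scope-v value on SP, rejecting tokens outside the grammar."""
    if not is_scope_v(scope_v):
        raise ValueError("scope not representable as scope-v: %r" % scope_v)
    return scope_v.split(" ") if scope_v else []


def scope_candidates(scope_v: str) -> dict:
    """Both readings a client might take of the same header value.

    'raw' treats the characters literally; 'decoded' assumes the server
    percent-encoded them. When the two differ, a client comparing against the
    `scope` member of a JSON token response, or copying the value into an
    authorization request, cannot tell which reading the server intended.
    """
    raw = split_scope(scope_v)
    decoded = unquote(scope_v).split(" ") if scope_v else []
    return {"raw": raw, "decoded": decoded, "ambiguous": raw != decoded}


def scopes_match(challenge_scope_v: str, token_response_scope: str) -> bool:
    """Compare the challenge scope with a token response's space-delimited
    `scope` string as a client that does NOT percent-decode would."""
    return set(split_scope(challenge_scope_v)) == set(token_response_scope.split(" "))


if __name__ == "__main__":
    # Constructed sample challenge; not captured from any real server.
    hdr = 'Bearer realm="example", scope="read read%20write", error="insufficient_scope"'
    params = parse_bearer_challenge(hdr)
    print(params)
    print(scope_candidates(params["scope"]))   # raw and decoded readings differ
    print(is_scope_v("écrire"))                 # non-ASCII scope: not scope-v
```

Run as a script it prints the parsed parameters and the two readings of the constructed scope value; the `ambiguous` flag is the condition James's message says a client should never have to resolve on its own.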