Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-08.txt

Mike Jones <Michael.Jones@microsoft.com> Wed, 27 July 2011 15:07 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "MARCON, JEROME (JEROME)" <jerome.marcon@alcatel-lucent.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 27 Jul 2011 15:07:35 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739434986B53A@TK5EX14MBXC202.redmond.corp.microsoft.com>
References: <20110727134508.1155.48861.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B1680429673943498692EA@TK5EX14MBXC202.redmond.corp.microsoft.com> <BFE0F4202603194E8C5A9E5705DFC6C5345B4875D5@FRMRSSXCHMBSA2.dc-m.alcatel-lucent.com>
In-Reply-To: <BFE0F4202603194E8C5A9E5705DFC6C5345B4875D5@FRMRSSXCHMBSA2.dc-m.alcatel-lucent.com>

In the bearer token spec, Section 2.4 (The WWW-Authenticate Response Header Field), scope is unambiguously defined to permit these characters:

   scope           = "scope" "=" <"> scope-v *( SP scope-v ) <">
   scope-v         = 1*quoted-char

   quoted-char     = ALPHA / DIGIT /
                     "!" / "#" / "$" / "%" / "&" / "'" / "(" / ")" /
                     "*" / "+" / "-" / "." / "/" / ":" / "<" / "=" /
                     ">" / "?" / "@" / "[" / "]" / "^" / "_" / "`" /
                     "{" / "|" / "}" / "~" / "\" / "," / ";"

I misspoke in the meeting thinking that this definition was also in the core spec.  I believe that it used to be there, but apparently it has been removed.  There it just says that "The scope of the access request expressed as a list of space-delimited, case sensitive strings."

This set of characters does permit, but does not mandate, support for percent-encoding of characters.

				-- Mike
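
As an added example (not part of the thread or the draft), here is a small checker that applies the draft-08 scope grammar quoted above to the scope attribute of a Bearer challenge, plus the percent-encoding that the grammar permits but does not mandate. It shows which of the values the question concerns fit the character set: URNs and percent-encoded UTF-8 pass, raw non-ASCII text and JSON (which needs DQUOTE) do not. The function names and sample challenges are constructed for this illustration.

```python
import re
from typing import List, Optional
from urllib.parse import quote

# quoted-char from draft-ietf-oauth-v2-bearer-08, Section 2.4: ALPHA / DIGIT
# plus the listed punctuation. Absent by design: SP (the separator), DQUOTE
# (the delimiter) and every byte outside US-ASCII.
QUOTED_CHAR = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "!#$%&'()*+-./:<=>?@[]^_`{|}~\\,;"
)

# scope = "scope" "=" <"> scope-v *( SP scope-v ) <">
# The grammar lists "\" as an ordinary quoted-char, so no escape handling here.
SCOPE_ATTR = re.compile(r'(?:^|[\s,])scope="([^"]*)"')


def is_scope_v(value: str) -> bool:
    """scope-v = 1*quoted-char: non-empty, every character in the set."""
    return len(value) >= 1 and all(c in QUOTED_CHAR for c in value)


def parse_scope_attr(challenge: str) -> Optional[List[str]]:
    """Return the scope-v values of a Bearer challenge's scope attribute,
    or None if the attribute is missing or any value violates the grammar."""
    m = SCOPE_ATTR.search(challenge)
    if m is None:
        return None
    # Exactly one SP separates values, so splitting on a single space turns a
    # leading, trailing or doubled space into an empty (hence invalid) value.
    values = m.group(1).split(" ")
    return values if all(is_scope_v(v) for v in values) else None


def percent_encode_scope_v(text: str) -> str:
    """One way to carry arbitrary text in a scope-v: percent-encode the UTF-8
    bytes. The grammar permits '%' but does not require this; it is a
    convention the resource server and its clients would have to agree on."""
    safe = "".join(c for c in QUOTED_CHAR if c != "%")
    return quote(text, safe=safe)


if __name__ == "__main__":
    # Constructed sample challenges, not taken from the draft.
    for hdr in ('Bearer realm="api", scope="openid urn:example:read"',
                'Bearer scope="read \u8bfb"',           # raw UTF-8: rejected
                'Bearer scope="%E8%AF%BB%20write"'):   # percent-encoded: accepted
        print(hdr, "->", parse_scope_attr(hdr))
    print(is_scope_v('{"a":1}'))                      # False: DQUOTE not allowed
    print(percent_encode_scope_v("读 write"))          # %E8%AF%BB%20write
```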

-----Original Message-----
From: MARCON, JEROME (JEROME) [mailto:jerome.marcon@alcatel-lucent.com] 
Sent: Wednesday, July 27, 2011 7:53 AM
To: Mike Jones; oauth@ietf.org
Subject: RE: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-08.txt

Mike,

Regarding the allowed characters for scope values (grammar of "scope-v"), is the non-support of percent encoding intentional? That would preclude scope values from being (every kind of) UTF-8 strings, or URNs, or JSON (short) payloads, etc.

This character set limitation does not exist in the core spec, wherever the scope parameter can be included in a request or response, either because percent encoding is usable, or else because the scope parameter is a JSON string.

It seems, besides, strange that the set of characters safe to use for scope values is not defined in the core spec, and instead is constrained by/dependent on the type of access token used (here, bearer token).

Note that this question was raised also by the Liaison Statement received from the Open Mobile Alliance.

Best regards,
Jerome


-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Wednesday, July 27, 2011 15:47
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-08.txt

Updated references to oauth-v2 and httpbis.

				-- Mike

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of internet-drafts@ietf.org
Sent: Wednesday, July 27, 2011 6:45 AM
To: i-d-announce@ietf.org
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-08.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF.

	Title           : The OAuth 2.0 Protocol: Bearer Tokens
	Author(s)       : Michael B. Jones
                          Dick Hardt
                          David Recordon
	Filename        : draft-ietf-oauth-v2-bearer-08.txt
	Pages           : 17
	Date            : 2011-07-27

   This specification describes how to use bearer tokens when accessing
   OAuth 2.0 protected resources.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-08.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-08.txt
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth