> We will need to choose an encoding method for the header values

Not if we restrict the allowed chars in tokens to a very safe set of ~64 chars.

> and percent-encoding seems to make the most sense

It makes sense in URIs. In HTTP headers, however, I think it is more novel. There are quoted strings, \-escapes for a few chars, and some strange beast that does use %-encoding but not in double quotes and with a charset label.

> (though unlike OAuth 1.0, we will not detail the encoding function).

> Base64-ed values are hard to debug.

Debugging pesky %-escapes in base64 is annoying. That can be avoided by specifying the base64-url encoding without '=' terminators.

If a party wants to represent an arbitrary byte array... that's easy: apply the base64-url encoding without '=' terminators to the bytes

If a party wants to represent an arbitrary Unicode string... that's easy: apply the base64-url encoding without '=' terminators to the UTF-8 encoding

--
James Manger
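
The encoding proposed in the message above, as an added Python example that is not part of the original post: unpadded base64url for byte arrays and UTF-8 strings, plus a strict decoder for the receiving side. The function names are hypothetical, and the strictness checks (alphabet, length, canonical form) are an assumption about what a receiver would want, not something the message specifies.

```python
import base64
import re

# The 64-character base64url alphabet (RFC 4648, section 5); '=' is not allowed.
_B64URL_RE = re.compile(r"[A-Za-z0-9_-]*")


def b64url_encode(data: bytes) -> str:
    """base64url-encode arbitrary bytes and drop the '=' terminators."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_encode_text(text: str) -> str:
    """Encode an arbitrary Unicode string via its UTF-8 bytes."""
    return b64url_encode(text.encode("utf-8"))


def b64url_decode(value: str) -> bytes:
    """Strictly decode unpadded base64url; raise ValueError on anything else."""
    # Python's decoder silently skips unknown characters, so check them first.
    if not _B64URL_RE.fullmatch(value):
        raise ValueError("character outside the base64url alphabet")
    if len(value) % 4 == 1:
        raise ValueError("impossible length for unpadded base64url")
    data = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    # Reject aliases such as "QR" for "QQ" (non-zero trailing bits), so that
    # each byte string has exactly one accepted header representation.
    if b64url_encode(data) != value:
        raise ValueError("non-canonical encoding")
    return data


def b64url_decode_text(value: str) -> str:
    """Decode to a Unicode string; invalid UTF-8 also raises ValueError."""
    return b64url_decode(value).decode("utf-8")


def is_valid_b64url(value: str) -> bool:
    """True if value is a canonical unpadded base64url string."""
    try:
        b64url_decode(value)
    except ValueError:
        return False
    return True
```
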