On Mon, Apr 19, 2010 at 11:14 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
>
>> -----Original Message-----
>> From: Marius Scurtescu [mailto:mscurte...@google.com]
>> Sent: Monday, April 19, 2010 11:04 AM
>> To: Eran Hammer-Lahav
>> Cc: OAuth WG
>> Subject: Re: [OAUTH-WG] 'Scope' parameter proposal
>>
>> On Mon, Apr 19, 2010 at 9:25 AM, Eran Hammer-Lahav
>> <e...@hueniverse.com> wrote:
>> > Proposal:
>> >
>> > 'scope' is defined as a comma-separated list of resource URIs or
>> > resource groups (e.g. contacts, photos).
>>
>> How will commas in URIs be escaped? We just forbid them?
>>
>> If the scope elements are URIs then a space separated list is much safer,
>> URIs cannot contain spaces.
>
> Yep. I noted that in my proposal.
>
>> But, I still don't see the point on trying to define the scope structure.
>
> The same point in defining any other parameter - interop. I still haven't 
> heard an argument for not defining it. By definition everything we add to the 
> spec is meant to increase interop and should be well specified.

How does defining the scope structure help interop?

There was a good argument why not to define it. Getting everyone to agree
on one definition can be hard, and you cannot be sure everyone was
consulted. There are lots of service providers out there that use
scopes today. Are we sure that a space-separated list of URIs will
work for all of them?


> If you want to leave someone under specified, the burden is on you to argue
> why, not on me to argue for it.

When you wanted to leave scopes out altogether, you wanted proof they
are needed :-)

I did a proof of concept implementation, with client, server and
protected resource support libraries, and the scope structure was
never an issue. Actual client, server and resource code does need to
deal with scopes, but this is not the generic code that would go into
a library.


I do agree that it would be nice to have a defined structure for
scopes, I just don't think it is that important and that it is hard to
get right.


Marius
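
The delimiter question raised in this thread, as an added example that is not part of the original message or of any OAuth library: a comma is a legal unescaped character in a URI (an RFC 3986 sub-delim), so a comma-separated scope list does not round-trip, while a space-separated one does. The sample URIs and all function names are constructed for illustration.

```python
import re

# Constructed sample scopes (not from the thread): the second URI contains a
# comma, which RFC 3986 permits unescaped (it is a "sub-delim" character).
SCOPES = [
    "https://api.example.com/contacts",
    "https://api.example.com/photos;size=1,2",
]

# A raw space never appears in a valid URI, so a space is a safe separator.
_WS = re.compile(r"\s")


def join_scope(elements, sep):
    """Serialize scope elements with the given separator, without escaping."""
    return sep.join(elements)


def split_scope(value, sep):
    """Split a scope string on the separator, dropping empty elements."""
    return [e for e in value.split(sep) if e]


def round_trips(elements, sep):
    """True if serializing and re-parsing returns the original elements."""
    return split_scope(join_scope(elements, sep), sep) == list(elements)


def parse_space_separated(value):
    """Parse a space-separated scope, rejecting any other whitespace."""
    elements = split_scope(value, " ")
    for e in elements:
        if _WS.search(e):
            raise ValueError(f"whitespace inside scope element: {e!r}")
    return elements


if __name__ == "__main__":
    print("comma round-trip:", round_trips(SCOPES, ","))
    print("space round-trip:", round_trips(SCOPES, " "))
    # The comma split yields a stray third element cut out of the photos URI.
    print(split_scope(join_scope(SCOPES, ","), ","))
```

A server that splits on commas would see three scope elements here instead of two, so the scope it evaluates is not the scope the client sent.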