Eran, Is then any reason to pick this collection of ASCII characters? An access token appears in JSON, URI fragments, URI query parameters, and HTTP header values. The allowed set includes chars that need escaping in all of these. However, it is still a very limited set of 94 chars. It excludes spaces, non-ASCII Unicode etc.
This looks like the worst of all worlds. Everyone handling a token has to worry about escaping in every situation, but even that isn't enough to support arbitrary text or binary tokens. There will need to be escaping mechanisms to fit native tokens into the OAuth <access-token> production, then separate escaping to transport it. Why not restrict <access-token> to a URI-safe alphabet (eg the 66 <unreserved> chars: A-Z a-z 0-9 - _ . ~). If you have a binary token there is a simple approach: base64url-encode it. If you have a text token there is a simple approach: base64url-encode its UTF-8 encoding. If you have a little bit of structure in a token there are a couple of punctuation chars available to separate the components. Allowing ( ) " \ = but without their usual meaning (as comments, quoting, escaping, and separating) looks certain to cause confusion. -- James Manger -----Original Message----- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Monday, 12 July 2010 1:19 PM To: m...@automattic.com; OAuth WG Subject: Re: [OAUTH-WG] Authorization Header Format in draft-10 My bad. I forgot to update the ABNF for the parameters. The right answer is 2 in the example below and the correct ABNF is: credentials = "OAuth" RWS access-token RWS [ 1#auth-param ] access-token = 1*( quoted-char / <"> ) quoted-char = "!" / "#" / "$" / "%" / "&" / "'" / "(" / ")" / "*" / "+" / "-" / "." / "/" / DIGIT / ":" / "<" / "=" / ">" / "?" / "@" / ALPHA / "[" / "]" / "^" / "_" / "`" / "{" / "|" / "}" / "~" / "\" / "," / ";" This will be fixed in -11 (already in my github [1] copy which will continue to change with pending -11 updates). EHL [1] http://github.com/theRazorBlade/draft-ietf-oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
