Eran,

Is there any reason to pick this collection of ASCII characters?
An access token appears in JSON, URI fragments, URI query parameters, and HTTP 
header values. The allowed set includes chars that need escaping in all of 
these. However, it is still a very limited set of 94 chars. It excludes spaces, 
non-ASCII Unicode etc.

This looks like the worst of all worlds. Everyone handling a token has to worry 
about escaping in every situation, but even that isn't enough to support 
arbitrary text or binary tokens. There will need to be escaping mechanisms to 
fit native tokens into the OAuth <access-token> production, then separate 
escaping to transport it.

Why not restrict <access-token> to a URI-safe alphabet (e.g. the 66 <unreserved> 
chars: A-Z a-z 0-9 - _ . ~)?
If you have a binary token there is a simple approach: base64url-encode it.
If you have a text token there is a simple approach: base64url-encode its UTF-8 
encoding.
If you have a little bit of structure in a token there are a couple of 
punctuation chars available to separate the components.

Allowing ( ) " \ = but without their usual meaning (as comments, quoting, 
escaping, and separating) looks certain to cause confusion.

-- 
James Manger



-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran 
Hammer-Lahav
Sent: Monday, 12 July 2010 1:19 PM
To: m...@automattic.com; OAuth WG
Subject: Re: [OAUTH-WG] Authorization Header Format in draft-10

My bad. I forgot to update the ABNF for the parameters.

The right answer is 2 in the example below and the correct ABNF is:

  credentials    = "OAuth" RWS access-token RWS [ 1#auth-param ]
  access-token   = 1*( quoted-char / <"> )

  quoted-char    =   "!" / "#" / "$" / "%" / "&" / "'" / "("
                   / ")" / "*" / "+" / "-" / "." / "/" / DIGIT
                   / ":" / "<" / "=" / ">" / "?" / "@" / ALPHA
                   / "[" / "]" / "^" / "_" / "`" / "{" / "|"
                   / "}" / "~" / "\" / "," / ";"

This will be fixed in -11 (already in my github [1] copy which will continue
to change with pending -11 updates).

EHL

[1] http://github.com/theRazorBlade/draft-ietf-oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
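The following is an added example, not code from either message or from the draft, that makes the two alphabets in this thread concrete: it checks a string against the draft-10 <access-token> production quoted by Eran (every printable non-space ASCII character, 94 in all) and against the 66 RFC 3986 <unreserved> characters James proposes, reports which carriers (URI query parameter, JSON string, HTTP quoted-string) would force escaping of a given token, and shows the base64url route for binary and UTF-8 text tokens. One assumption is built in: base64url padding ('=') is dropped, since '=' is not an unreserved character; the helper restores it before decoding.

```python
"""Compare the draft-10 <access-token> alphabet with the URI <unreserved> alphabet."""
import base64
import json
import string
from urllib.parse import quote

# The draft-10 ABNF quoted in the thread: access-token = 1*( quoted-char / <"> ).
# quoted-char is every printable ASCII character except space and DQUOTE;
# adding DQUOTE gives all 94 printable, non-space ASCII characters.
QUOTED_CHAR = (set(string.ascii_letters) | set(string.digits)
               | set("!#$%&'()*+-./:<=>?@[]^_`{|}~\\,;"))
DRAFT10_ALPHABET = QUOTED_CHAR | {'"'}

# The 66 <unreserved> characters of RFC 3986 proposed in the reply.
UNRESERVED = set(string.ascii_letters) | set(string.digits) | set("-_.~")


def is_draft10_token(tok: str) -> bool:
    """True if tok matches the draft-10 access-token production."""
    return len(tok) > 0 and all(c in DRAFT10_ALPHABET for c in tok)


def is_unreserved_token(tok: str) -> bool:
    """True if tok uses only RFC 3986 unreserved characters."""
    return len(tok) > 0 and all(c in UNRESERVED for c in tok)


def escaping_needed(tok: str) -> dict:
    """Report, per carrier, whether tok cannot be embedded verbatim.

    uri_query:            percent-encoding would change it (e.g. & = + / ? #).
    json_string:          json.dumps must backslash-escape DQUOTE or backslash.
    header_quoted_string: it cannot sit inside an HTTP quoted-string unescaped.
    """
    return {
        "uri_query": quote(tok, safe="") != tok,
        "json_string": json.dumps(tok) != '"' + tok + '"',
        "header_quoted_string": any(c in '"\\' for c in tok),
    }


def encode_token(raw: bytes) -> str:
    """base64url-encode an arbitrary binary token.

    Assumption: the '=' padding is dropped so the result stays inside the
    unreserved alphabet; decode_token() restores it.
    """
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def encode_text_token(text: str) -> str:
    """base64url-encode the UTF-8 form of a text token (spaces, non-ASCII, anything)."""
    return encode_token(text.encode("utf-8"))


def decode_token(tok: str) -> bytes:
    """Inverse of encode_token: reject out-of-alphabet input, restore padding, decode."""
    if not is_unreserved_token(tok):
        raise ValueError("token is outside the unreserved alphabet")
    return base64.urlsafe_b64decode(tok + "=" * (-len(tok) % 4))


def join_fields(*fields: str) -> str:
    """Structured token: join base64url components with '.', one of the few
    punctuation characters still available inside the unreserved set."""
    return ".".join(fields)


if __name__ == "__main__":
    # Constructed sample tokens, not real credentials.
    for sample in ['abc"=\\', "a=b&c", encode_text_token("héllo wörld")]:
        print(sample, is_draft10_token(sample), is_unreserved_token(sample),
              escaping_needed(sample))
```

Running the script prints, for each constructed sample, whether it is a valid draft-10 token, whether it is a valid unreserved token, and which carriers would need to escape it; the base64url sample is valid under both productions and needs no escaping anywhere, while the other two are valid only under draft-10 and need escaping in at least one carrier.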
