> -----Original Message-----
> From: Manger, James H [mailto:james.h.man...@team.telstra.com]
> Sent: Thursday, November 25, 2010 3:52 PM
> To: Eran Hammer-Lahav; OAuth WG
> Subject: RE: ABNF in draft 11
> 
> This is better.
> 
> <scope> is not quite correct as the right-hand side is not quite a subset of
> <quoted-string> since <quoted-char> allows "\" as a character, instead of
> treating it as an escape character.
> Option 1: remove "\" from <quoted-char>
> Option 2: define <scope> as <"scope" "=" quoted-string>, and in the
> following paragraph say the "scope" attribute is a space-separated list of
> individual scope values -- more precisely, individual scope values are
> separated by <RWS> (and consequently cannot contain <RWS>).
> 
> I prefer option 2.

I'm not sure about this yet. I'll leave it and talk to some ABNF gurus.

> 
> "WWW-Authenticate: OAuth2" is not strictly valid because it doesn't have a
> space <RWS> after the scheme.
> RFC2617 and draft-ietf-httpbis-p7-auth-12 actually use <1*SP>, instead of
> <RWS> in the generic definition of <challenge>.
> 
> Option 3: <challenge = "OAuth2" 1*SP 1#param>
>           Add realm to <param>; add back paragraph saying the mandatory
> "realm" attribute allows protected resources on a server to be partitioned, as
> specified in RFC2617. Don't bother with any extra explanation.
> 
> Option 4: <challenge = "OAuth2" [ 1*SP #param ]>
>           Add a paragraph explicitly saying this scheme does not quite obey the
> generic rules for schemes defined in RFC2617 because it does not require a
> "realm" parameter or, in fact, any parameters.
> 
> I prefer option 4, despite believing "realm" has some value. Most servers will
> have a single protection space (=realm), plus NTLM and Negotiate schemes
> already omit "realm", so I think disobeying RFC2617 here is ok (and fixing
> draft-ietf-httpbis-p7-auth-12).

Nah, I'll just open a ticket against p7 to fix it there.
 
> 
> <URI-Reference> should be
> <URI-reference>

Thanks.
 
EHL
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
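
The following is an added example, not part of the thread or of the draft: a small parser for the challenge grammar as proposed in option 4 (`"OAuth2" [ 1*SP #param ]`) combined with option 2 (scope carried as a quoted-string, split on whitespace after unescaping). The function names `unquote` and `parse_challenge` and the sample header values are assumptions made for illustration.

```python
import re

# HTTP token characters, and quoted-string with "\" acting as an escape (quoted-pair).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = re.compile(rf'({TOKEN})\s*=\s*({TOKEN}|{QUOTED})\s*')


def unquote(value):
    """Strip the surrounding quotes and resolve each quoted-pair (\\x becomes x)."""
    if value.startswith('"'):
        return re.sub(r'\\(.)', r'\1', value[1:-1])
    return value


def parse_challenge(header_value):
    """Parse a challenge of the form "OAuth2" [ 1*SP #param ] (option 4)."""
    scheme, _, rest = header_value.partition(' ')
    if scheme.lower() != 'oauth2':
        raise ValueError('not an OAuth2 challenge')
    params, pos = {}, 0
    while True:
        # "#" list rule: comma-separated elements, empty elements tolerated.
        while pos < len(rest) and rest[pos] in ' \t,':
            pos += 1
        if pos >= len(rest):
            break
        m = PARAM.match(rest, pos)
        if not m:
            raise ValueError(f'malformed parameter at offset {pos}')
        name = m.group(1).lower()
        if name in params:
            raise ValueError(f'duplicate parameter: {name}')
        params[name] = unquote(m.group(2))
        pos = m.end()
        if pos < len(rest) and rest[pos] != ',':
            raise ValueError(f'expected "," at offset {pos}')
    # Option 2: unescape first, then split the scope string on whitespace.
    if 'scope' in params:
        params['scope'] = params['scope'].split()
    return params


if __name__ == '__main__':
    # Constructed header values, not taken from the thread.
    print(parse_challenge('OAuth2'))
    print(parse_challenge(r'OAuth2 realm="a \"quoted\" name", scope="read write"'))
    print(parse_challenge(r'OAuth2 scope="a\b c"'))
```

The last sample shows why the escape question matters: with "\" treated as an escape the scope values are `ab` and `c`, whereas a grammar that allows "\" as an ordinary character would yield `a\b` and `c`.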
