Issue #26 http://trac.tools.ietf.org/wg/oauth/trac/ticket/26 asks whether the semantics of scope strings should be changed to require that the % character be interpreted as introducing a percent-encoded character that follows. My proposed resolution is that %-encoding not be required in the specification; therefore no textual change would be made to the specification in response to this issue. The reasoning behind this resolution is as follows:
1. Interpretation of scope strings already requires semantic agreement on the meaning of the scope strings between the parties participating in the OAuth flow. Should an encoding be used for scope strings in a particular deployment context, it is reasonable for participants to have agreed upon that encoding, just as they agree on other OAuth configuration parameters.

2. More than one encoding methodology could reasonably be employed in scope strings. For instance, base64url encoding of scope values could be used in some contexts. Quoting characters with '\' is another possibility. I see no compelling reason to mandate %-encoding over other potential encoding methods.

3. Mandating %-encoding unnecessarily complicates implementations without providing a clear compensating benefit sufficient to warrant the additional complexity. For example, it seems unnecessary to mandate that the scope strings "email" and "%65mail" MUST compare as being equal in all implementations.

4. If an encoding methodology for scope strings is mandated, this should be done in the OAuth Core specification - not the OAuth Bearer Token specification.

5. I am aware of no existing practice that utilizes %-encoding of scope values.

-- Mike
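Added example (not part of the original message): a Python illustration of the comparison question in point 3, contrasting opaque exact matching of scope tokens with matching after %-decoding. The function names and the sample scope "profile" are assumptions, and the allowed-character check follows the scope-token grammar in RFC 6749, which the message does not cite.

```python
from urllib.parse import unquote


def _is_nqchar(ch):
    # Assumption: scope-token characters per the RFC 6749 grammar,
    # NQCHAR = %x21 / %x23-5B / %x5D-7E (excludes space, '"' and '\').
    c = ord(ch)
    return c == 0x21 or 0x23 <= c <= 0x5B or 0x5D <= c <= 0x7E


def parse_scope(value):
    """Split a space-delimited scope string into a set of opaque tokens."""
    tokens = value.split(" ")
    for tok in tokens:
        if not tok or not all(_is_nqchar(ch) for ch in tok):
            raise ValueError(f"invalid scope token: {tok!r}")
    return frozenset(tokens)


def has_scope_exact(granted, required):
    """Exact comparison: tokens are opaque and '%' has no special meaning."""
    return required in parse_scope(granted)


def has_scope_pct_decoded(granted, required):
    """Comparison after %-decoding, the interpretation issue #26 asks about."""
    decoded = {unquote(tok) for tok in parse_scope(granted)}
    return unquote(required) in decoded


def disagreements(granted, required_scopes):
    """Return the required scopes on which the two comparison rules differ."""
    return [r for r in required_scopes
            if has_scope_exact(granted, r) != has_scope_pct_decoded(granted, r)]


if __name__ == "__main__":
    granted = "%65mail profile"  # constructed sample scope string
    for r in ("email", "%65mail", "profile"):
        print(r, has_scope_exact(granted, r), has_scope_pct_decoded(granted, r))
    print("rules disagree on:", disagreements(granted, ["email", "%65mail", "profile"]))
```

If one party compares exactly and the other decodes first, `disagreements` lists the scopes on which they would reach different authorization decisions.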