On 2011-09-28 05:50, Manger, James H wrote:
I'll have another go trying to explain the problem I see with the scope 
parameter in the Bearer spec.

Consider a French social network that decides to offer an API using OAuth2. It 
chooses 3 scope values for parts of the API related to family, friends, and 
business colleagues:
* "famille"
* "ami"
* "collègues"
Let's focus on the last scope.

The site describes the scope and its semantics in HTML developer docs. That 
works.
   <dt>coll&#xE8;gues</dt><dd>...</dd>

Client apps construct authorization URIs to which users are sent. That works.
   https://example.fr/authz?scope=coll%C3%A8gues...
...

Wait a minute. This only works if the spec explicitly states that non-ASCII characters need to be UTF-8 encoded before escaping (this is not part of "application/x-www-form-urlencoded").

Best regards, Julian
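
The encoding ambiguity discussed in this message, as an added example that is not part of the original thread: the same scope value percent-escapes to different bytes depending on the charset the client picks, and a server that expects UTF-8 either rejects or mis-reads the other form. The function names and the strict-UTF-8 server policy are assumptions made for illustration.

```python
from urllib.parse import quote, unquote, unquote_to_bytes

# Scope names taken from the message; "\u00e8" is the e-grave in "collègues".
REGISTERED_SCOPES = {"famille", "ami", "coll\u00e8gues"}


def encode_scope(scope: str, charset: str) -> str:
    """Client side: encode the scope in `charset`, then percent-escape the bytes."""
    return quote(scope, safe="", encoding=charset)


def decode_scope_lenient(escaped: str) -> str:
    """Unescape as UTF-8, replacing malformed bytes with U+FFFD (urllib default)."""
    return unquote(escaped)


def check_scope(escaped: str) -> str:
    """Assumed server policy: unescape to bytes and require well-formed UTF-8.

    Returns 'granted:<scope>', 'unknown-scope' or 'bad-encoding'.
    """
    try:
        scope = unquote_to_bytes(escaped).decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return "bad-encoding"
    return f"granted:{scope}" if scope in REGISTERED_SCOPES else "unknown-scope"


if __name__ == "__main__":
    for charset in ("utf-8", "iso-8859-1"):
        escaped = encode_scope("coll\u00e8gues", charset)
        print(charset, escaped, check_scope(escaped),
              repr(decode_scope_lenient(escaped)))
```

A lenient decoder turns the ISO-8859-1 form into a string containing U+FFFD, which then fails the scope comparison silently instead of being reported as an encoding error.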
