On 2011-09-28 05:50, Manger, James H wrote:
> I'll have another go trying to explain the problem I see with the scope
> parameter in the Bearer spec.
>
> Consider a French social network that decides to offer an API using OAuth2. It
> chooses 3 scope values for parts of the API related to family, friends, and
> business colleagues:
> * "famille"
> * "ami"
> * "collègues"
>
> Let's focus on the last scope.
>
> The site describes the scope and its semantics in HTML developer docs. That
> works.
> <dt>collègues</dt><dd>...</dd>
>
> Client apps construct authorization URIs to which users are sent. That works.
> https://example.fr/authz?scope=coll%C3%A8gues...
...
Wait a minute. This only works if the spec explicitly states that
non-ASCII characters need to be UTF-8 encoded before escaping (this is
not part of "application/x-www-form-urlencoded").
Best regards, Julian
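
The encoding dependence raised in this reply, as an added example that is not part of the original message or of any OAuth draft: the same scope name escapes to different octets depending on the client's charset, and a server that guesses silently ends up with a different scope string. The function names are hypothetical, and the strict parser assumes the deployment mandates UTF-8 before escaping and a space-delimited scope list.

```python
from urllib.parse import quote, unquote, unquote_to_bytes

# Scope names from the message; \u00e8 is the precomposed "è".
REGISTERED_SCOPES = {"famille", "ami", "coll\u00e8gues"}


def encode_scope(scope, charset):
    """Client side: encode in `charset`, then percent-escape the octets."""
    return quote(scope.encode(charset), safe="")


def lenient_decode(raw_value, charset):
    """Server that guesses a charset and never fails (the risky behaviour)."""
    return unquote(raw_value, encoding=charset, errors="replace")


def parse_scope_param(raw_value):
    """Strict server side: accept only UTF-8 octets and registered scopes.

    Assumption: the deployment mandates UTF-8 before escaping and a
    space-delimited scope list.
    """
    octets = unquote_to_bytes(raw_value.replace("+", " "))
    try:
        text = octets.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError("scope is not UTF-8 percent-encoded") from exc
    requested = set(text.split(" ")) - {""}
    unknown = requested - REGISTERED_SCOPES
    if unknown:
        raise ValueError("unknown scope(s): %r" % sorted(unknown))
    return requested


if __name__ == "__main__":
    # Show both wire forms and what a lenient UTF-8 reader makes of each.
    for charset in ("utf-8", "iso-8859-1"):
        wire = encode_scope("coll\u00e8gues", charset)
        print(charset, "->", wire, "| lenient UTF-8 read:",
              repr(lenient_decode(wire, "utf-8")))
```

Rejecting undecodable octets, rather than substituting a replacement character, keeps a mis-encoded request from being compared against the registered scope list as some other string.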