On 2011-10-14 17:52, Julian Reschke wrote:
On 2011-10-14 17:42, Mike Jones wrote:
Thanks for the useful discussion and the write-up, Hannes. For context,
Hannes and I discussed how to resolve the remaining Bearer spec issues
in a manner that meets the needs of implementations and will not
generate objections during the IESG or IETF Last Call reviews. A few
additional comments…

1. Error Description – Nothing to add to Hannes’ write-up.

2. Scope – I was planning to allow a broader set of ASCII characters
than the “token” set, as these characters are inadequate for the use of
URIs/URLs as scope elements. In particular, scope elements need to
permit the full sets of “reserved”
<http://tools.ietf.org/html/rfc3986#section-2.2>and “unreserved”
<http://tools.ietf.org/html/rfc3986#section-2.3>characters in RFC 3986
<http://tools.ietf.org/html/rfc3986>. The draft I am working on will say
that scope is a space separated set of elements, where the elements
consist of one or more characters from the union of the “reserved” and
“unreserved” sets.
...

If you do that, you'll need to be careful with the encoding in case you
stick with x-www-url-encoded (SP -> "+" etc).

Sorry, /me confused.

Looked again at <https://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-09#section-2.4>:

   scope           = "scope" "=" <"> scope-v *( SP scope-v ) <">
   scope-v         = 1*quoted-char

   quoted-char     = ALPHA / DIGIT /
                     "!" / "#" / "$" / "%" / "&" / "'" / "(" / ")" /
                     "*" / "+" / "-" / "." / "/" / ":" / "<" / "=" /
                     ">" / "?" / "@" / "[" / "]" / "^" / "_" / "`" /
                     "{" / "|" / "}" / "~" / "\" / "," / ";"

You can't do this, as it conflicts with the syntax for quoted-string.

So the right way to do this is to say:

  scope = "scope" *SP  "=" *SP ( token / quoted-string )

and then have prose constrain the value of the param after potentially unescaping the quoted-string.

Best regards, Julian





_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to