On 2011-10-20 10:05, Julian Reschke wrote:
On 2011-10-20 09:41, Mike Jones wrote:
Your proposed wording for 2.4 misses the point: \ MUST NOT occur at
all in the input string. No quoting may occur.
 > ...

No, it doesn't miss the point.

You need to tell implementers whether they can use a quoted-string
processor. Those processors will accept all the values you want to
support, plus values that contain "\c" (representing "c"). Is this ok,
or are recipients supposed to reject these values?

Furthermore, it's not clear what recipients are supposed to do with
values that are not quoted, for instance for scope. The ABNF makes them
illegal, but I promise you that many recipients will accept them
nevertheless (unless you manage to make them draconian using a very
good test suite).

See <http://greenbytes.de/tech/tc/httpauth/#simplebasictok> for a test
case checking this for the realm parameter. It's already bad for many
existing headers, please let's do things right with new ones.

Best regards, Julian

...finally, the syntax for the WWW-Authenticate header field is defined by HTTPbis, not the OAuth spec. Recipients need to process the header field using a generic parser, and only after doing so can delegate to an OAuth-specific component for interpretation of the OAuth-specific semantics. Translation: a recipient that supports multiple authentication schemes is unlikely to implement an OAuth-specific *parser* for the header field.

Best regards, Julian
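As an added illustration of the two cases Julian raises (a quoted-pair such as "\c" inside a quoted-string, and an unquoted token value for scope), not code from this thread or from any OAuth implementation: a generic HTTPbis-style auth-param parser, with a separate Bearer-specific check layered on top of it. The set of parameters treated as quoted-string-only in the Bearer ABNF (scope, error, error_description, error_uri) is an assumption of this example.

```python
import re
from typing import Dict, List, Tuple

# Generic HTTP auth-param grammar (HTTPbis style), scheme-independent:
#   auth-param    = token BWS "=" BWS ( token / quoted-string )
#   quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
#   quoted-pair   = "\" ( HTAB / SP / VCHAR / obs-text )
TOKEN = r'[!#$%&\'*+\-.^_`|~0-9A-Za-z]+'
QUOTED = r'"(?:[^"\\]|\\.)*"'
AUTH_PARAM = re.compile(r'\s*(' + TOKEN + r')\s*=\s*(' + QUOTED + r'|' + TOKEN + r')\s*(?:,|$)')


def parse_challenge_params(params: str) -> List[Tuple[str, str, bool, bool]]:
    """Generic parser for the auth-params of one challenge.

    Returns (name, value, was_quoted, had_quoted_pair). A quoted-string
    processor unescapes "\c" to "c", so values containing quoted-pairs are
    accepted here; whether they are legal is a scheme-level question.
    """
    out = []
    pos = 0
    while pos < len(params):
        m = AUTH_PARAM.match(params, pos)
        if not m:
            raise ValueError(f"cannot parse auth-params at offset {pos}: {params[pos:]!r}")
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"'):
            inner = raw[1:-1]
            out.append((name, re.sub(r'\\(.)', r'\1', inner), True, '\\' in inner))
        else:
            out.append((name, raw, False, False))
        pos = m.end()
    return out


# Assumed Bearer rules under discussion: these params are quoted-string only in
# the Bearer ABNF, and "\" MUST NOT occur in the input at all.
QUOTED_ONLY = {"scope", "error", "error_description", "error_uri"}


def lint_bearer_challenge(header_value: str) -> Dict[str, List[str]]:
    """Scheme-specific layer: run the generic parser, then flag values that the
    generic grammar accepts but the Bearer rules above reject."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"not a Bearer challenge: {scheme!r}")
    problems: Dict[str, List[str]] = {"quoted_pair": [], "unquoted": []}
    for name, _value, was_quoted, had_qp in parse_challenge_params(params):
        if had_qp:
            problems["quoted_pair"].append(name)
        if name in QUOTED_ONLY and not was_quoted:
            problems["unquoted"].append(name)
    return problems
```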
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth