Hi,

I have a question about access_token generation.
Would it be possible to use an access_token that is generated as a UUID?
It seems reasonable, since UUID is regarded as a safe ID generation
algorithm. And in fact such OAuth 2.0 implementations exist.
But there is a discrepancy between the OAuth 2.0 spec and the UUID spec
around letter case.

RFC 6749 says:
> Unless otherwise noted, all the protocol parameter names and values
> are case sensitive.

> access_token
> REQUIRED.  The access token issued by the authorization server.

RFC 4122 says:
> The hexadecimal values "a" through "f" are output as lower case
> characters and are case insensitive on input.

I mean, an access_token should be treated as case sensitive, but a UUID
should be treated as case insensitive.
What are your thoughts on that?

Thank you.

-- 
Open Source Solution Technology Corporation
HAMANO Tsukasa <ham...@osstech.co.jp>
fingerprint = 2285 2111 6D34 3816 3C2E  A5B9 16BE D101 6069 BE55

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
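
The discrepancy raised in this message, shown as an added example (not part of the original post and not taken from any OAuth implementation): a hypothetical in-memory `TokenStore` issues UUID-format access tokens and validates them either as opaque case-sensitive strings or by first parsing them as UUIDs. The class, its method names and the sample UUID are constructed for illustration.

```python
import uuid


class TokenStore:
    """Hypothetical in-memory access-token store (constructed for this example)."""

    def __init__(self):
        self._issued = {}  # token string exactly as issued -> subject

    def issue(self, subject, new_uuid=uuid.uuid4):
        # str(UUID) is the RFC 4122 output form: lower-case hex with hyphens.
        token = str(new_uuid())
        self._issued[token] = subject
        return token

    def lookup_exact(self, presented):
        """Opaque-string match: follows the quoted RFC 6749 rule (case sensitive)."""
        return self._issued.get(presented)

    def lookup_as_uuid(self, presented):
        """Parse first: follows the quoted RFC 4122 rule (case insensitive on input)."""
        try:
            canonical = str(uuid.UUID(presented))
        except ValueError:
            return None
        return self._issued.get(canonical)


def variants(token):
    """Other spellings that Python's uuid.UUID() parses to the same value."""
    return [
        token.upper(),            # upper-case hex digits
        token.replace("-", ""),   # hyphens dropped
        "{" + token + "}",        # braces
        "urn:uuid:" + token,      # URN form
    ]


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue("alice")
    for presented in [token] + variants(token):
        print(presented,
              "exact:", store.lookup_exact(presented),
              "parsed:", store.lookup_as_uuid(presented))
```

With the exact match only the string that was issued is accepted; with parse-then-compare, several distinct strings are accepted as the same token, which matters wherever the token string itself is used as a cache, log or revocation key.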
