Hi Nat, Hi John, Hi Naveen, Hi all,

in the appendix you include C# code. I was wondering where the code came from? Did you write the code or did you copy it from somewhere else? This question is relevant from a copyright point of view.

RFC 5226 is mentioned in the document but missing in the informative reference section.

A minor wording suggestion for the following paragraph:

" All the OAuth security analysis presented in [RFC6819] applies so readers SHOULD carefully follow it. "

I think the RFC 2119 language use of the word 'SHOULD' isn't appropriate here. I think it would be better to just say the following:

" The OAuth security analysis presented in [RFC6819] applies to this document. Implementers are strongly encouraged to follow the recommended security practice. "

(I guess it is not possible to highlight a few aspects since the entire document, i.e., RFC 6819, may be relevant depending on the chosen OAuth features.)

I noticed a funny thing about the ABNF. When I used this ABNF code

  ALPHA = %x41-5A / %x61-7A
  DIGIT = %x30-39
  code_verifier = 42*128unreserved
  unreserved = ALPHA / DIGIT / "-" / "_"

I get an error from 'Bill's ABNF Parser'. The tool complains about the use of the "_" in the code_verifier label. It turns out that this is not an allowed token in ABNF as defined in RFC 5234 (at least that's my current understanding).

Of course that is a bit inconvenient since we have been using "_" already in many OAuth parameters before, as the IANA OAuth parameter registry shows: http://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml

So, I hope that my understanding of ABNF is incorrect since otherwise we have messed things up a bit (at least when it comes to compliance with the ABNF syntax). This does, of course, not have any impact on implementations.

Feedback appreciated.

Ciao
Hannes
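The two points raised in the message, as an added example that is not part of the original mail or of the draft: a server-side check that a received code_verifier matches the quoted ABNF (42 to 128 characters drawn from the quoted "unreserved" set, nothing else), and a small line-based check of rule names against the rulename syntax of RFC 5234 section 2.1 (ALPHA followed by ALPHA / DIGIT / "-"), which is what the parser in the message trips over. The ABNF fragment embedded below is the one quoted in the mail; the function names are my own.

```python
import re

# "unreserved = ALPHA / DIGIT / "-" / "_"" exactly as quoted in the message
# (the early draft's set; no other characters are accepted).
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)
MIN_LEN, MAX_LEN = 42, 128  # "code_verifier = 42*128unreserved"


def is_valid_code_verifier(value: str) -> bool:
    """True iff value matches 42*128unreserved from the quoted ABNF.

    A token endpoint should reject a malformed verifier before doing any
    further processing on it, so the length bound is checked first.
    """
    if not (MIN_LEN <= len(value) <= MAX_LEN):
        return False
    return all(ch in UNRESERVED for ch in value)


# RFC 5234 section 2.1: rulename = ALPHA *(ALPHA / DIGIT / "-")
# "_" is not in that set, which is why "code_verifier" is refused as a rule name.
RULENAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def is_valid_abnf_rulename(name: str) -> bool:
    return bool(RULENAME_RE.match(name))


def check_abnf_rulenames(abnf: str) -> dict:
    """Map each rule name defined in a simple ABNF fragment to whether
    RFC 5234 permits it. Line-based on purpose: one definition per line,
    no "=" inside quoted strings; enough for the fragment in the mail."""
    result = {}
    for line in abnf.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name = line.split("=", 1)[0].strip()
        result[name] = is_valid_abnf_rulename(name)
    return result


# The ABNF fragment quoted in the message (constructed input for this example).
QUOTED_ABNF = """\
ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39
code_verifier = 42*128unreserved
unreserved = ALPHA / DIGIT / "-" / "_"
"""

if __name__ == "__main__":
    print(check_abnf_rulenames(QUOTED_ABNF))  # code_verifier is the only False
```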