Hi Benjamin,
in my opinion, your proposal sound reasonable from a protocol perspective.
kind regards,
Torsten.
Am 23. März 2015 06:26:20 MEZ, schrieb Benjamin Kaduk <ka...@mit.edu>:
>Hi all,
>
>During the shepherd review for draft-ietf-kitten-sasl-oauth-19, I
>noticed
>an old comment from Matt back in December 2013, in
>http://www.ietf.org/mail-archive/web/kitten/current/msg04488.html .
>
>The relevant point here is that sending a scope of "" (the empty
>string)
>during the authorization request violates the ABNF in RFC 6749. (The
>other concerns seem to have been addressed by suggesting that a single
>scope be used, when recommending against a space-separated list.)
>
>In the current draft-ietf-kitten-sasl-oauth-19, in section 3.2.2
>("Server
>Response to Failed Authentication"), we provide a way for the server to
>tell the client what scope to use, in a custom JSON message defined in
>the
>sasl-oauth document. This error response has no obligation to comply
>to
>the ABNF of RFC 6749, so saying both that the scope field is optional
>and
>that it "may be empty which implies that unscoped tokens are required,
>or
>a scope value" does not cause any compliance issues. However, a few
>paragraphs down, we furthermore say that "[i]f the resource server
>provides no scope to the client then the client SHOULD presume an empty
>scope (unscoped token) is required to access the resource." The phrase
>"empty scope" here is concerning, and seems to suggest sending
>scope="",
>which is disallowed by RFC 6749.
>
>The simple fix would be to just replace "empty scope (unscoped token)"
>with "unscoped token".
>
>However, it is a bit aesthetically unpleasing to have our new JSON
>structure diverge from the existing ABNF guidelines; we may wish to
>just
>utilize the optionality of the scope field in the server's response to
>failed authentication, and remove the mention of an empty value for
>that
>field. This proposal is a change to the wire protocol, and so we would
>need consensus from the working group to move forward with it -- in
>particular, we would like to know if there are existing implementations
>which would be affected by this change.
>
>Please comment about the proposal to remove the option of an empty
>scope
>in the server's response to failed authentication, both from the
>protocol
>change standpoint and from its effects on existing implementations.
>
>Thank you,
>
>Ben
>
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
--
Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet._______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
