Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -10
Julian Reschke <julian.reschke@gmx.de> Thu, 20 October 2011 15:46 UTC
Return-Path: <julian.reschke@gmx.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8070121F8C59 for <oauth@ietfa.amsl.com>; Thu, 20 Oct 2011 08:46:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.062
X-Spam-Level:
X-Spam-Status: No, score=-103.062 tagged_above=-999 required=5 tests=[AWL=-0.462, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gYJDD5qp-3oI for <oauth@ietfa.amsl.com>; Thu, 20 Oct 2011 08:46:34 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id 915BE21F8B86 for <oauth@ietf.org>; Thu, 20 Oct 2011 08:46:27 -0700 (PDT)
Received: (qmail invoked by alias); 20 Oct 2011 15:46:26 -0000
Received: from mail.greenbytes.de (EHLO [192.168.1.140]) [217.91.35.233] by mail.gmx.net (mp002) with SMTP; 20 Oct 2011 17:46:26 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX18Rgd092UMRUbMBebmIv/Edt9U4vSvpIcLFNWw51G y6u3ewYp1GkWw0
Message-ID: <4EA0424E.8000604@gmx.de>
Date: Thu, 20 Oct 2011 17:46:22 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739435C24B1CA@TK5EX14MBXC283.redmond.corp.microsoft.com> <4E9FC9FA.8030001@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C24CAE6@TK5EX14MBXC283.redmond.corp.microsoft.com> <4E9FCFA4.7050706@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C24CBB6@TK5EX14MBXC283.redmond.corp.microsoft.com> <4E9FD642.9070100@gmx.de> <4E1F6AAD24975D4BA5B16804296739435C24D2C4@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435C24D2C4@TK5EX14MBXC283.redmond.corp.microsoft.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2011 15:46:35 -0000
On 2011-10-20 17:33, Mike Jones wrote: > By design, implementations can use existing quoted-string parsers, as these accept and correctly process all legal scope values. > > The spec is silent on what to do with illegal values, such as those containing \ or those not surrounded by ". Conforming implementations will not produce such values, and so there's no actual problem in practice, whether you use an off-the-shelf parameter parser or one specific to the Bearer scheme. > ... Conforming implementations can produce WWW-Authenticate header fields containing quoted-strings containing escapes. This is under the jurisdiction of the HTTP spec, not the OAuth spec. OAuth can profile the legal values *just* for the OAuth scheme, but consumers will still need to be able to process a header field that contains multiple challenges from schemes != OAuth, and to do so, they *have* to use a proper parser. Consider the following challenge: WWW-Authenticate: foo realm="x", title="my \"test\" site", oauth realm="y" A component that handles WWW-Authenticate absolutely has to rely on predictable syntax for quoted strings. It doesn't make any sense to special-case OAuth params just because escaping isn't needed. This makes things harder and more likely to fail, not simpler. Best regards, Julian
- Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specificati… Julian Reschke
- Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specificati… Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specificati… Julian Reschke
- Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specificati… Julian Reschke
- [OAUTH-WG] choice of credentials syntax, was: OAu… Julian Reschke
- [OAUTH-WG] OAuth 2.0 Bearer Token Specification D… Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specificati… Julian Reschke
- Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specificati… Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specificati… Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specificati… William Mills
- Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specificati… Julian Reschke
- Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specificati… Mike Jones