I'm waiting to see what Brian has in mind for signatures. If we keep the OAuth 
1.0a signature flow, we will need to deal with string encoding of some sort. 
The current limitation has signature in mind, not transmitting requests.

But either way, since assertions have unique structures, it is important to 
note how they should be encoded into the request.

EHL


On 4/2/10 12:48 PM, "Marius Scurtescu" <[email protected]> wrote:

On Fri, Apr 2, 2010 at 12:00 PM, Eran Hammer-Lahav <[email protected]> wrote:
> Because of how we send parameters. Most of the problems we had with
> 1.0 involved encoding issues. We just need to find a good way of
> explaining it.
>
> These are the characters allowed in URIs and form-encoded bodies.

Of course, but when you create the message you have to URL encode all
the name/value pairs, a library would do that for you. But the value
itself does not have to be restricted.

Are we trying to allow for naive encodings where you just string
together the names and values with some delimiters?

I don't think that will help at all, you are just pushing the need to
encode from the library out to the client code. And since the encoding
now is not specified you have a real interop issue IMO.


Marius

>
> EHL
>
> On Apr 2, 2010, at 12:35, "Marius Scurtescu" <[email protected]> wrote:
>
>> On Thu, Apr 1, 2010 at 10:10 PM, Eran Hammer-Lahav <[email protected]> wrote:
>>> The current draft allows the following characters:
>>>
>>>   value-char  = ALPHA / DIGIT / "-" / "." / "_" / "~" / "%"
>>>
>>> Which means a utf-8 string will need to be encoded somehow. Should it be
>>> percent-encoded? Something else?
>>
>> Why do we have this limitation (sorry if I missed a discussion
>> around this)?
>>
>> Usernames and passwords, for example, are guaranteed to have problems.
>> I think it is much better for the protocol/libraries to take care of
>> encoding/decoding.
>>
>> Marius
>>
>>>
>>> EHL
>>>
>>>
>>> On 4/1/10 10:00 PM, "Marius Scurtescu" <[email protected]> wrote:
>>>
>>> On Thu, Apr 1, 2010 at 9:54 PM, Eran Hammer-Lahav <[email protected]> wrote:
>>>> What is the assertion format? Binary? XML? Should the library encode it?
>>>> Is the application using the library responsible for providing it with a
>>>> URI-safe string?
>>>
>>> UTF-8 string I guess, the rest should not matter.
>>>
>>> Marius
>>>
>>>
>

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
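
The encoding question in this thread, as an added example that is not code from any participant or from the draft: it assumes percent-encoding of the UTF-8 bytes (one of the options raised above) to fit the quoted value-char rule, and shows why joining raw names and values with delimiters is ambiguous. All function names and sample values are constructed for illustration.

```python
import re
from urllib.parse import quote, unquote

# value-char as quoted in the thread: ALPHA / DIGIT / "-" / "." / "_" / "~" / "%"
VALUE_CHARS = re.compile(r"[A-Za-z0-9\-._~%]*")
# Assumption of this example: "%" may only introduce a two-hex-digit escape.
WELL_FORMED = re.compile(r"(?:[A-Za-z0-9\-._~]|%[0-9A-Fa-f]{2})*")


def encode_value(text: str) -> str:
    """Percent-encode the UTF-8 bytes of text; only unreserved chars pass as-is."""
    return quote(text, safe="", encoding="utf-8")


def is_value_char_string(s: str) -> bool:
    """True if every character of s is in the draft's value-char set."""
    return VALUE_CHARS.fullmatch(s) is not None


def decode_value(s: str) -> str:
    """Strict decode: reject stray '%' and byte sequences that are not UTF-8."""
    if WELL_FORMED.fullmatch(s) is None:
        raise ValueError("malformed percent-encoding: %r" % s)
    return unquote(s, encoding="utf-8", errors="strict")


def naive_join(pairs):
    """String names and values together with delimiters, no encoding."""
    return "&".join(f"{k}={v}" for k, v in pairs)


def encoded_join(pairs):
    """Encode every name and value before adding the delimiters."""
    return "&".join(f"{encode_value(k)}={encode_value(v)}" for k, v in pairs)


if __name__ == "__main__":
    secret = "pässword&x=1"            # constructed sample value
    wire = encode_value(secret)
    print(wire, is_value_char_string(wire), decode_value(wire) == secret)
    one = [("user", "a&b=c")]           # one parameter containing delimiters
    two = [("user", "a"), ("b", "c")]   # two separate parameters
    print(naive_join(one) == naive_join(two))      # indistinguishable
    print(encoded_join(one) == encoded_join(two))  # distinguishable
```
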
