This is better.

<scope> is not quite correct as the right-hand side is not quite a subset of
<quoted-string> since <quoted-char> allows "\" as a character, instead of
treating it as an escape character.

Option 1: remove "\" from <quoted-char>

Option 2: define <scope> as <"scope" "=" quoted-string>, and in the following
paragraph say the "scope" attribute is a space-separated list of individual
scope values -- more precisely, individual scope values are separated by <RWS>
(and consequently cannot contain <RWS>).

I prefer option 2.

"WWW-Authenticate: OAuth2" is not strictly valid because it doesn't have a
space <RWS> after the scheme.
RFC2617 and draft-ietf-httpbis-p7-auth-12 actually use <1*SP>, instead of
<RWS> in the generic definition of <challenge>.

Option 3: <challenge = "OAuth2" 1*SP 1#param>
Add realm to <param>; add back paragraph saying the mandatory "realm"
attribute allows protected resources on a server to be partitioned, as
specified in RFC2617. Don't bother with any extra explanation.

Option 4: <challenge = "OAuth2" [ 1*SP #param ]>
Add a paragraph explicitly saying this scheme does not quite obey the
generic rules for schemes defined in RFC2617 because it does not require a
"realm" parameter or, in fact, any parameters.

I prefer option 4, despite believing "realm" has some value. Most servers will
have a single protection space (=realm), plus NTLM and Negotiate schemes
already omit "realm", so I think disobeying RFC2617 here is ok (and fixing
draft-ietf-httpbis-p7-auth-12).

<URI-Reference> should be
<URI-reference>
--
James Manger
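
The grammar of Option 2 and Option 4 above, as an added example that is not part of the original message or of any draft: a Python parser that accepts a bare "OAuth2" challenge, treats "\" inside a quoted-string as an escape character, and splits "scope" on whitespace. The function name and sample header values are constructed for illustration; accepting token-form values and rejecting duplicate parameters are assumptions.

```python
import re

# HTTP token characters; parameter values are a quoted-string or (assumption) a token.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_PARAM = re.compile(
    r'[ \t,]*(' + TOKEN + r')[ \t]*=[ \t]*'
    r'(?:"((?:[^"\\]|\\.)*)"|(' + TOKEN + r'))[ \t]*(?:,|$)'
)


def parse_oauth2_challenge(value):
    """Parse one challenge under Option 4: "OAuth2" [ 1*SP #param ].

    Returns a dict of parameters ({} for a bare "OAuth2"), or None when the
    scheme is not OAuth2. Raises ValueError on malformed parameters.
    """
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "oauth2":
        return None
    rest = rest.strip(" \t,")  # tolerate empty list elements at either end
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            raise ValueError("malformed parameter at offset %d" % pos)
        name, quoted, bare = m.group(1).lower(), m.group(2), m.group(3)
        # Inside a quoted-string, "\x" stands for the literal character x.
        val = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
        if name in params:
            raise ValueError("duplicate parameter: " + name)
        params[name] = val
        pos = m.end()
    if "scope" in params:
        # Option 2: scope values are whitespace-separated and cannot contain whitespace.
        params["scope"] = params["scope"].split()
    return params


if __name__ == "__main__":
    # Constructed sample header values.
    print(parse_oauth2_challenge("OAuth2"))
    print(parse_oauth2_challenge('OAuth2 realm="example", scope="read write"'))
    print(parse_oauth2_challenge(r'OAuth2 scope="one\"two three"'))
```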