> While you take the viewpoint that the bearer spec is restricting scope
> values, in fact, the spec intentionally allows all characters that can be
> safely communicated in an HTTP response header parameter to be used.
But "all characters that can be safely communicated in an HTTP response header parameter" is only a subset of the characters that OAuth Core allows in a scope value (any Unicode string excluding space). I don't understand how this isn't the Bearer spec restricting scope values.

P.S. You recognize here that non-ASCII chars cannot be safely communicated in an HTTP response header parameter. This is why Julian was concerned about the spec saying the error_description holds raw UTF-8.

[Actually the ABNF for error_description restricts it to 93 ASCII chars, so when the text says it is UTF-8 encoded it is raising the potential problem of arbitrary UTF-8 in HTTP headers unnecessarily.]

--
James Manger

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
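The subset relationship James describes (Core scope values are any non-space Unicode, while a Bearer `WWW-Authenticate` challenge can only carry header-safe ASCII) is easy to see when you try to build the challenge. The following is an added example written for this page, not code from the thread or from any OAuth implementation. The character ranges it checks against are my reading of the Bearer spec's `scope-v` rule (%x21 / %x23-5B / %x5D-7E) and of the 93-character `error_description` set the post mentions (%x20-21 / %x23-5B / %x5D-7E); the function names and the realm handling are my own choices.

```python
# Added example (not from the mailing-list thread). Shows which OAuth Core scope
# tokens can and cannot be placed in a Bearer WWW-Authenticate challenge, and
# validates error_description against its ASCII-only character set.
import re
from typing import List, Optional, Tuple

# Assumed Bearer scope-v character set: %x21 / %x23-5B / %x5D-7E
# (printable ASCII minus space, double quote and backslash).
SCOPE_TOKEN_RE = re.compile(r"[\x21\x23-\x5b\x5d-\x7e]+")

# Assumed error_description character set: %x20-21 / %x23-5B / %x5D-7E,
# which is the 93 ASCII characters the post refers to.
ERROR_DESCRIPTION_RE = re.compile(r"[\x20-\x21\x23-\x5b\x5d-\x7e]*")


def core_scope_tokens(scope: str) -> List[str]:
    """Split a Core-style scope string: space-separated, any non-space chars allowed."""
    tokens = scope.split(" ")
    if any(tok == "" for tok in tokens):
        raise ValueError("scope contains an empty token (leading, trailing or doubled space)")
    return tokens


def header_safe_tokens(scope: str) -> Tuple[List[str], List[str]]:
    """Partition Core scope tokens into those a Bearer challenge can carry and those it cannot."""
    safe: List[str] = []
    unsafe: List[str] = []
    for tok in core_scope_tokens(scope):
        (safe if SCOPE_TOKEN_RE.fullmatch(tok) else unsafe).append(tok)
    return safe, unsafe


def www_authenticate(realm: str, scope: str, error: Optional[str] = None,
                     error_description: Optional[str] = None) -> str:
    """Build a Bearer challenge, refusing any value that is not header-safe.

    Refusing (rather than silently dropping or percent-encoding) keeps the
    server from emitting a header it cannot represent faithfully.
    """
    safe, unsafe = header_safe_tokens(scope)
    if unsafe:
        raise ValueError("scope tokens not representable in a Bearer challenge: %r" % unsafe)
    # Realm is checked against the same conservative ASCII set (my choice, not a spec rule).
    if not ERROR_DESCRIPTION_RE.fullmatch(realm):
        raise ValueError("realm contains characters outside the permitted ASCII set")
    params = ['realm="%s"' % realm, 'scope="%s"' % " ".join(safe)]
    if error is not None:
        if not SCOPE_TOKEN_RE.fullmatch(error):
            raise ValueError("error code must be a header-safe token")
        params.append('error="%s"' % error)
    if error_description is not None:
        # Raw UTF-8 here would be exactly the problem the post warns about.
        if not ERROR_DESCRIPTION_RE.fullmatch(error_description):
            raise ValueError("error_description contains characters outside the 93-char ASCII set")
        params.append('error_description="%s"' % error_description)
    return "Bearer " + ", ".join(params)


if __name__ == "__main__":
    # Constructed sample: the second scope token is valid for Core but not for the header.
    print(header_safe_tokens("read 読書"))
    print(www_authenticate("api", "read write", "insufficient_scope", "Need the write scope"))
```

A server that stores Core-style scopes but issues Bearer challenges needs exactly this kind of gate at the boundary, since an unchecked non-ASCII or quote character in the header is a representation problem at best and a header-injection vector at worst.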
