+1 I would also prefer to not restrict scope values but provide clear encoding for places where transport is going to be an issue. This is what we do with tokens, which show up in the same places. Am I missing the reason we can't use the exact same rules (modulo the single space character) that apply to tokens?
-- Justin On Tue, 2011-10-04 at 19:52 -0400, Mark Lentczner wrote: > I think James has made the case that there is an issue clear. > > > As for what to pick, I favor not restricting scopes in the core spec, > and clearly specifying the way scopes will be presented in HTTP > headers in the bearer spec. > > > For the later, James supplies a nice list of the alternatives. > Personally, I think the URI-escaping is least likely to trip > developers up. One must be aware, though, that if there is only one > scope string to provide, and it meets the token production, then the > scope needn't be in quotes. > > > I believe RFC 5987 is vast over-kill in this case. We have no need to > enable multiple different encodings, nor multiple encodings with a > single header. Further, I wonder how widespread support for it is in > various HTTP frameworks. > > > - Mark > > _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
