As Eran wrote on 9/30, "The fact that the v2 spec allows a wide range of
characters in scope was unintentional. The design was limited to allow simple
ASCII strings and URIs."
-- Mike
-----Original Message-----
From: Julian Reschke [mailto:[email protected]]
Sent: Sunday, October 16, 2011 3:44 AM
To: Mike Jones
Cc: Tschofenig, Hannes (NSN - FI/Espoo); Hannes Tschofenig; OAuth WG
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-09: Open Issues & Proposed
Resolutions
On 2011-10-16 07:12, Mike Jones wrote:
> In your note yesterday summarizing our proposed issue resolutions, you wrote
> "The scope field is yet another item that will not be shown to the user and
> it serves the purpose of an identifier for authorization comparison. So, we
> don't need to have any internationalization support here either."
>
> I'm therefore confused by your note below, Hannes, as it seems to me
> to contradict both your statement above. In particular, there's no
> need for Unicode encodings when internationalization isn't required.
> ASCII characters are fine for representing machine-readable scope
> elements that will never be displayed to users. That's the approach
> I'm taking in draft 10. (And indeed, EVERY draft of the bearer token
> spec has specified only ASCII characters, so this is nothing new...)
Confused we are :-)
The core spec doesn't restrict what can be in a scope (looking at
<https://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.3>).
Also, you wrote earlier on:
> Any strings that the Authorization Server chooses to define meanings for
Best regards, Julian
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
