By design, implementations can use existing quoted-string parsers, as these
accept and correctly process all legal scope values.
The spec is silent on what to do with illegal values, such as those containing
\ or those not surrounded by ". Conforming implementations will not produce
such values, and so there's no actual problem in practice, whether you use an
off-the-shelf parameter parser or one specific to the Bearer scheme.
Thanks for sweating the details, by the way. The spec is better for it.
Best wishes,
-- Mike
-----Original Message-----
From: Julian Reschke [mailto:[email protected]]
Sent: Thursday, October 20, 2011 1:05 AM
To: Mike Jones
Cc: [email protected]
Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -10
On 2011-10-20 09:41, Mike Jones wrote:
> Your proposed wording for 2.4 misses the point: \ MUST NOT occur at all in
> the input string. No quoting may occur.
> ...
No, it doesn't miss the point.
You need to tell implementers whether they can use a quoted-string processor.
Those processors will accept all the values you want to support, plus values
that contain "\c" (representing "c"). Is this ok, or are recipients supposed to
reject these values?
Furthermore, it's not clear what recipients are supposed to do with values that
are not quoted, for instance for scope. The ABNF makes them illegal, but I
promise you that many recipients will accept them nevertheless (unless you
manage them to become draconian using a very good test suite).
See <http://greenbytes.de/tech/tc/httpauth/#simplebasictok> for a test case
checking this for the realm parameter. It's already bad for many existing
headers, please let's do things right with new ones.
Best regards, Julian
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
