Hi there,
the new draft has changed the ABNF for the challenge
(<https://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-13#section-3>),
but I still believe this change is not sufficient (see for instance [1]).
The base problem here is that the spec tries to define an ABNF for a
header field it doesn't define. This doesn't work. The syntax of
WWW-Authenticate is defined by HTTP; all a new authentication scheme
should do is to document the parameters it uses.
The current spec now defines all parameters to use quoted-strings, and
allows recipients to run a standard parser on these. This is a step in
the right direction.
However, it doesn't address the problem that recipients using a generic
parser are likely to also accept the token syntax. We have evidence that
this has happened before for "realm" [2], so, for a new scheme, it would
be good to avoid it upfront.
The simplest possible way to do so is to allow both token and
quoted-string, and this is indeed what HTTPbis P7 now recommends ([3];
disclaimer: I'm one of the editors of that spec, and the text was put in
*because* of this open oauth issue).
Best regards, Julian
[1] <https://www.ietf.org/mail-archive/web/oauth/current/msg07733.html>
[2] <http://greenbytes.de/tech/tc/httpauth/#simplebasictok> and
<http://trac.tools.ietf.org/wg/httpbis/trac/ticket/314>
[3] <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-17.html#rfc.section.2.3.1>
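As an added illustration of the recommendation above (example code written for this page, not part of Julian's mail or of any IETF draft): a small parser for a Bearer challenge that accepts each auth-param value as either token or quoted-string, so that a scheme-specific parser and a generic HTTP WWW-Authenticate parser agree on the same input. The auth-param grammar it encodes is assumed from HTTPbis P7 (token BWS "=" BWS ( token / quoted-string )); the parameter names realm, error, error_description and scope are those of the Bearer draft.

```python
import re

# Assumed grammar (HTTPbis P7 style, not quoted in the mail):
#   challenge  = auth-scheme [ 1*SP #auth-param ]
#   auth-param = token BWS "=" BWS ( token / quoted-string )
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# One parameter, its value in either form, followed by a comma or end of field.
AUTH_PARAM = re.compile(
    r"\s*(" + TOKEN + r")\s*=\s*(" + QUOTED + r"|" + TOKEN + r")\s*(?:,|$)"
)


def unquote(value: str) -> str:
    """Strip surrounding DQUOTEs and resolve quoted-pairs; tokens pass through."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_bearer_challenge(header: str) -> dict:
    """Parse a single Bearer challenge from a WWW-Authenticate field value.

    Every parameter (realm, error, error_description, scope, ...) is accepted
    as token or quoted-string, which is exactly what a generic HTTP parser
    would do; rejecting the token form only for one scheme is what the mail
    warns creates interoperability problems. Names are case-insensitive and
    a duplicated name is treated as a malformed challenge.
    """
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported scheme: {scheme!r}")
    params = {}
    pos = 0
    while pos < len(rest):
        m = AUTH_PARAM.match(rest, pos)
        if m is None:
            raise ValueError(f"malformed auth-param at offset {pos}: {rest[pos:]!r}")
        name = m.group(1).lower()
        if name in params:
            raise ValueError(f"duplicate parameter: {name}")
        params[name] = unquote(m.group(2))
        pos = m.end()
    return params
```

Both `Bearer realm="example"` and `Bearer realm=example` yield the same realm value; a commas inside a quoted-string (for example a quoted scope list) is kept intact rather than split.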
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth