Hello everybody,

Since this is my first post on this list, I’ll say a few words about whoami: My name is Alexey Skolyarov, I work in Saint-Petersburg, Russia. I’m interested in OAuth2 because I found no v2 providers for Jersey<http://jersey.java.net/> except Spring Security, which is much more complex than the 1.0a implementation in Jersey-contrib. Currently I’m under NDA, so I can’t say more ☹

Nevertheless, we’ve done a specification study and found a conflict: in the last paragraph of section 3.1. "Authorization Endpoint"<http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.1> it is mentioned that “Request and response parameters MUST NOT be included more than once”. This statement conflicts with the state parameter definition in section 4.1.2.1 "Error response"<http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.1.2.1>, where it’s said that state is “REQUIRED if a valid "state" parameter was present in the client authorization request. The exact value received from the client”.

How should passing state=QWE&state=ASD inside the same request be handled, then? On the one hand, it is forbidden to process requests with multiple parameter occurrences. But on the other hand, the specification requires passing the state if it was found in the request. Violation of either of these statements can be treated as “partial compliance” with draft-22, so I’m in doubt about which way is preferred there.

What do you guys think? Thanks in advance.

-- 
Best regards,
Alexey Skolyarov
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
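As an added illustration, not code from this thread or from any particular OAuth library, here is how an authorization server could apply both rules at once: reject any request that repeats a parameter with an invalid_request error (section 3.1), and echo state in the error response only when it arrived exactly once (section 4.1.2.1), since a duplicated state has no single "exact value received from the client". Treating the duplicate-state case by omitting state from the error is an assumed design choice, not something draft-22 states.

```python
from urllib.parse import parse_qs, urlencode


def error_response(error: str, description: str, state):
    """Build an authorization-endpoint error response (draft-22 4.1.2.1).

    'state' is echoed only when the caller could determine a single value.
    """
    body = {"error": error, "error_description": description}
    if state is not None:
        body["state"] = state
    # redirect_query is what would be appended to the client's redirect_uri.
    return {"ok": False, "response": body, "redirect_query": urlencode(body)}


def validate_authorization_request(query: str) -> dict:
    """Validate the raw query string of an OAuth 2.0 authorization request.

    Returns {"ok": True, "params": {...}} for an acceptable request, or the
    error structure from error_response() otherwise.
    """
    # parse_qs keeps every occurrence of a name, so duplicates are visible.
    params = parse_qs(query, keep_blank_values=True)
    duplicated = sorted(name for name, values in params.items() if len(values) > 1)

    # Assumed policy: state can be echoed only if it occurred exactly once.
    state_values = params.get("state", [])
    state = state_values[0] if len(state_values) == 1 else None

    if duplicated:
        # Section 3.1: parameters MUST NOT be included more than once.
        return error_response("invalid_request",
                              "duplicate parameter(s): " + ", ".join(duplicated),
                              state)

    missing = [p for p in ("response_type", "client_id") if p not in params]
    if missing:
        return error_response("invalid_request",
                              "missing parameter(s): " + ", ".join(missing),
                              state)

    # Every value is unique here, so flatten the lists.
    return {"ok": True, "params": {k: v[0] for k, v in params.items()}}
```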
