Hi Julian,

Both the Core and Bearer specs already reference W3C.REC-html401-19991224 for 
the definition of application/x-www-form-urlencoded.

I'll leave it up to others to comment on whether the ;charset=UTF-8 parameter 
is correct or not.

                                -- Mike

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of 
Julian Reschke
Sent: Tuesday, June 12, 2012 2:13 AM
To: OAuth WG ([email protected])
Subject: [OAUTH-WG] nits about definition of using form parameters

Hi there,

re <http://tools.ietf.org/html/draft-ietf-oauth-v2-27#section-4.3.2>:

This needs a normative reference to a spec that defines the 
application/x-www-form-urlencoded media type (such as 
<http://www.w3.org/TR/html5/iana.html#application-x-www-form-urlencoded>).

Looking at the media type definition I don't see any mention of a charset 
parameter, so the example probably is wrong. See also
<http://www.w3.org/TR/html5/form-submission.html#url-encoded-form-data>:

"Note: Parameters on the application/x-www-form-urlencoded MIME type are 
ignored. In particular, this MIME type does not support the charset parameter."

I would also advise to change

    The client makes a request to the token endpoint by adding the
    following parameters using the "application/x-www-form-urlencoded"
    format in the HTTP request entity-body:

    grant_type
          REQUIRED.  Value MUST be set to "password".
    username
          REQUIRED.  The resource owner username, encoded as UTF-8.
    password
          REQUIRED.  The resource owner password, encoded as UTF-8.
    scope
          OPTIONAL.  The scope of the access request as described by
          Section 3.3.

to


    The client makes a request to the token endpoint by sending the
    following parameters using the "application/x-www-form-urlencoded"
    format (Section 4.10.22.5 of [WD-html5-20120329]) and a
    character encoding of "UTF-8" in the HTTP request entity-body:

    grant_type
          REQUIRED.  Value MUST be set to "password".
    username
          REQUIRED.  The resource owner username.
    password
          REQUIRED.  The resource owner password.
    scope
          OPTIONAL.  The scope of the access request as described by
          Section 3.3.

Finally, it would be good if the example used characters that require escaping 
in the body, such as "&", "%", or non-ASCII characters.

(similar nits apply to other sections using form encoding)

Best regards, Julian
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
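
The escaping point raised in the message above, as an added example that is not part of the original thread or of the OAuth drafts: it serializes the password-grant parameters as UTF-8 form data and compares the result with unescaped concatenation. The credentials are constructed sample values and the function names are hypothetical.

```python
from urllib.parse import urlencode, parse_qs

# Media type without a charset parameter, following the HTML5 note quoted above.
CONTENT_TYPE = "application/x-www-form-urlencoded"

# Constructed sample credentials containing "&", "%", "=" and non-ASCII characters.
USERNAME = "jörg&co"
PASSWORD = "p%ss=wörd&1"


def build_token_request_body(username, password, scope=None):
    """Serialize the password-grant parameters as form data, using UTF-8
    as the character encoding for percent-escaped bytes."""
    params = [
        ("grant_type", "password"),
        ("username", username),
        ("password", password),
    ]
    if scope is not None:
        params.append(("scope", scope))
    return urlencode(params, encoding="utf-8")


def naive_body(username, password):
    """Unescaped concatenation, kept only to contrast with the version above."""
    return "grant_type=password&username=" + username + "&password=" + password


def parse_body(body):
    """Receiver-side view: split the entity-body and decode escapes as UTF-8."""
    return parse_qs(body, keep_blank_values=True, encoding="utf-8")


if __name__ == "__main__":
    good = build_token_request_body(USERNAME, PASSWORD)
    print("Content-Type:", CONTENT_TYPE)
    print(good)
    print(parse_body(good))                               # values round-trip
    print(parse_body(naive_body(USERNAME, PASSWORD)))     # values are split and truncated
```

With the unescaped body, the receiver sees a truncated username and password plus stray parameter names, which is why an example restricted to plain ASCII letters hides the encoding requirement.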

