I believe the UTF-8 piece came from Brian Eaton a while back because of some security issue identified at Google.
EH

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Mike Jones
> Sent: Monday, June 18, 2012 2:48 PM
> To: Julian Reschke; OAuth WG ([email protected])
> Subject: Re: [OAUTH-WG] nits about definition of using form parameters
>
> Hi Julian,
>
> Both the Core and Bearer specs already reference W3C.REC-html401-19991224
> for the definition of application/x-www-form-urlencoded.
>
> I'll leave it up to others to comment on whether the ;charset=UTF-8
> parameter is correct or not.
>
> -- Mike
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Julian Reschke
> Sent: Tuesday, June 12, 2012 2:13 AM
> To: OAuth WG ([email protected])
> Subject: [OAUTH-WG] nits about definition of using form parameters
>
> Hi there,
>
> re <http://tools.ietf.org/html/draft-ietf-oauth-v2-27#section-4.3.2>:
>
> This needs a normative reference to a spec that defines the
> application/x-www-form-urlencoded media type (such as
> <http://www.w3.org/TR/html5/iana.html#application-x-www-form-urlencoded>).
>
> Looking at the media type definition I don't see any mention of a charset
> parameter, so the example probably is wrong. See also
> <http://www.w3.org/TR/html5/form-submission.html#url-encoded-form-data>:
>
> "Note: Parameters on the application/x-www-form-urlencoded MIME type
> are ignored. In particular, this MIME type does not support the charset
> parameter."
>
> I would also advise to change
>
>    The client makes a request to the token endpoint by adding the
>    following parameters using the "application/x-www-form-urlencoded"
>    format in the HTTP request entity-body:
>
>    grant_type
>          REQUIRED.  Value MUST be set to "password".
>    username
>          REQUIRED.  The resource owner username, encoded as UTF-8.
>    password
>          REQUIRED.  The resource owner password, encoded as UTF-8.
>    scope
>          OPTIONAL.  The scope of the access request as described by
>          Section 3.3.
>
> to
>
>    The client makes a request to the token endpoint by sending the
>    following parameters using the "application/x-www-form-urlencoded"
>    format (Section 4.10.22.5 of [WD-html5-20120329]) and a
>    character encoding of "UTF-8" in the HTTP request entity-body:
>
>    grant_type
>          REQUIRED.  Value MUST be set to "password".
>    username
>          REQUIRED.  The resource owner username.
>    password
>          REQUIRED.  The resource owner password.
>    scope
>          OPTIONAL.  The scope of the access request as described by
>          Section 3.3.
>
> Finally, it would be good if the example used characters that require escaping
> in the body, such as "&", "%", or non-ASCII characters.
>
> (similar nits apply to other sections using form encoding)
>
> Best regards, Julian
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
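
The form encoding discussed in this thread, as an added example that is not part of the thread or of the OAuth draft: it serializes the Section 4.3.2 parameters with UTF-8 percent-encoding, using values that contain "&", "%" and non-ASCII characters, and shows what a receiver gets when it decodes the same body with a different character encoding. The function names and the sample credentials are constructed for illustration.

```python
from urllib.parse import urlencode, parse_qs


def build_token_request_body(username, password, scope=None):
    """Serialize the password-grant parameters as
    application/x-www-form-urlencoded, percent-encoding the UTF-8 bytes."""
    params = [("grant_type", "password"),
              ("username", username),
              ("password", password)]
    if scope is not None:
        params.append(("scope", scope))
    return urlencode(params, encoding="utf-8")


def parse_token_request_body(body, encoding="utf-8"):
    """Decode a form body. errors="strict" rejects byte sequences that are
    invalid in `encoding` instead of substituting replacement characters."""
    parsed = parse_qs(body, keep_blank_values=True, strict_parsing=True,
                      encoding=encoding, errors="strict")
    # Reject repeated parameters rather than silently picking one value.
    for name, values in parsed.items():
        if len(values) != 1:
            raise ValueError(f"parameter {name!r} repeated")
    return {name: values[0] for name, values in parsed.items()}


# Constructed sample credentials (not from the draft).
SAMPLE_USER = "jürgen&co"
SAMPLE_PASSWORD = "p%ss=wörd&1"

if __name__ == "__main__":
    body = build_token_request_body(SAMPLE_USER, SAMPLE_PASSWORD)
    print(body)
    # Receiver decoding as UTF-8 recovers the original credentials.
    print(parse_token_request_body(body))
    # Receiver assuming ISO-8859-1 sees different credentials.
    print(parse_token_request_body(body, encoding="iso-8859-1"))
```

A body whose non-ASCII bytes were produced with another encoding (for example `%FC` for "ü") raises `UnicodeDecodeError` in `parse_token_request_body` under the default UTF-8 setting, so the mismatch surfaces as a rejected request rather than as a silently altered username or password.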
