On 2012-07-09 09:08, Mike Jones wrote:
> A preliminary version of OAuth core draft -29 is attached for the
> working group’s consideration and discussion on today’s call. I believe
> that this addresses all issues that have been raised, including Julian’s
> issues about the ABNF, character sets, and form encoding. Changes are:
>
> * Added "MUST" to "A public client that was not issued a client
> password MUST use the client_id request parameter to identify itself
> when sending requests to the token endpoint" and added text
> explaining why this must be so.
> * Added that the authorization server MUST "ensure the authorization
> code was issued to the authenticated confidential client or to the
> public client identified by the client_id in the request".
> * Added Security Considerations section "Misuse of Access Token to
> Impersonate Resource Owner at Public Client".
> * Deleted ";charset=UTF-8" from examples formerly using "Content-Type:
> application/x-www-form-urlencoded;charset=UTF-8".
> * Added the phrase "and a character encoding of UTF-8" when describing
> how to send requests using the HTTP request entity-body, per Julian
> Reschke's suggestion.

I still think that citing HTML4 here doesn't work; the definition of the
media type in HTML4 is known to be insufficient. What's the reason for
not citing the HTML4 working draft here?

> * Added "The ABNF below is defined in terms of Unicode code points
> [UNICODE5]; these characters are typically encoded in UTF-8".
> * For symmetry when using HTTP Basic authentication, also apply the
> application/x-www-form-urlencoded encoding to the client password,
> just as was already done for the client identifier.

That's kind of surprising; what's the rationale for this?

Also, given the complexity of x-www-form-urlencoded, I really really
believe there should be examples of using it with non-ASCII characters.

Finally, the ABNF still fails to address my concerns from a few weeks
ago: <https://www.ietf.org/mail-archive/web/oauth/current/msg09219.html>
Best regards, Julian
_______________________________________________
OAuth mailing list
oauth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
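The thread above touches three mechanics of the token endpoint: a public client must identify itself with the client_id parameter, a confidential client authenticates (for example with HTTP Basic) with both client identifier and client password form-urlencoded before base64 encoding, and the request body is application/x-www-form-urlencoded with UTF-8 code points. The example below is added here to illustrate those rules with non-ASCII characters, as Julian asks for; it is not code from the draft, the working group or either correspondent. It assumes Python's urllib.parse.quote_plus as the form-urlencoded encoder (space to "+", UTF-8 bytes percent-encoded, unreserved characters left alone), and the client table is constructed, reusing the sample client credentials from RFC 6749 ("s6BhdRkqt3" / "gX1fBat3bV") plus an invented public client with the identifier "clé".

```python
import base64
import hmac
from typing import Optional
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

# Constructed client registry: None marks a public client (no client password
# issued); a string is a confidential client's password. The first entry reuses
# the example credentials printed in RFC 6749; the second is invented.
REGISTERED_CLIENTS: dict[str, Optional[str]] = {
    "s6BhdRkqt3": "gX1fBat3bV",   # confidential client
    "clé": None,                  # public client with a non-ASCII identifier
}


def form_encode(value: str) -> str:
    """Encode one value as application/x-www-form-urlencoded does:
    UTF-8 bytes, '+' for space, %HH for everything but unreserved characters."""
    return quote_plus(value, safe="", encoding="utf-8", errors="strict")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header for client authentication at the token endpoint.
    Both credentials are form-encoded first, so a ':' or a non-ASCII character
    in either one cannot corrupt the user:password split of Basic auth."""
    userpass = f"{form_encode(client_id)}:{form_encode(client_secret)}"
    return "Basic " + base64.b64encode(userpass.encode("ascii")).decode("ascii")


def parse_basic_auth_header(header: str) -> tuple[str, str]:
    """Inverse of basic_auth_header; raises ValueError on malformed input."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("unsupported authentication scheme")
    userpass = base64.b64decode(token, validate=True).decode("ascii")
    enc_id, sep, enc_secret = userpass.partition(":")
    if not sep:
        raise ValueError("credentials lack the ':' separator")
    return (unquote_plus(enc_id, encoding="utf-8", errors="strict"),
            unquote_plus(enc_secret, encoding="utf-8", errors="strict"))


def token_request_body(params: dict[str, str]) -> bytes:
    """Entity-body of a token request: form-urlencoded, values as UTF-8."""
    return urlencode(params, encoding="utf-8", errors="strict").encode("ascii")


def resolve_client(authorization_header: Optional[str], body: bytes,
                   registered: dict[str, Optional[str]] = REGISTERED_CLIENTS) -> str:
    """Server side: decide which client a token request belongs to, or raise.

    A confidential client must authenticate; a public client must identify
    itself with the client_id parameter. The returned identifier is the one the
    server must then compare against the client the authorization code was
    issued to (that lookup is outside this example)."""
    form = parse_qs(body.decode("ascii"), keep_blank_values=True,
                    strict_parsing=True, encoding="utf-8", errors="strict")
    body_client_id = form.get("client_id", [None])[0]

    if authorization_header is not None:
        client_id, secret = parse_basic_auth_header(authorization_header)
        expected = registered.get(client_id)
        if expected is None:
            raise ValueError("unknown client, or public client presenting a password")
        if not hmac.compare_digest(secret.encode("utf-8"), expected.encode("utf-8")):
            raise ValueError("client authentication failed")
        if body_client_id is not None and body_client_id != client_id:
            raise ValueError("client_id in body does not match authenticated client")
        return client_id

    if body_client_id is None:
        raise ValueError("public client must send the client_id parameter")
    if body_client_id not in registered:
        raise ValueError("unknown client")
    if registered[body_client_id] is not None:
        raise ValueError("confidential client must authenticate")
    return body_client_id
```

Encoding the credentials before base64 is what keeps a password such as "p@ss wörd" or an identifier such as "clé" round-trippable through Basic auth, since the base64 payload then contains only ASCII and exactly one unencoded ":". The server-side resolver refuses a request with neither authentication nor client_id, and refuses a bare client_id for a client that was issued a password, which is the property the draft's new MUST is meant to guarantee.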