Re: [OAUTH-WG] [Gen-art] Gen-ART Telechat review of draft-ietf-oauth-v2-bearer-22.txt

Tue, 17 Jul 2012 10:58:01 -0700 

On 17/07/2012 18:15, Mike Jones wrote:

For clarity of discussion, the definition in question is:
      b64token    = 1*( ALPHA / DIGIT /
                        "-" / "." / "_" / "~" / "+" / "/" ) *"="

Note that b64token is a liberal syntax intended to permit base64 encoded content (hence the inclusion of the "+" and "/" 
characters and the optional trailing "=" characters), base64url encoded content (hence the inclusion of the "-" and "_" 
characters) and other URL-safe productions (hence the inclusion of the "." and "~" characters).

Its use is definitely not intended to be restricted to base64 encoded content, per RFC 
4648. If it were so restricted (by not allowing ".", for instance), this would 
exclude the use of JWTs as bearer tokens, for instance, which is something we 
*definitely* want to allow.

As a result, I don't think adding a reference to RFC 4648 is either necessary 
or appropriate.
In this case, can you please rename the production to something which is clearly not a base64 string. 


Julian may be able to provide more background.

                                Best wishes,
                                -- Mike

-----Original Message-----
From: Alexey Melnikov [mailto:[email protected]]
Sent: Tuesday, July 17, 2012 10:02 AM
To: Julian Reschke; Mike Jones
Cc: The IESG; General Area Review Team; [email protected]; 
[email protected]; Stephen Farrell
Subject: Re: [Gen-art] [OAUTH-WG] Gen-ART Telechat review of 
draft-ietf-oauth-v2-bearer-22.txt

On 17/07/2012 17:40, Julian Reschke wrote:

On 2012-07-17 18:10, Mike Jones wrote:

FYI, the b64 token definition is identical to the one in
draft-ietf-httpbis-p7-auth-20.  If it works there, it should work for
OAuth Bearer.
...

+1; not every constraint needs to be expressed in the ABNF. "b64token"
is here so recipients can parse the header field; it's up to the auth
scheme to state what the addition constraints are; and that can happen
in prose.

I didn't say that it has to be expressed in ABNF (although I obviously wouldn't 
mind). I would like an ABNF comment pointing to the document which defines 
base64.






_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to