Re: [OAUTH-WG] Last Call: draft-ietf-oauth-v2-bearer-15.txt (The

2012-01-25 Thread Julian Reschke
On 2012-01-25 03:14, Bjoern Hoehrmann wrote: ... +1 ... If you want to keep the distinction, you should offer an argument why this is something individual schemes should regulate (since having the same rules for all schemes is much simpler). ... Exactly. I've been asking this many times,

Re: [OAUTH-WG] Last Call: draft-ietf-oauth-v2-bearer-15.txt (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard

2012-01-25 Thread Mike Jones
Eran, do I then correctly understand that you've changed your mind on the position you took in http://www.ietf.org/mail-archive/web/oauth/current/msg07698.html, which was: All I agree with is to limit the scope character-set in the v2 spec to the subset of ASCII allowed in HTTP header

Re: [OAUTH-WG] Last Call: draft-ietf-oauth-v2-bearer-15.txt (The

2012-01-25 Thread Martin Rex
Mike Jones wrote: Per the discussion at http://www.ietf.org/mail-archive/web/oauth/current/msg08040.html, the working group's rationale for supporting quoted-string but not token syntax for these parameters, and for requiring that backslash ('\') quoting not be used when producing them

Re: [OAUTH-WG] Last Call: draft-ietf-oauth-v2-bearer-15.txt (The

2012-01-25 Thread Bjoern Hoehrmann
* Mike Jones wrote: Thanks for asking, Martin. That's effectively what the spec does already. It restricts the input values of these parameters to be quoted strings containing no backslashes. Most XML parsers do not tell you, and most XML generators do not allow you to control, the difference

Re: [OAUTH-WG] Last Call: draft-ietf-oauth-v2-bearer-15.txt (The

2012-01-25 Thread Martin Rex
Bjoern Hoehrmann wrote: * Mike Jones wrote: Thanks for asking, Martin. That's effectively what the spec does already. It restricts the input values of these parameters to be quoted the HTTP specification does not give you an interface that allows you to tell `x` and `x`

Re: [OAUTH-WG] Last Call: draft-ietf-oauth-v2-bearer-15.txt (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard

2012-01-25 Thread Justin Richer
My agreement was, and is, to the *production* rules and not the *parsing* rules. So long as the former is a proper subset of the latter, everything is fine. What's happening here is that the spec is being read -- by experts -- as if it were superceding the latter, and that's not a good thing.

[OAUTH-WG] WWW-Authenticate Header (Bearer etc.)

2012-01-25 Thread Eran Hammer
People seems confused about the issue raised by Julian. It is pretty simple. The HTTP WWW-Authenticate header definition allows each header parameter to have a quoted string or token value. Token values are very restrictive and not suitable for scope (no spaces, etc.). Quoted strings allow a

Re: [OAUTH-WG] Last Call: draft-ietf-oauth-v2-bearer-15.txt (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard

2012-01-25 Thread Peter Saint-Andre
hat type='TechAdvisor'/ (see http://tools.ietf.org/wg/oauth/charters ) On 1/25/12 1:37 AM, Mike Jones wrote: Eran, do I then correctly understand that you've changed your mind on the position you took in http://www.ietf.org/mail-archive/web/oauth/current/msg07698.html, which was: All I agree