Messages - Clearer statement about string comparison rules needed

Issue #330 resolved
Michael Jones created an issue

The spec currently defines "response_type" as "A space delimited, case sensitive list of string values".

Unfortunately saying case sensitive is not enough since this still leaves a bunch of legal Unicode transactions available that can cause security holes. We need to write in one place somewhere in this spec something that says “String whose only legal operation is a code point for code point comparison” and then define all the strings in the spec as of that type.

This statement could be copied from the JWT spec, where it already exists.

Also, in this case, we might want to say that the response_type consists of only ASCII characters.

Comments (4)

  1. John Bradley

    The ABNF for response type is in Sec 8.4 of OAuth.

    It is not clear from OAuth that the strings are case sensitive, though anything else is probably madness.

    We should probably have a reference.

  2. Nat Sakimura

    From today's OAuth working group consensus, it should all be ASCII, and should be octet to octet comparison.

    Saying space delimited is not good enough either, because there are multiple space chars. We need to explicitly state that it is %20.

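The points raised in the issue (compare code point for code point, restrict to ASCII) and in the second comment (the delimiter is the single octet %20, not "a space") are easiest to see side by side in code. The following is an added example, not text or code from the issue, the OpenID Connect specifications, or OAuth. It assumes the response_type ABNF of RFC 6749 Appendix A.3; the registered set of response types and the look-alike inputs are constructed for the demonstration. The lenient parser does only things a well-meaning implementer might do under the wording "space delimited, case sensitive list"; the strict parser applies the rules the thread asks for.

```python
"""Strict (ASCII, %20-delimited, octet-for-octet) vs lenient handling of
the OAuth 2.0 response_type parameter.  Added example for this thread, not
code from the OpenID Connect or OAuth specifications."""
import re
import unicodedata

# ABNF from RFC 6749 Appendix A.3 (assumed to be the "OAuth" ABNF the
# comments refer to):
#   response-type = response-name *( SP response-name )
#   response-name = 1*response-char
#   response-char = "_" / DIGIT / ALPHA
SP = "\x20"                                   # %20 is the only legal delimiter
RESPONSE_NAME = re.compile(r"[A-Za-z0-9_]+")  # response-char, one or more

# Constructed registry of response_type values a hypothetical server
# supports, stored as the exact strings that must appear on the wire.
REGISTERED = frozenset({"code", "token", "id_token", "code id_token"})


class ResponseTypeError(ValueError):
    """Raised when a response_type value violates the strict rules."""


def lenient_parse(value: str) -> list[str]:
    """A 'helpful' parser: Unicode-normalize, fold case, split on any
    whitespace.  Nothing in 'space delimited, case sensitive list' alone
    forbids this, and it makes many distinct strings compare equal."""
    folded = unicodedata.normalize("NFKC", value).casefold()
    return folded.split()


def lenient_matches(value: str, registered=REGISTERED) -> bool:
    return SP.join(lenient_parse(value)) in registered


def strict_parse(value) -> list[str]:
    """Parse response_type as an ASCII octet string: split on %20 only,
    no empty names (so no leading, trailing or doubled SP), every name
    made only of response-char.  Accepts str or bytes."""
    if isinstance(value, str):
        try:
            raw = value.encode("ascii")       # any non-ASCII code point is rejected
        except UnicodeEncodeError as exc:
            raise ResponseTypeError("response_type must be ASCII") from exc
    else:
        raw = bytes(value)
    names = []
    for name in raw.split(b"\x20"):           # octet 0x20 only, not other whitespace
        text = name.decode("ascii")
        if not text:
            raise ResponseTypeError("empty response-name (leading, trailing or doubled SP)")
        if not RESPONSE_NAME.fullmatch(text):
            raise ResponseTypeError(f"illegal character in response-name {text!r}")
        names.append(text)
    return names


def strict_matches(value, registered=REGISTERED) -> bool:
    """Octet-for-octet comparison against the registry; because both sides
    are ASCII, str equality here is exactly a code point for code point
    comparison."""
    try:
        names = strict_parse(value)
    except ResponseTypeError:
        return False
    return SP.join(names) in registered


if __name__ == "__main__":
    # Constructed inputs: each is a look-alike of a registered value.
    samples = [
        "code id_token",              # canonical
        "CODE",                       # case differs
        "code\u00a0id_token",         # U+00A0 NO-BREAK SPACE as delimiter
        "to\u212aen",                 # U+212A KELVIN SIGN, casefolds to 'k'
        "\uff43\uff4f\uff44\uff45",   # fullwidth 'code', NFKC-normalizes to 'code'
        " code",                      # leading SP
        "code  id_token",             # doubled SP
        "code\tid_token",             # ASCII, but TAB is not SP
    ]
    for s in samples:
        print(f"{s!r:32} lenient={lenient_matches(s)!s:5} strict={strict_matches(s)}")
```

Run as a script it prints one row per constructed input. Every look-alike (different case, a Unicode space, a Kelvin sign standing in for "k", fullwidth letters) is accepted by the lenient parser and rejected by the strict one; the strict parser also rejects leading, trailing or doubled delimiters and any ASCII whitespace other than 0x20, which is the practical content of "the delimiter is %20".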