indieweb / indieauth

IndieAuth.net website code and IndieAuth Specification

Refer to OAuth 2.0 Appendix A for value limitations of the used parameters. #7

Closed Zegnat closed 6 years ago

Zegnat commented 6 years ago

Apart from the first mention that IndieAuth is built on top of OAuth there is little reference to other limitations set out by OAuth. I still think IndieAuth should follow any such limitations and it would be worth calling them out.

Appendix A of OAuth 2.0 contains the ABNF syntax for the pieces the rest of the spec relies upon. The following would be important for IndieAuth specifically (in order of occurrence in the IndieAuth spec):

state       = 1*VSCHAR                        ; A.5.
code        = 1*VSCHAR                        ; A.11.
scope       = scope-token *( SP scope-token ) ; A.4.
scope-token = 1*NQCHAR                        ; idem.
VSCHAR      = %x20-7E                         ; Specified by Appendix A.
NQCHAR      = %x21 / %x23-5B / %x5D-7E        ; idem.
SP          = %x20                            ; Core ABNF of ABNF, RFC 5234, Appendix B.

All other IndieAuth parameters are URLs and should follow the URL spec for validity.

The important one of note is scope, as its scope-tokens are limited to a specific character range. state and code are simply limited to the visible ASCII range, though even that might warrant being specified by IndieAuth.

At least one current implementation of an authorization endpoint follows the limitations as set by OAuth. See selfauth’s scope validation.
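One way to enforce the ABNF limits quoted above in an authorization endpoint, as an added example in Python that is not code from the issue, the IndieAuth spec or selfauth. The function names and the constructed sample request parameters are assumptions made for illustration; the character classes are transcribed from the OAuth 2.0 Appendix A rules listed in the comment.

```python
from __future__ import annotations

import re

# Character classes transcribed from OAuth 2.0 (RFC 6749) Appendix A, as
# quoted in the issue. NQCHAR is VSCHAR without SP (0x20), DQUOTE (0x22)
# and backslash (0x5C).
VSCHAR_RE = re.compile(r"[\x20-\x7E]+")
NQCHAR_RE = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def valid_state(value: str) -> bool:
    """state = 1*VSCHAR (A.5): at least one printable ASCII character."""
    return VSCHAR_RE.fullmatch(value) is not None


def valid_code(value: str) -> bool:
    """code = 1*VSCHAR (A.11): same alphabet as state."""
    return VSCHAR_RE.fullmatch(value) is not None


def parse_scope(value: str) -> list[str] | None:
    """scope = scope-token *( SP scope-token ), scope-token = 1*NQCHAR (A.4).

    Returns the list of tokens, or None if the value is not well formed.
    Exactly one SP separates tokens, so a leading, trailing or doubled space
    yields an empty token and is rejected rather than silently trimmed.
    """
    tokens = value.split(" ")
    if not all(NQCHAR_RE.fullmatch(t) for t in tokens):
        return None
    return tokens


def check_authorization_request(params: dict[str, str]) -> dict[str, str]:
    """Validate the non-URL parameters of an IndieAuth authorization request.

    Returns a mapping of parameter name to error message; empty means OK.
    Only the parameters whose syntax the issue quotes are checked here; the
    URL parameters (me, client_id, redirect_uri) need a URL parser instead.
    (Hypothetical helper written for this example.)
    """
    errors: dict[str, str] = {}
    if "state" in params and not valid_state(params["state"]):
        errors["state"] = "state must be 1*VSCHAR (printable ASCII, non-empty)"
    if "scope" in params and parse_scope(params["scope"]) is None:
        errors["scope"] = "scope must be NQCHAR tokens separated by single spaces"
    return errors


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real client.
    good = {"state": "xyz.123", "scope": "create update"}
    bad = {"state": "état", "scope": ' create "update"'}
    print(check_authorization_request(good))  # {}
    print(check_authorization_request(bad))   # both parameters flagged
```

Note that `state` and `code` may legitimately contain a space (SP is within VSCHAR), whereas a `scope` value is rejected for a double quote, a backslash, or any spacing other than a single SP between tokens, which is exactly the asymmetry the comment points out.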