On Thu, Apr 22, 2010 at 11:01 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> Rules around realms show this is very tricky but unless we update 2617 (which we
> are not chartered to do) we are still stuck with realm as a required parameter.
> One way to avoid this debate is to simply say that clients should use realms to
> decide when to reuse tokens. It doesn't solve the problem, but it doesn't create a
> new one either.

The existing rules for realm are basically same-origin policy. That doesn't actually work for any of the delegated auth solutions that OAuth2 is based on, and is meant to replace. Telling people to use realm is terrible, no-good, very-bad advice.

As far as I can tell, the only practical guidance we can give developers is "follow the service provider documentation."

Cheers,
Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth