What makes this so much different from Basic? Instead of using a flow the browser simply asks the user for a set of credentials. Once it has a set, it reuses it based on realm.
EHL

> -----Original Message-----
> From: Brian Eaton [mailto:bea...@google.com]
> Sent: Thursday, April 22, 2010 11:22 AM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] 'Scope' parameter proposal
>
> On Thu, Apr 22, 2010 at 11:01 AM, Eran Hammer-Lahav
> <e...@hueniverse.com> wrote:
> > Rules around realms show this is very tricky but unless we update 2617
> > (which we are not chartered to do) we are still stuck with realm as a
> > required parameter.
> > One way to avoid this debate is to simply say that clients should use
> > realms to decide when to reuse tokens. It doesn't solve the problem,
> > but it doesn't create a new one either.
>
> The existing rules for realm are basically same-origin policy. That doesn't
> actually work for any of the delegated auth solutions that
> OAuth2 is based on, and is meant to replace. Telling people to use realm is
> terrible, no-good, very-bad advice.
>
> As far as I can tell, the only practical guidance we can give developers is
> "follow the service provider documentation."
>
> Cheers,
> Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
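
The realm-keyed reuse debated in this thread, as an added example that is not part of either message: a client-side credential cache keyed on the RFC 2617 protection space (canonical root URL of the server plus the case-sensitive realm). The host names, realm strings and token values are constructed for illustration, and `CredentialCache` is a hypothetical helper, not an OAuth API.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def protection_space(url, realm):
    """RFC 2617 section 1.2: canonical root URL of the server + realm (case-sensitive)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # An explicit default port and an omitted port name the same server root.
    port = parts.port or DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname, port, realm)


class CredentialCache:
    """Hypothetical client cache that reuses a credential only inside one protection space."""

    def __init__(self):
        self._store = {}

    def remember(self, url, realm, credential):
        self._store[protection_space(url, realm)] = credential

    def lookup(self, url, realm):
        return self._store.get(protection_space(url, realm))


def demo():
    cache = CredentialCache()
    # Constructed sample: a token obtained while accessing one resource server.
    cache.remember("https://photos.example.com/albums", "example", "token-A")
    return {
        # Same server root, different path and query: reused.
        "same_origin": cache.lookup("https://photos.example.com/albums/7?x=1", "example"),
        # Explicit default port is still the same server root: reused.
        "explicit_port": cache.lookup("https://photos.example.com:443/x", "example"),
        # Sibling host announcing the same realm string: not reused, which is
        # the same-origin behaviour that delegated setups run into.
        "other_host": cache.lookup("https://contacts.example.com/me", "example"),
        # Realm comparison is case-sensitive: not reused.
        "other_realm": cache.lookup("https://photos.example.com/albums", "Example"),
    }


if __name__ == "__main__":
    for case, credential in demo().items():
        print(f"{case:14} -> {credential}")
```
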