Luke said:
> I think the difference between your cookie example and OAuth token is that
> cookies are automatically sent on every request, so there have to be rules
> about when they are automatically appended. OAuth access tokens aren't the
> same thing - they are explicitly added by developers on each request, so we
> don't need to overspecify rules in the protocol that should be handled by
> developers.
It is not just cookies, but HTTP Basic, HTTP Digest, NTLM etc. are automatically sent on every request. In fact, I suspect most auth schemes are automatically applied. OAuth should not be any different. I hope decent libraries allow an OAuth token to be configured orthogonally to the code that actually makes the API requests. Even if tokens are “explicitly added by developers on each request”, the developers need to know which requests this applies to. A cornerstone of hypertext is making requests based on links in responses. How does an app know if a link it finds in a response is part of the same API (so the token should be added) or an “external” link?

-- James Manger
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
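The question James raises (which links in a response should carry the token) is one a client library can answer by scoping the bearer token to the origin it was issued for. The following is an added example, not code from the thread or from any OAuth library; `API_ORIGIN` and the sample links are constructed values.

```python
"""Added example: attach a bearer token only to requests that target the
origin the token was issued for. Links found in responses (relative,
absolute, or protocol-relative) are resolved first and then checked, so
the token is never sent to an "external" host. API_ORIGIN is a constructed
sample value."""
from urllib.parse import urlsplit, urljoin

API_ORIGIN = "https://api.example.com"   # constructed: origin the token is for

_DEFAULT_PORT = {"https": 443, "http": 80}


def same_origin(url: str, origin: str = API_ORIGIN) -> bool:
    """True when scheme, host and port of url match the configured origin.

    Comparing scheme too means a token issued for https is withheld from a
    plain-http link to the same host; hostname is already lower-cased by
    urlsplit, and default ports are filled in so ':443' compares equal."""
    u, o = urlsplit(url), urlsplit(origin)
    u_port = u.port or _DEFAULT_PORT.get(u.scheme)
    o_port = o.port or _DEFAULT_PORT.get(o.scheme)
    return (u.scheme == o.scheme
            and (u.hostname or "") == (o.hostname or "")
            and u_port == o_port)


def headers_for(url: str, token: str) -> dict:
    """Build request headers; Authorization is present only for same-origin URLs."""
    headers = {"Accept": "application/json"}
    if same_origin(url):
        headers["Authorization"] = f"Bearer {token}"
    return headers


def follow(request_url: str, link: str, token: str) -> tuple[str, dict]:
    """Resolve a link found in the response to request_url and decide whether
    the token travels with the follow-up request."""
    target = urljoin(request_url, link)
    return target, headers_for(target, token)


def classify_links(request_url: str, links: list, token: str) -> dict:
    """Map each resolved link to whether the token would be attached."""
    return {follow(request_url, l, token)[0]:
            "Authorization" in follow(request_url, l, token)[1] for l in links}
```

The protocol-relative form (`//other.host/path`) is the case that catches naive prefix checks: `urljoin` resolves it to a different host, so the token is withheld.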