> what about an additional realm response value?
My original suggestion (http://www.ietf.org/mail-archive/web/oauth/current/msg01920.html) had a “realm” in addition to “sites”. I still think that should be present (though more to match the HTTP auth model (RFC2617) than an expectation that it will be used by most services).

> If there is a binding between realm and token, the client can decide based on
> the realm attribute discovered using a WWW-Authenticate response which token
> to use.

“realm” is not sufficient, however. A “realm” doesn’t stop you sending a token to a bad site. Even if an app makes an unauthenticated call first, there is nothing to stop the bad site responding with a WWW-Auth header with the right “realm” value so the client app will reveal the token.

-- James Manger
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
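The point made in the message above, shown as an added example (not code from the thread or from any OAuth implementation): a client that picks a token by the realm in a WWW-Authenticate challenge alone hands the token to whichever host sent the challenge, whereas binding each stored token to the site it was issued for as well as the realm keeps it from leaving that site. The token store, hostnames and challenge strings are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


# Constructed client-side token store: each token is bound to the site
# (scheme + host) it was issued for, not only to a realm name.
@dataclass(frozen=True)
class StoredToken:
    token: str
    site: str   # e.g. "https://api.example.com" (constructed value)
    realm: str


TOKENS = [
    StoredToken("tok-photos-1", "https://api.example.com", "photos"),
    StoredToken("tok-mail-1", "https://mail.example.com", "mail"),
]

_REALM_RE = re.compile(r'realm\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_realm(www_authenticate: str):
    """Return the realm value from a WWW-Authenticate challenge, or None."""
    m = _REALM_RE.search(www_authenticate)
    return m.group(1) if m else None


def site_of(url: str) -> str:
    """Normalise a request URL to the site (scheme://host) a token is bound to."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def pick_by_realm_only(challenge: str):
    """Selection by realm alone: any host that echoes a known realm gets the token."""
    realm = parse_realm(challenge)
    return next((t.token for t in TOKENS if t.realm == realm), None)


def pick_by_site_and_realm(request_url: str, challenge: str):
    """Selection that also requires the responding site to match the token's binding."""
    realm = parse_realm(challenge)
    site = site_of(request_url)
    return next((t.token for t in TOKENS if t.site == site and t.realm == realm), None)


if __name__ == "__main__":
    challenge = 'OAuth realm="photos"'  # constructed challenge echoing a valid realm
    print(pick_by_realm_only(challenge))                                    # tok-photos-1
    print(pick_by_site_and_realm("https://unrelated.example.net/x", challenge))  # None
    print(pick_by_site_and_realm("https://api.example.com/photos", challenge))   # tok-photos-1
```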