#5: Separate scheme names for bearer tokens, request signing, and delegation
---------------------------------+------------------------------------------
 Reporter:  ja...@…              |       Owner:
     Type:  defect               |      Status:  new
 Priority:  major                |   Milestone:
Component:  authentication       |     Version:  2.0
 Severity:  -                    |    Keywords:
---------------------------------+------------------------------------------

The same HTTP authentication scheme name "Token" is overloaded with 3 (or 4) distinct roles. This hinders the use of auth scheme names by client apps to choose how to authenticate to a server. It doesn't match existing usage of auth scheme names.
A server should be able to indicate that a resource can be accessed:

 1. When the request is signed (MACed) with a shared secret key;
 2. When user consent has been obtained (at a given user-uri);
 3. When a client credential has been swapped for a token (at a given token-uri);
 4. When the request is accompanied by an authorization token.

These indications should be independent. Because "Token" is overloaded, a "WWW-Authenticate: Token ..." HTTP header can only indicate all of these together.

Suggested solution: use at least 3 different names in the various places "Token" is currently used -- perhaps "MAC", "Delegate" (or "OAuth"), and "Token".

--
Ticket URL: <http://trac.tools.ietf.org/wg/oauth/trac/ticket/5>
oauth <http://tools.ietf.org/oauth/>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
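The following is an added illustration of the ticket's point and is not part of the ticket or of any OAuth draft. It parses a WWW-Authenticate header into its individual challenges (one scheme name plus its auth-params each, the way RFC 7235 structures them) and then lets a client pick a challenge purely by scheme name. The two sample header values are constructed: one uses the single overloaded "Token" scheme with every parameter lumped together, the other uses the three separate names the ticket suggests ("MAC", "Delegate", "Token"). The parameter names "user-uri", "token-uri" and "algorithm" are taken from the ticket or assumed for illustration; no draft defines exactly these.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample WWW-Authenticate values (not from the ticket).
# One overloaded "Token" challenge carrying signing, consent and token-swap
# parameters all at once: a client cannot tell from the scheme name which
# of the three it is actually expected to do.
OVERLOADED = ('Token realm="api", algorithm="hmac-sha-256", '
              'user-uri="https://as.example/consent", '
              'token-uri="https://as.example/token"')

# The same server advertising the three roles under separate scheme names.
SEPARATED = ('MAC realm="api", algorithm="hmac-sha-256", '
             'Delegate realm="api", user-uri="https://as.example/consent", '
             'token-uri="https://as.example/token", '
             'Token realm="api"')

# RFC 7230 "token" characters; used for scheme names and auth-param names.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_SCHEME = re.compile(rf"({_TCHAR})")
# name=token or name="quoted-string" (quoted-pair escapes allowed).
_PARAM = re.compile(rf'\s*({_TCHAR})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({_TCHAR}))')

Challenge = Tuple[str, Dict[str, str]]


def parse_challenges(header: str) -> List[Challenge]:
    """Split a WWW-Authenticate value into (scheme, params) pairs.

    Commas separate both auth-params and challenges, so a new challenge is
    recognised when a bare token is NOT followed by '='. The token68 form
    (e.g. 'Basic abc==' in a Proxy/WWW challenge) is not handled here.
    """
    challenges: List[Challenge] = []
    pos, n = 0, len(header)
    while pos < n:
        while pos < n and header[pos] in " \t,":      # skip separators
            pos += 1
        if pos >= n:
            break
        m = _SCHEME.match(header, pos)
        if not m:
            raise ValueError(f"malformed challenge at offset {pos}")
        scheme, pos = m.group(1), m.end()
        params: Dict[str, str] = {}
        while True:
            save = pos
            while pos < n and header[pos] in " \t,":
                pos += 1
            pm = _PARAM.match(header, pos)
            if not pm:                # next token is another scheme, or end
                pos = save
                break
            name = pm.group(1).lower()
            if pm.group(2) is not None:
                value = re.sub(r"\\(.)", r"\1", pm.group(2))  # unescape
            else:
                value = pm.group(3)
            params[name] = value
            pos = pm.end()
        challenges.append((scheme, params))
    return challenges


def advertised_schemes(header: str) -> List[str]:
    """Scheme names a client can select on without inspecting parameters."""
    return [scheme for scheme, _ in parse_challenges(header)]


def choose_challenge(header: str, supported: List[str]) -> Optional[Challenge]:
    """Pick the first challenge whose scheme name the client implements.

    This is the selection a client should be able to make by name alone;
    with the overloaded header a MAC-only client finds nothing it recognises.
    """
    by_name = {scheme.lower(): (scheme, params)
               for scheme, params in parse_challenges(header)}
    for name in supported:
        if name.lower() in by_name:
            return by_name[name.lower()]
    return None


if __name__ == "__main__":
    print("overloaded:", advertised_schemes(OVERLOADED))
    print("separated: ", advertised_schemes(SEPARATED))
    print("MAC-only client, overloaded:", choose_challenge(OVERLOADED, ["MAC"]))
    print("MAC-only client, separated: ", choose_challenge(SEPARATED, ["MAC"]))
```

With the separated header, a client that only implements request signing selects the "MAC" challenge by name, and one that only holds a bearer token selects "Token"; with the overloaded header both see a single "Token" challenge and would have to guess the intended role from the parameters, which is exactly the ambiguity the ticket describes.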