Marius,

>> For instance, why not define a SAML HTTP authentication mechanism:
>>
>> Authorization: SAML a=<base64url-encoded SAML assertion>

> This came up in another thread, but SAML assertions could be too large
> to be passed through an HTTP header. Other than that, your suggestion
> really simplifies things.

What are the limits on HTTP headers? I don't think there are any in the HTTP spec.
<http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-09#section-3.2>

A comment in the other thread said SPNEGO headers can be up to 12392 bytes and do not seem to be a problem.
<http://www.ietf.org/mail-archive/web/oauth/current/msg03359.html>

It is hard to support a POST-and-form-only method when there is an alternative that "really simplifies things" without more concrete information on what the actual HTTP limits are (& how hard it is to increase them), and what practical assertion sizes are.

--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
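As an added example (not part of the message above or of any OAuth or SAML draft), a Python sketch of the header form quoted in the thread: it base64url-encodes a constructed minimal assertion into `Authorization: SAML a=...`, parses it back, and measures the resulting line against a byte limit such as the 12392-byte SPNEGO figure mentioned above. The `SAML` scheme name and `a=` parameter come from the quoted proposal; the sample assertion and the helper names are constructed for illustration.

```python
import base64
import re

# Constructed, minimal SAML 2.0 assertion used only as sample input.
# A real assertion also carries a Signature, Conditions and statements,
# which is what pushes real sizes up.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example" Version="2.0" IssueInstant="2010-01-01T00:00:00Z">'
    "<saml:Issuer>https://idp.example.com</saml:Issuer>"
    "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
    "</saml:Assertion>"
)

SCHEME = "SAML"  # scheme name from the proposal under discussion


def b64url_encode(data: bytes) -> str:
    """base64url (RFC 4648 section 5) without '=' padding; grows input by ~4/3."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the decoder expects."""
    text += "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text)


def build_header(assertion_xml: str) -> str:
    """Produce the complete 'Authorization: SAML a=<value>' header line."""
    return f"Authorization: {SCHEME} a={b64url_encode(assertion_xml.encode('utf-8'))}"


# Only the base64url alphabet is accepted; anything else is rejected, not guessed at.
_HEADER_RE = re.compile(r"^Authorization:\s*SAML\s+a=([A-Za-z0-9_-]+)\s*$")


def parse_header(header_line: str) -> str:
    """Extract and decode the assertion; raises ValueError on a malformed header."""
    m = _HEADER_RE.match(header_line)
    if not m:
        raise ValueError("not a well-formed SAML Authorization header")
    return b64url_decode(m.group(1)).decode("utf-8")


def fits(header_line: str, limit_bytes: int) -> bool:
    """True if the header line, as sent on the wire, stays within a server's limit."""
    return len(header_line.encode("ascii")) <= limit_bytes
```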