Eran said:
> Why is a version better than a new scheme name?

YAY! Using a new scheme name if/when we aren't using a bearer token is a great idea.

Today OAuth2 only defines how to access a protected resource with a bearer token [the "Token" scheme in section 5]. Assume this is standardized soon, then in 3 years' time a MAC-based mechanism is defined. There is no way it would reuse the existing "Token" scheme by giving it totally different semantics -- in much the same way no one considered reusing the "BASIC" scheme to hold a nonce/timestamp/alg/signature. A new mechanism would simply pick its own scheme name, e.g. "MAC".

OAuth2 can easily prepare for this today by explicitly indicating which scheme a token is designed to be used with when it is issued. That is, include a "scheme" parameter in an access token response:

  {
    "access_token":"SlAV32hkKG",
    "scheme":"Token",
    "expires_in":3600,
    "refresh_token":"8xLOxBtZp8"
  }

The spec would say: "A client app MUST support the "Token" scheme"; "A client app MUST NOT use a token response if it does not support the listed scheme". [We could make "scheme":"Token" the default if absent, but I think it is better to be explicit.]

Changing the scheme name from "Token" to, say, "Bearer" would help.

I also support changing the query parameter name from "oauth_token". How about "_authz"? We want authentication/authorization to be orthogonal to the rest of the API. When we can't use the separate "Authorization" header for this purpose we need a parameter name that is somehow "orthogonal" to any params that are part of the API being protected. Starting the param name with "_" is a decent way to suggest this orthogonality to other "normal" API params. Suggestions: "_authz" or "_authz_bearer" (or "_authz_token" if the "Token" scheme is not renamed).

Eran argued that the "Token" scheme name deliberately does not include the "OAuth" label to be generic: it can hold a token obtained in any way, not necessarily using an OAuth flow. With this logic, the URI query parameter name holding a bearer token should also avoid the "OAuth" label. It is simply a URI-query variant of the HTTP "Token" scheme.

--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
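The client-side behaviour the post proposes, as an added example that is not part of the original message or of any OAuth implementation: the token response is accepted only if its "scheme" is one the client supports, and the token is then presented either in the Authorization header or in an "_authz" query parameter. The function names, the set of supported schemes and the sample response (which mirrors the JSON quoted in the post) are assumptions.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: this client implements only the HTTP "Token" scheme from the
# draft. A hypothetical future "MAC" scheme is deliberately absent, so a
# token issued for it must be refused rather than sent as a bearer token.
SUPPORTED_SCHEMES = {"Token"}

# Constructed sample response, mirroring the JSON in the post.
SAMPLE_RESPONSE = ('{"access_token":"SlAV32hkKG","scheme":"Token",'
                   '"expires_in":3600,"refresh_token":"8xLOxBtZp8"}')


class UnsupportedSchemeError(ValueError):
    """Raised when the token response names a scheme this client cannot use."""


def parse_token_response(body: str) -> dict:
    """Parse an access token response and enforce the proposed rule: a client
    MUST NOT use a response whose listed scheme it does not support.
    A missing "scheme" defaults to "Token", the option the post mentions."""
    resp = json.loads(body)
    scheme = resp.get("scheme", "Token")
    if scheme not in SUPPORTED_SCHEMES:
        raise UnsupportedSchemeError(f"token issued for unsupported scheme {scheme!r}")
    return {"access_token": resp["access_token"], "scheme": scheme,
            "expires_in": resp.get("expires_in"),
            "refresh_token": resp.get("refresh_token")}


def token_response_is_usable(body: str) -> bool:
    """Convenience predicate around parse_token_response."""
    try:
        parse_token_response(body)
        return True
    except UnsupportedSchemeError:
        return False


def authorization_header(token: dict) -> tuple:
    """Preferred transport: the scheme name from the response drives the header."""
    return ("Authorization", f"{token['scheme']} {token['access_token']}")


def add_query_token(url: str, token: dict, param: str = "_authz") -> str:
    """Fallback transport when the header cannot be used: append the token under
    a name chosen to be orthogonal to the protected API's own parameters.
    Refuses to silently overwrite a parameter the API already uses."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    if any(k == param for k, _ in query):
        raise ValueError(f"{param!r} already present in URL")
    query.append((param, token["access_token"]))
    return urlunsplit(parts._replace(query=urlencode(query)))
```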