On Sun, Jun 27, 2010 at 6:51 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> 1. Leave it as required under the definition of RFC 2617 (i.e. provide no
> help, developers will need to read 2617 and figure out what to do with it).
>
> 2. Update 2617 to remove the requirement – this is not going to be easy or
> possible to predict success.
>
> 3. Provide specific guidance as to what to do with the realm parameter.
>
> 4. Something else.

Let's do something else.

We've made great progress on simplifying the spec and unifying the
different formats to minimize the number of parsers and serializers
that are needed.  The www-authenticate header is one of the bits of
nastiness left.

Let's use a format like this:

WWW-Authenticate: OAuth2 base64(<json>)

Or even just:

WWW-Authenticate: OAuth2

Seriously.

There is some precedent for this.  The Negotiate and NTLM schemes
ditched the name="value" syntax, and they are widely implemented.
This demonstrates two things:
1) dropping the name="value" syntax won't break the internet, because
widely deployed schemes have already done it.
2) "realm" is not necessary in order to have a successful
authentication protocol.

As far as I can tell, there is no good reason for RFC 2617 to specify
the syntax it does.  It's convenient for digest auth, and kind of a
pain everywhere else.

So let's just drop it.

Cheers,
Brian
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
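To make the contrast in this message concrete, here is an added example (not code from the thread or from any OAuth implementation) that parses both shapes of challenge side by side: an RFC 2617 auth-param challenge with quoted-string values, and the proposed `OAuth2 base64(<json>)` form. The JSON keys used in the sample (`error`, `realm`) are assumptions for illustration; the message does not define the JSON contents.

```python
import base64
import json
import re

# RFC 2617 auth-param: token "=" ( token | quoted-string ), separated by commas.
# The quoted-string alternative must handle backslash-escaped characters (quoted-pair),
# which is the part that most ad hoc parsers get wrong.
_AUTH_PARAM = re.compile(
    r"""\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)"""
)

# Upper bound on the decoded JSON payload; a challenge header should be small,
# so refuse anything large before handing it to the JSON parser. (Assumed limit.)
MAX_CHALLENGE_JSON = 4096


def parse_rfc2617_challenge(header):
    """Parse a single 'Scheme name="value", name2=value2' challenge.

    Returns (scheme, {name: value}). Raises ValueError on malformed input
    or duplicate parameter names. Does not attempt to split multiple
    comma-separated challenges in one header field (the classic ambiguity).
    """
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    pos = 0
    while pos < len(rest):
        m = _AUTH_PARAM.match(rest, pos)
        if not m:
            raise ValueError("malformed auth-param at offset %d" % pos)
        name = m.group(1).lower()
        if m.group(2) is not None:
            value = re.sub(r"\\(.)", r"\1", m.group(2))  # undo quoted-pair escapes
        else:
            value = m.group(3)
        if name in params:
            raise ValueError("duplicate auth-param %r" % name)
        params[name] = value
        pos = m.end()
    return scheme, params


def serialize_oauth2_challenge(params):
    """Build the proposed 'OAuth2 base64(<json>)' challenge from a dict."""
    payload = json.dumps(params, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return "OAuth2 " + base64.b64encode(payload).decode("ascii")


def parse_oauth2_challenge(header):
    """Parse the proposed form. A bare 'OAuth2' (no parameters) yields {}.

    Anything after the scheme must be strict base64 of a JSON object;
    a 2617-style 'realm="..."' body is rejected rather than misread.
    """
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "oauth2":
        raise ValueError("not an OAuth2 challenge: %r" % scheme)
    rest = rest.strip()
    if not rest:
        return {}
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", rest):
        raise ValueError("challenge body is not base64")
    if len(rest) > MAX_CHALLENGE_JSON:
        raise ValueError("challenge body too large")
    try:
        decoded = base64.b64decode(rest, validate=True).decode("utf-8")
        params = json.loads(decoded)
    except ValueError as exc:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        raise ValueError("invalid challenge payload: %s" % exc)
    if not isinstance(params, dict):
        raise ValueError("challenge JSON must be an object")
    return params


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    legacy = 'OAuth2 realm="example", error="invalid_token", error_description="Token \\"abc\\" expired"'
    print(parse_rfc2617_challenge(legacy))
    proposed = serialize_oauth2_challenge({"realm": "example", "error": "invalid_token"})
    print(proposed)
    print(parse_oauth2_challenge(proposed))
    print(parse_oauth2_challenge("OAuth2"))
```

The point the example makes is the one Brian is arguing: the 2617 grammar forces every client to carry a quoted-string parser with escape handling and still leaves the multi-challenge split ambiguous, while the base64/JSON form needs only the two parsers the rest of the spec already requires, and an empty challenge is trivially valid.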