You mean the syntax used by most HTTP headers? There is clearly a need for adding extensions.

EHL

On Jul 11, 2010, at 2:55, Brian Eaton <bea...@google.com> wrote:

> On Sun, Jun 27, 2010 at 6:51 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
>> 1. Leave it as required under the definition of RFC 2617 (i.e. provide no
>> help, developers will need to read 2617 and figure out what to do with it).
>>
>> 2. Update 2617 to remove the requirement – this is not going to be easy or
>> possible to predict success.
>>
>> 3. Provide specific guidance as to what to do with the realm parameter.
>>
>> 4. Something else.
>
> Let's do something else.
>
> We've made great progress on simplifying the spec and unifying the
> different formats to minimize the number of parsers and serializers
> that are needed. The www-authenticate header is one of the bits of
> nastiness left.
>
> Let's use a format like this:
>
> WWW-Authenticate: OAuth2 base64(<json>)
>
> Or even just:
>
> WWW-Authenticate: OAuth2
>
> Seriously.
>
> There is some precedent for this. The Negotiate and NTLM schemes
> ditched the name="value" syntax, and they are widely implemented.
> This demonstrates two things:
> 1) dropping the name="value" syntax won't break the internet, because
> widely deployed schemes have already done it.
> 2) "realm" is not necessary in order to have a successful
> authentication protocol.
>
> As far as I can tell, there is no good reason for RFC 2617 to specify
> the syntax it does. It's convenient for digest auth, and kind of a
> pain everywhere else.
>
> So let's just drop it.
>
> Cheers,
> Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
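
For comparison, the two challenge formats discussed in this thread, parsed side by side. This is an added example, not code from either poster or from the OAuth drafts; the sample header, its `error` parameter and the function names are constructed for illustration.

```python
import base64
import json
import re

# One auth-param in the RFC 2617 style: name = token | quoted-string,
# followed by a comma or the end of the header value.
_AUTH_PARAM = re.compile(
    r'\s*([^\s=,"]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)'
)

def parse_params_challenge(value):
    """Parse 'Scheme name="value", name=value' into (scheme, params)."""
    scheme, _, rest = value.strip().partition(" ")
    params, pos = {}, 0
    while pos < len(rest):
        m = _AUTH_PARAM.match(rest, pos)
        if not m:
            # Reject rather than guess: unterminated quotes, stray commas, etc.
            raise ValueError("malformed auth-param at offset %d" % pos)
        name, quoted, token = m.groups()
        if quoted is not None:
            # Undo quoted-pair escaping (\" and \\) inside quoted-string values.
            params[name.lower()] = re.sub(r"\\(.)", r"\1", quoted)
        else:
            params[name.lower()] = token
        pos = m.end()
    return scheme, params

def parse_blob_challenge(value):
    """Parse 'Scheme base64(<json>)', the format proposed in the quoted message."""
    scheme, _, blob = value.strip().partition(" ")
    if not blob:
        return scheme, {}  # bare "WWW-Authenticate: OAuth2"
    # validate=True refuses non-alphabet characters instead of skipping them.
    data = json.loads(base64.b64decode(blob, validate=True))
    if not isinstance(data, dict):
        raise ValueError("challenge payload must be a JSON object")
    return scheme, data

# Constructed sample: a realm containing a comma and escaped quotes, the case
# a naive split(",") parser gets wrong.
SAMPLE = 'OAuth2 realm="photos, \\"beta\\"", error=expired_token'

if __name__ == "__main__":
    scheme, params = parse_params_challenge(SAMPLE)
    blob = base64.b64encode(json.dumps(params).encode()).decode()
    print(scheme, params)
    print(parse_blob_challenge(scheme + " " + blob))
```

The name="value" parser has to handle quoting and escaping itself, while the base64 form hands that work to existing base64 and JSON decoders.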