> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Eaton
> Sent: Saturday, July 10, 2010 11:56 PM
> To: Eran Hammer-Lahav
> Cc: OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] What to do about 'realm'
>
> On Sun, Jun 27, 2010 at 6:51 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> > 1. Leave it as required under the definition of RFC 2617 (i.e. provide
> > no help, developers will need to read 2617 and figure out what to do with it).
> >
> > 2. Update 2617 to remove the requirement - this is not going to be
> > easy or possible to predict success.
> >
> > 3. Provide specific guidance as to what to do with the realm parameter.
> >
> > 4. Something else.
>
> Let's do something else.
>
> We've made great progress on simplifying the spec and unifying the
> different formats to minimize the number of parsers and serializers
> that are needed. The www-authenticate header is one of the bits of
> nastiness left.
>
> Let's use a format like this:
>
>   WWW-Authenticate: OAuth2 base64(<json>)

This will work for me in the SASL stuff for discovery information. JSON as a name/value construct works as well as anything else.

> Or even just:
>
>   WWW-Authenticate: OAuth2

This won't really, and I'll have to stuff the discovery information somewhere else. I don't care what the real specifics of this are as long as it's extensible.

> Seriously.
>
> There is some precedent for this. The Negotiate and NTLM schemes
> ditched the name="value" syntax, and they are widely implemented.
> This demonstrates two things:
> 1) dropping the name="value" syntax won't break the internet,
>    because widely deployed schemes have already done it.
> 2) "realm" is not necessary in order to have a successful
>    authentication protocol.
>
> As far as I can tell, there is no good reason for RFC 2617 to
> specify the syntax it does. It's convenient for digest auth,
> and kind of a pain everywhere else.
>
> So let's just drop it.
>
> Cheers,
> Brian
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
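
The challenge forms discussed in this thread (RFC 2617 name="value" parameters, the proposed `OAuth2 base64(<json>)` blob, and the bare scheme) handled by one client-side parser. This is an added example, not code from the thread or from any OAuth draft; the size cap, the JSON-object requirement, the duplicate-parameter check and the sample field names are assumptions.

```python
import base64
import binascii
import json
import re

MAX_BLOB = 4096  # assumed cap on the encoded challenge size
# auth-param per RFC 2617: token "=" ( token | quoted-string )
_PARAM = re.compile(r'\s*([A-Za-z0-9_.-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')

def parse_2617_params(rest):
    """Parse name="value" auth-params; reject anything left unparsed."""
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            raise ValueError("malformed auth-param at offset %d" % pos)
        name = m.group(1).lower()
        if name in params:
            raise ValueError("duplicate auth-param: " + name)
        quoted = m.group(2)
        params[name] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else m.group(3)
        pos = m.end()
    return params

def parse_json_blob(blob):
    """Decode the proposed base64(<json>) form; only a JSON object is accepted."""
    if len(blob) > MAX_BLOB:
        raise ValueError("challenge too large")
    try:
        data = json.loads(base64.b64decode(blob, validate=True))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("bad base64/JSON challenge") from exc
    if not isinstance(data, dict):
        raise ValueError("challenge must be a JSON object")
    return data

def parse_challenge(header_value):
    """Return (scheme, params) for one WWW-Authenticate challenge."""
    scheme, _, rest = header_value.strip().partition(" ")
    rest = rest.strip()
    if not rest:                     # bare "OAuth2": no parameters at all
        return scheme, {}
    if "=" in rest.rstrip("="):      # '=' other than trailing base64 padding
        return scheme, parse_2617_params(rest)
    return scheme, parse_json_blob(rest)

# Constructed sample: discovery information carried in the JSON form.
SAMPLE = "OAuth2 " + base64.b64encode(b'{"discovery": "https://as.example/meta"}').decode()
```

The bare `OAuth2` challenge parses to an empty parameter set, which is why discovery information would have to travel somewhere else in that variant.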