Eran,

> How would you suggest we define a general purpose www-authenticate
> header that does not have a matching request header?

Why would that be a problem? We define what a "WWW-Authenticate: OAuth2 ..." response header means, but don't define any meaning for an "Authorization: OAuth2 ..." request header. No other scheme should define a meaning for "Authorization: OAuth2 ...". Consequently, the bearer token spec needs to choose a different scheme name (e.g. "BEARER" or "TOKEN" or "EXTERNAL") so it can define request & response headers.

There is even some precedent for this. draft-broyer-http-cookie-auth defines "WWW-Authenticate: COOKIE ...", without any matching request header. I think there have also been ideas to define something like "WWW-Authenticate: TLS ..." to indicate when authentication at a lower layer (TLS, IPsec) is required. Again there was no matching "Authorization: TLS ..." header.

--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
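The message above turns on the distinction between the scheme name a server announces in a WWW-Authenticate challenge and the scheme name a client puts in its Authorization request header. The following is an added example, not code from the thread or from any IETF draft: it parses a WWW-Authenticate value into its challenges (a subset of the RFC 7235 grammar: auth-scheme followed by comma-separated auth-params; the bare token68 form is not handled) and then decides which Authorization header, if any, a client can answer with. The table CHALLENGE_TO_REQUEST_SCHEME is an assumption for illustration: it maps a challenge scheme to the request scheme that answers it, and gives an "OAuth2" challenge a "Bearer" answer and a "Cookie" challenge no Authorization answer at all, which is the situation the message describes. All header values in it are constructed samples.

```python
import re

# RFC 7235/7230 token characters; scheme and parameter names are case-insensitive.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# quoted-string with backslash escapes
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_www_authenticate(value):
    """Parse a WWW-Authenticate value into a list of (scheme, params) tuples.

    Several challenges may share one header, and both challenges and their
    auth-params are separated by commas, so a token is treated as a parameter
    name only when it is followed by '='; otherwise it starts a new challenge.
    """
    challenges = []
    i, n = 0, len(value)
    while i < n:
        while i < n and value[i] in " \t,":      # skip whitespace and separators
            i += 1
        if i >= n:
            break
        m = _TOKEN.match(value, i)
        if not m:
            raise ValueError(f"unexpected character at offset {i}: {value[i]!r}")
        tok, i = m.group(0), m.end()

        j = i                                     # look ahead for '='
        while j < n and value[j] in " \t":
            j += 1
        if j < n and value[j] == "=":
            if not challenges:
                raise ValueError("auth-param before any auth-scheme")
            k = j + 1
            while k < n and value[k] in " \t":
                k += 1
            qm = _QUOTED.match(value, k)
            if qm:                                # quoted-string value, unescape \x
                val, i = re.sub(r"\\(.)", r"\1", qm.group(1)), qm.end()
            else:                                 # bare token value
                tm = _TOKEN.match(value, k)
                if not tm:
                    raise ValueError(f"missing value for parameter {tok!r}")
                val, i = tm.group(0), tm.end()
            challenges[-1][1][tok.lower()] = val
        else:
            challenges.append((tok.lower(), {}))  # a new challenge begins
    return challenges


# Assumed mapping (illustration only): which Authorization scheme answers a
# given WWW-Authenticate scheme. None means the challenge has no matching
# Authorization request header, as with the draft-broyer "Cookie" challenge.
CHALLENGE_TO_REQUEST_SCHEME = {
    "basic": "Basic",
    "bearer": "Bearer",   # RFC 6750: same name in challenge and request
    "oauth2": "Bearer",   # assumed: a general OAuth2 challenge answered with a bearer credential
    "cookie": None,       # answered via the Cookie header, not Authorization
}


def choose_authorization(header_value, credentials):
    """Return the Authorization value to send for the first answerable challenge.

    credentials maps a request scheme name (e.g. "Bearer") to its credential
    string. Returns None when no challenge can be answered with Authorization.
    """
    for scheme, _params in parse_www_authenticate(header_value):
        req_scheme = CHALLENGE_TO_REQUEST_SCHEME.get(scheme)
        if req_scheme is not None and req_scheme in credentials:
            return f"{req_scheme} {credentials[req_scheme]}"
    return None


if __name__ == "__main__":
    # constructed sample server challenges and client credentials
    creds = {"Bearer": "tok123"}
    for hdr in ('OAuth2 realm="api"',
                'Cookie realm="login", Bearer realm="api", error="invalid_token"',
                'Cookie realm="login"'):
        print(f"{hdr!r} -> {parse_www_authenticate(hdr)} -> {choose_authorization(hdr, creds)!r}")
```

Note that the decision is driven entirely by the scheme name: if the bearer spec reused "OAuth2" as its request scheme, the table would need an "oauth2" request entry too, and the two headers would no longer be independent, which is the objection the message raises.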