I have no objection to this if it passes the smell test by some HTTP experts. I'll ask.

EHL

> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Manger, James H
> Sent: Thursday, October 14, 2010 10:10 PM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Call for Consensus on Document Split
>
> Eran,
>
> > How would you suggest we define a general purpose www-authenticate
> > header that does not have a matching request header?
>
> Why would that be a problem?
> We define what a "WWW-Authenticate: OAuth2 ..." response header
> means, but don't define any meaning for an "Authorization: OAuth2 ..."
> request header.
> No other scheme should define a meaning for "Authorization: OAuth2 ...".
> Consequently, the bearer token spec needs to choose a different scheme
> name (eg "BEARER" or "TOKEN" or "EXTERNAL") so it can define request &
> response headers.
>
> There is even some precedent for this. draft-broyer-http-cookie-auth
> defines "WWW-Authenticate: COOKIE ...", without any matching request
> header.
> I think there have also been ideas to define something like
> "WWW-Authenticate: TLS ..." to indicate when authentication at a lower layer
> (TLS, IPsec) is required. Again there was no matching "Authorization: TLS ..."
> header.
>
> --
> James Manger
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth