Over the past year we had consensus that the WWW-Authenticate header field 'realm' parameter is both poorly defined and useless in OAuth. Realm does not provide a useful mechanism for the complexity of OAuth tokens and the relationship between the protected resource and authorization server.
RFC 2617 language is cryptic at best with regard to when 'realm' is required. HTTPbis has an open issue (#177 [1]) for deciding what to do with 'realm'.

Since 'realm' does not provide value for OAuth, and is only adding noise and confusion, I am removing it from -11. I'm passing the ball to the HTTPbis WG to figure out how to deal with it.

My schedule has been very busy over the past few months and I was unable to complete -11 as planned. I will be publishing -11 this week no matter what shape the draft is in as it now includes many normative changes collected over the past few months.

EHL

[1] http://trac.tools.ietf.org/wg/httpbis/trac/ticket/177