> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Manger, James H
> Sent: Thursday, December 02, 2010 7:59 PM

> > What does scheme=basic mean [in a token response]?
>
> It means this token response contains credentials that can be used with the
> HTTP BASIC authentication scheme. Don't try to use the credentials with any
> other scheme. The access_token value would be used as the user-id, and the
> token_secret value as the password.

But that has the same security properties as bearer.

> > I think tying type and scheme together is less intuitive than letting
> > the type definition provide the right scheme(s).
>
> Keeping them separate offers an additional degree of indirection.
> Indirection is sometimes useful, but I don't think it adds any value here.
> It just means we need another registry (of token_types, with associated
> procedures); and we need an extra spec for each authentication mechanism
> to define the linkage to OAuth2.

Yeah. But I'm not expecting a flood. We'll have a handful and probably 2 will survive the deployment test. OAuth 1.0a had three signature methods and only one really got any significant traction.

> A lot of authentication mechanisms take similar inputs (an id and a secret) so
> they shouldn't each need a separate spec to define their binding to OAuth2.

I don't see a way around it. OAuth returns tokens using form-encoded URI and JSON body replies. If your token is not self-describing, you need extra parameters so binding is required anyway.

> > I am using 'MAC' for my draft.
>
> As the token_type? As the HTTP authentication scheme? I hope both.

In my case both, but I don't care about it as a generic HTTP authentication scheme. It can be used that way but it is defined in clear OAuth context.

> > But it's still an OAuth2 extension, not a completely generic HTTP scheme.
>
> I guess it is an OAuth2 extension in as much as it defines how to get MAC
> credentials from an OAuth2 token response: check token_type=MAC;
> access_token is the id; token_secret is the MAC key; mac_algorithm is the
> MAC algorithm.
>
> > It can be used independent of OAuth2 if you somehow got a token,
> > secret, and mac algorithm name.
>
> Hopefully you define a "WWW-Authenticate: MAC ..." response header that
> can list acceptable MAC algorithms.

Nope. You are told what to use when you are issued the token. That's as far as my requirements go (and this spec is based directly on my current project).

EHL

> I think an OAuth2 token response for a MAC scheme should contain the
> same information as the WWW-Authenticate response header for the MAC
> scheme, plus the credentials to use (id & secret) and the OAuth2-specific
> lifetime management bits (eg how/when to refresh). We should explicitly
> define (in core) how to put a WWW-Authenticate header into a token
> response.
>
> --
> James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
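The binding the thread argues over, with token_type selecting the scheme (basic: access_token as user-id and token_secret as password; MAC: access_token as id, token_secret as key, mac_algorithm naming the MAC), as an added Python example that is not code from the list thread or from either author's draft. It also shows the point behind "same security properties as bearer": a Basic header carries the secret itself, whereas a MAC header carries only a proof computed from it, so the server can verify possession without the secret crossing the wire. The token responses are constructed samples, and the MAC normalized request string, the header parameter names and the mac_algorithm values are assumptions made for illustration, not the draft's wire format.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlsplit

# Assumed mapping of mac_algorithm names to hash functions (not the draft's registry).
MAC_ALGORITHMS = {"hmac-sha-1": hashlib.sha1, "hmac-sha-256": hashlib.sha256}

# Constructed sample token responses, as an OAuth2 server might return them.
BASIC_RESPONSE = '{"access_token":"u1234","token_secret":"s3cr3t","token_type":"basic"}'
MAC_RESPONSE = ('{"access_token":"k1234","token_secret":"s3cr3t",'
                '"token_type":"MAC","mac_algorithm":"hmac-sha-256"}')


def parse_token_response(body):
    """Turn a token response into scheme-specific credentials, keyed on token_type.

    token_type is what makes the response self-describing: it tells the client which
    scheme to use and which extra parameters (here mac_algorithm) it must look for.
    """
    resp = json.loads(body)
    token_type = resp.get("token_type", "").lower()
    if token_type == "basic":
        return {"scheme": "basic", "user_id": resp["access_token"],
                "password": resp["token_secret"]}
    if token_type == "mac":
        alg = resp.get("mac_algorithm")
        if alg not in MAC_ALGORITHMS:
            raise ValueError("unsupported or missing mac_algorithm: %r" % alg)
        return {"scheme": "mac", "id": resp["access_token"],
                "key": resp["token_secret"], "algorithm": alg}
    raise ValueError("unknown token_type: %r" % token_type)


def _normalized_request(ts, nonce, method, url):
    """Assumed normalized-string layout: ts, nonce, method, path?query, host, port."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    target = p.path + ("?" + p.query if p.query else "")
    return "\n".join([str(ts), nonce, method.upper(), target, p.hostname, str(port)]) + "\n"


def basic_authorization(creds):
    """Basic sends the secret itself; on the wire it is no stronger than a bearer token."""
    raw = ("%s:%s" % (creds["user_id"], creds["password"])).encode()
    return "Basic " + base64.b64encode(raw).decode()


def mac_authorization(creds, method, url, ts=None, nonce=None):
    """MAC sends a proof over the request; the key never leaves the client."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = _normalized_request(ts, nonce, method, url).encode()
    digest = hmac.new(creds["key"].encode(), msg, MAC_ALGORITHMS[creds["algorithm"]]).digest()
    mac = base64.b64encode(digest).decode()
    return 'MAC id="%s", ts="%d", nonce="%s", mac="%s"' % (creds["id"], ts, nonce, mac)


def _parse_mac_params(header):
    if not header.startswith("MAC "):
        raise ValueError("not a MAC Authorization header")
    params = {}
    for part in header[4:].split(", "):
        name, value = part.split("=", 1)
        params[name] = value.strip('"')
    return params


def verify_mac(header, method, url, key_lookup, now, max_skew=300):
    """Server side: look the key up by id, reject stale timestamps, recompute and
    compare in constant time. key_lookup(id) returns (key, algorithm)."""
    params = _parse_mac_params(header)
    key, alg = key_lookup(params["id"])
    if abs(now - int(params["ts"])) > max_skew:
        return False
    msg = _normalized_request(params["ts"], params["nonce"], method, url).encode()
    expected = base64.b64encode(hmac.new(key.encode(), msg, MAC_ALGORITHMS[alg]).digest()).decode()
    return hmac.compare_digest(expected, params["mac"])


def secret_appears_on_wire(header, secret):
    """True when the raw token_secret can be read straight out of the header."""
    if header.startswith("Basic "):
        return secret in base64.b64decode(header[6:]).decode()
    return secret in header
```

A real deployment would also track nonces per id within the skew window so a captured MAC header cannot be replayed; that bookkeeping is left out here to keep the two-scheme comparison in view.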