>> - Authentication schemes
>>
>> You propose to use the authentication scheme name "OAuth2" for the
>> WWW-Authenticate header but another scheme name "MAC" for the
>> authorization header. I've never seen such an asymmetric approach before.
>> Don't you think people get confused about that?
> This was proposed by James Manger and discussed earlier on the list. I'll let
> James explain it.

The MAC draft doesn't bother to define a "WWW-Authenticate: MAC ..." response header because Eran is only interested in using MAC in conjunction with OAuth2.

The server can say (in response to an unauthenticated request): "you can use OAuth flows to be delegated access to this server". It says this with a "WWW-Authenticate: OAuth2" response. This statement is not specific to MAC.

I think the MAC scheme should define its own "WWW-Authenticate: MAC ..." response header. It might not be used by systems using OAuth2, but it makes MAC a more complete standalone HTTP authentication mechanism.

>> Moreover, the bearer draft
>> also uses the name "OAuth2" in the authorization header. Why this
>> difference? Why don't you just add some parameters to the "OAuth2"
>> scheme?

The bearer draft should change to use its own scheme name (e.g. "BEARER") in Authorization request headers.

--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
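The asymmetry the thread is arguing about, shown as a simulated 401 round trip. This is an added example written for this page; it is not code from the MAC or bearer drafts or from anyone on the list. The challenge strings, realm names and credential values are constructed placeholders (the MAC parameters are not computed per the MAC draft), and a generic HTTP client is assumed to select credentials by matching the challenged scheme name, as RFC 2617-style clients do.

```python
import re
from typing import Dict, List, Optional, Tuple

Challenge = Tuple[str, Dict[str, str]]

# One lexeme of a WWW-Authenticate value: an HTTP token, optionally followed
# by "=" and a quoted-string or token value. A match with no value is a
# scheme name that opens a new challenge.
_LEXEME = re.compile(
    r"""([!#$%&'*+\-.^_`|~0-9A-Za-z]+)"""
    r'(?:\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,"]+))?'
)


def parse_www_authenticate(header: str) -> List[Challenge]:
    """Split a WWW-Authenticate value into (scheme, params) pairs.

    Handles several comma-separated challenges and quoted parameter values
    that themselves contain commas. Parameter names are lower-cased; scheme
    names are returned as sent and compared case-insensitively by the caller.
    """
    challenges: List[Challenge] = []
    for name, value in _LEXEME.findall(header):
        if value == "":
            challenges.append((name, {}))
        elif challenges:
            if value.startswith('"'):
                value = re.sub(r"\\(.)", r"\1", value[1:-1])  # unescape quoted-string
            challenges[-1][1][name.lower()] = value
        # A parameter before any scheme name is malformed and is dropped.
    return challenges


def build_authorization(challenges: List[Challenge],
                        credentials: Dict[str, str]) -> Optional[str]:
    """Answer the first challenge whose scheme the client holds credentials for.

    `credentials` maps a lower-cased scheme name to the serialised credential
    (the Authorization value after the scheme). Returns None when no challenged
    scheme matches: the situation a scheme-driven client is in when the server
    advertises "OAuth2" but the client can only produce "MAC" or "Bearer"
    credentials.
    """
    for scheme, _params in challenges:
        cred = credentials.get(scheme.lower())
        if cred is not None:
            return f"{scheme} {cred}"
    return None


# Constructed sample credentials (assumption: placeholder values only; the
# MAC parameters are not computed per the MAC draft).
CREDENTIALS = {
    "mac": 'id="h480djs93hd8", nonce="264095:dj83hs9s", mac="SLDJd4mg43cjQfElUs3Qub4L6xE="',
    "bearer": "vF9dft4qmT",
}

# Constructed 401 challenges: the asymmetric form being questioned, and the
# form in which each scheme advertises itself under its own name.
ASYMMETRIC_CHALLENGE = 'OAuth2 realm="api.example.com"'
SYMMETRIC_CHALLENGE = 'MAC realm="api.example.com", Bearer realm="api.example.com"'


def exchange(challenge: str) -> Optional[str]:
    """Simulate the round trip: 401 challenge in, Authorization value out."""
    return build_authorization(parse_www_authenticate(challenge), CREDENTIALS)


if __name__ == "__main__":
    for label, hdr in (("asymmetric", ASYMMETRIC_CHALLENGE),
                       ("symmetric", SYMMETRIC_CHALLENGE)):
        print(f"{label:10} WWW-Authenticate: {hdr}")
        print(f"{'':10} Authorization:    {exchange(hdr)}")
```

With the asymmetric challenge the client has nothing to match against and gives up; with a per-scheme challenge it answers with the MAC credential it holds. A client can of course be special-cased to know that "OAuth2" in a challenge means "send MAC or Bearer", but that knowledge lives outside the HTTP authentication framework, which is the standalone-mechanism point made above.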