Hi all,
I'm currently thinking about the integration of existing HTTP
authentication schemes with OAuth 2.0 for the purpose of end-user
authentication on the tokens endpoint. Possible candidates are "Digest"
for challenge-response-based username/password authentication and
"Spnego" for Kerberos-based authentication. Direct support for both
could be beneficial in enterprise and other security-sensitive
deployments.
A direct integration with the tokens endpoint would allow leveraging
existing implementations and infrastructure for OAuth/HTTP-based
architectures. For example, HTTPClient has direct support for
Spnego-Authentication.
Both HTTP authentication schemes use dedicated WWW-Authenticate and
Authorization headers for passing credentials and other data between
client and server. OAuth, in contrast, uses grant types to indicate the
authentication method; credentials are passed as URI query parameters,
and it lacks any discovery of available authentication methods/grant
types.
How could one integrate existing schemes into that design? What is our
story? Do we need to define a special grant type "HTTP authorization"?
Shall Authorization headers overrule URI parameters?
Any ideas of the WG are highly appreciated.
regards,
Torsten.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
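As an added illustration of the question raised above (example code written for this page, not code from the poster, the OAuth WG or any OAuth draft): a simulated tokens endpoint that accepts the ordinary password grant with credentials in the request parameters, and also a hypothetical "HTTP authorization" grant where the endpoint answers with a Digest WWW-Authenticate challenge and reads the credentials from the client's Authorization header instead. The grant type name `urn:x-example:http-authorization`, the realm, the `/token` path and the demo user are assumptions made up for the example; the Digest computation follows RFC 2617 with qop=auth. The server keeps only HA1 (MD5 of `username:realm:password`) and treats each nonce as single use, so the replay of a captured Authorization header in the demo is rejected.

```python
"""Added example: Digest challenge-response at an OAuth 2.0 tokens endpoint.

Constructed for illustration; the grant type URN, realm and user store are
assumptions, not anything defined by the OAuth WG.
"""
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode

REALM = "token-endpoint.example"                       # constructed realm
TOKEN_URI = "/token"                                   # assumed endpoint path
HTTP_AUTH_GRANT = "urn:x-example:http-authorization"   # HYPOTHETICAL grant type


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


# Server-side store holds HA1 = MD5(username:realm:password), never the password.
USERS = {"alice": _md5("alice:%s:correct horse" % REALM)}   # constructed demo user

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest(header):
    """Parse the parameters of a Digest WWW-Authenticate or Authorization header."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header: %r" % scheme)
    out = {}
    for m in _PARAM_RE.finditer(params):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def issue_challenge(issued_nonces, nonce=None):
    """Server side: mint a nonce, remember it, and build the WWW-Authenticate value."""
    nonce = nonce or secrets.token_hex(16)
    issued_nonces.add(nonce)
    return 'Digest realm="%s", qop="auth", nonce="%s", algorithm=MD5' % (REALM, nonce)


def client_authorization(username, password, nonce, method="POST", uri=TOKEN_URI,
                         cnonce=None, nc="00000001"):
    """Client side: compute the qop=auth Digest response and build the Authorization value."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = _md5("%s:%s:%s" % (username, REALM, password))
    ha2 = _md5("%s:%s" % (method, uri))
    response = _md5("%s:%s:%s:%s:auth:%s" % (ha1, nonce, nc, cnonce, ha2))
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, '
            'nc=%s, cnonce="%s", response="%s"'
            % (username, REALM, nonce, uri, nc, cnonce, response))


def verify_digest(header, method, request_uri, issued_nonces):
    """Server side: recompute the response from stored HA1; return username or None.
    Rejects unknown or replayed nonces and a uri that differs from the real request."""
    p = parse_digest(header)
    required = ("username", "nonce", "uri", "nc", "cnonce", "qop", "response")
    if any(k not in p for k in required) or p["qop"] != "auth":
        return None
    if p["nonce"] not in issued_nonces or p["uri"] != request_uri:
        return None
    ha1 = USERS.get(p["username"])
    if ha1 is None:
        return None
    ha2 = _md5("%s:%s" % (method, request_uri))
    expected = _md5("%s:%s:%s:%s:auth:%s" % (ha1, p["nonce"], p["nc"], p["cnonce"], ha2))
    if not hmac.compare_digest(expected, p["response"]):
        return None
    issued_nonces.discard(p["nonce"])   # single use: a replayed header fails
    return p["username"]


def token_endpoint(headers, body, issued_nonces, nonce=None):
    """Simulated POST /token. Returns (status, response_headers, json_payload)."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    grant = form.get("grant_type")
    token = {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}
    if grant == "password":
        # Standard resource owner password grant: credentials travel as parameters.
        user, pw = form.get("username", ""), form.get("password", "")
        if hmac.compare_digest(_md5("%s:%s:%s" % (user, REALM, pw)), USERS.get(user, "")):
            return 200, {}, token
        return 400, {}, {"error": "invalid_grant"}
    if grant == HTTP_AUTH_GRANT:
        # Hypothetical grant: credentials travel in the Authorization header instead.
        auth = headers.get("Authorization")
        if auth is None or verify_digest(auth, "POST", TOKEN_URI, issued_nonces) is None:
            challenge = issue_challenge(issued_nonces, nonce)
            return 401, {"WWW-Authenticate": challenge}, {"error": "invalid_grant"}
        return 200, {}, token
    return 400, {}, {"error": "unsupported_grant_type"}


def demo(nonce="0123456789abcdef0123456789abcdef", cnonce="0a1b2c3d"):
    """Full exchange: request without header (401 + challenge), Digest answer (200),
    then the same Authorization header replayed (401). Returns (statuses, payload)."""
    issued = set()
    body = urlencode({"grant_type": HTTP_AUTH_GRANT})
    s1, h1, _ = token_endpoint({}, body, issued, nonce=nonce)
    challenge = parse_digest(h1["WWW-Authenticate"])
    auth = client_authorization("alice", "correct horse", challenge["nonce"], cnonce=cnonce)
    s2, _, payload = token_endpoint({"Authorization": auth}, body, issued)
    s3, _, _ = token_endpoint({"Authorization": auth}, body, issued)   # replay attempt
    return [s1, s2, s3], payload


if __name__ == "__main__":
    print(demo())
```

The point the example makes about the two designs: with the password grant the endpoint has everything in one round trip, while the header-based grant needs the 401/WWW-Authenticate round trip that HTTP clients with built-in Digest or SPNEGO support already know how to drive, which is exactly what makes the existing client implementations reusable. Digest with MD5 is shown because the post names it; it is a weak scheme by today's standards and the example is about the header plumbing, not an endorsement.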