On Tue, Jan 25, 2011 at 9:59 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> Simply because authentication is not what OAuth is about.
>
> OAuth is an authorization protocol for issuing access tokens. Access tokens 
> can have different properties and therefore need different schemes. I was the 
> first to suggest a scheme with sub-schemes but that idea was strongly 
> rejected (over a year ago). Since then I came to the same conclusion that the 
> proper way is to define separate authentication schemes. It is also how most 
> HTTP authentication frameworks operate.
>
> One benefit to this approach is that HTTP authentication already covers the 
> discovery of which schemes are supported by the resource server, as well as 
> allowing token schemes to be used independently from OAuth, something the 2-legged 
> OAuth 1.0 has shown has great value. Also, it keeps the protocol modular 
> which enables providers to tailor it to their security needs.
>
> OAuth 2.0 is authentication agnostic and must remain so. It is an 
> authorization protocol and as such has no business defining authentication 
> mechanisms.
>
> For this reason, I object to using the OAuth2 scheme name with the bearer 
> token scheme. It's a "trademark" issue.

I can definitely see your point, but look at the end result. OAuth is
useless with an authentication mechanism so now a bunch of similar
authentication mechanisms are reinvented in related specifications.
All geared to work with OAuth 2, none of them really trying to define
something generic.


Marius
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
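The discovery mechanism Eran refers to (the resource server advertising the authentication schemes it supports) is the WWW-Authenticate challenge list of a 401 response. The following is an added illustration, not code from the thread: a simplified RFC 7235 challenge parser plus a client-side selection step. The sample header value and the scheme names it contains are constructed for the example.

```python
"""Parse a WWW-Authenticate challenge list and pick a scheme the client supports."""
from __future__ import annotations

import re

_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
# scheme name at the current position, optionally preceded by a separating comma
_SCHEME = re.compile(rf"\s*,?\s*({_TOKEN})")
# one auth-param: name "=" token / quoted-string, with an optional leading comma
_PARAM = re.compile(rf'\s*,?\s*({_TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{_TOKEN})')


def _unquote(value: str) -> str:
    """Strip quotes and backslash escapes from a quoted-string; pass tokens through."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenges(header: str) -> list[tuple[str, dict[str, str]]]:
    """Split a WWW-Authenticate value into ordered (scheme, params) challenges.

    Scheme and parameter names are case-insensitive and returned lower-cased.
    token68 challenges (e.g. 'Negotiate <blob>') are not handled by this
    simplified grammar.
    """
    challenges = []
    pos = 0
    while header[pos:].strip(" ,"):  # ignore trailing whitespace or commas
        m = _SCHEME.match(header, pos)
        if not m:
            raise ValueError(f"malformed challenge list at offset {pos}: {header!r}")
        scheme, pos = m.group(1).lower(), m.end()
        params: dict[str, str] = {}
        # a following scheme name never matches _PARAM because it is not
        # followed by '=', which is what delimits one challenge from the next
        while (m := _PARAM.match(header, pos)):
            params[m.group(1).lower()] = _unquote(m.group(2))
            pos = m.end()
        challenges.append((scheme, params))
    return challenges


def select_scheme(header: str, supported: set[str]):
    """Return the first server-offered challenge whose scheme the client implements."""
    for scheme, params in parse_challenges(header):
        if scheme in supported:
            return scheme, params
    return None  # no common scheme: the client cannot authenticate to this resource


if __name__ == "__main__":
    # constructed sample: a resource server offering two token schemes
    hdr = 'Bearer realm="api.example", scope="read", MAC realm="api.example"'
    print(select_scheme(hdr, {"mac"}))
```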
