MAC is clearly trying to define something generic and includes an OAuth 
binding. I think the bearer token is the exception of something completely 
useless outside of OAuth, but that doesn't mean its uselessness should promote 
it to the canonical authentication scheme, all of which was already dealt with 
when we split it out.

EHL

> -----Original Message-----
> From: Marius Scurtescu [mailto:mscurte...@google.com]
> Sent: Wednesday, January 26, 2011 1:23 PM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Bear token scheme name
> 
> On Tue, Jan 25, 2011 at 9:59 PM, Eran Hammer-Lahav
> <e...@hueniverse.com> wrote:
> > Simply because authentication is not what OAuth is about.
> >
> > OAuth is an authorization protocol for issuing access tokens. Access tokens
> > can have different properties and therefore need different schemes. I was
> > the first to suggest a scheme with sub-schemes but that idea was strongly
> > rejected (over a year ago). Since then I came to the same conclusion that the
> > proper way is to define separate authentication schemes. It is also how most
> > HTTP authentication frameworks operate.
> >
> > One benefit to this approach is that HTTP authentication already covers the
> > discovery of which schemes are supported by the resource server, as well as
> > token schemes can be used independently from OAuth, something the 2-legged
> > OAuth 1.0 has shown has great value. Also, it keeps the protocol
> > modular which enables providers to tailor it to their security needs.
> >
> > OAuth 2.0 is authentication agnostic and must remain so. It is an
> > authorization protocol and as such has no business defining authentication
> > mechanisms.
> >
> > For this reason, I object to using the OAuth2 scheme name with the bearer
> > token scheme. It's a "trademark" issue.
> 
> I can definitely see your point, but look at the end result. OAuth is useless
> with an authentication mechanism so now a bunch of similar authentication
> mechanisms are reinvented in related specifications.
> All geared to work with OAuth 2, none of them really trying to define
> something generic.
> 
> 
> Marius
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
