I have removed the extension of the OAuth Parameters registry in draft-ietf-oauth-v2-bearer-04, per your feedback, Peter.

-- Mike

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Peter Saint-Andre
Sent: Saturday, March 26, 2011 6:56 AM
To: Eran Hammer-Lahav
Cc: OAuth WG
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt

>> 15. Section 10.2.1 says:
>>
>>    Parameter usage location:
>>       The location(s) where parameter can be used. The possible
>>       locations are: authorization request, authorization response,
>>       token request, or token response.
>>
>> Are those the only allowable locations? I notice that the bearer
>> token spec adds locations of "resource request" and "resource
>> response". I'm not quite saying we need a registry of locations, but
>> it might be good to have a well-defined way of adding to the list of
>> allowable locations (otherwise a document like the bearer spec might
>> need to say that it updates the base spec).
>
> The bearer token proposal to extend the locations available is in violation
> of the protocol and specification architecture. It is just a really bad idea.
> Specifically, the idea of any registry defining HTTP URI query request
> parameters is a violation of the provider's namespace. We can define a
> registry for OAuth endpoints but not for protected resources which may not
> even support any URI query or form-encoded body parameters. Doing so would
> REQUIRE updating 2616.
>
> There are no use cases or requirements for extending the locations and no
> extensibility is needed.

So will draft-ietf-oauth-v2-bearer be fixed?

Peter

--
Peter Saint-Andre
https://stpeter.im/