Mike - I don't think that's true for the resource owner password credentials flow that you showed below.
The Authorization header is authenticating the client, the username/password POST body params represent the resource owner.

From: Mike Jones <michael.jo...@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: 26-07-11 02:31 PM
Subject: [OAUTH-WG] Extra "Authorization: Basic" lines in examples
Sent by: oauth-boun...@ietf.org

In sections 4.1.3, 4.3.2, 4.4.2, and 6 of draft -20, the examples contain both the line “Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW” and credentials in the post body. For instance, the example from 4.3.2 is:

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

grant_type=password&username=johndoe&password=A3ddj3w

I believe that the “Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW” line should be deleted from all of these examples, as you either use Basic or credentials in the post body, but not both.

Thanks,
-- Mike

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
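The distinction drawn in the reply above, as an added example that is not part of the thread or of the draft: a token-endpoint parser that treats the `Authorization: Basic` header as the client's credentials and the `username`/`password` body parameters as the resource owner's, so the 4.3.2 request carries two different principals rather than one set of credentials sent twice. The sample request is constructed to match the draft's example; the function names are hypothetical. The rejection of a request that carries both a Basic header and `client_id`/`client_secret` body parameters follows the rule in the final RFC 6749, section 2.3.1, that a client must not use more than one authentication method per request (an assumption about the spec text, not something the thread states).

```python
import base64
from urllib.parse import parse_qs

# Constructed sample: the shape of the draft's section 4.3.2 example
# (Basic header for the client, password grant for the resource owner).
SAMPLE_REQUEST = (
    "POST /token HTTP/1.1\r\n"
    "Host: server.example.com\r\n"
    "Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW\r\n"
    "Content-Type: application/x-www-form-urlencoded;charset=UTF-8\r\n"
    "\r\n"
    "grant_type=password&username=johndoe&password=A3ddj3w"
)

# Constructed sample of the ambiguous case: the client authenticates both
# with a Basic header and with client_id/client_secret in the body.
BOTH_METHODS_REQUEST = (
    "POST /token HTTP/1.1\r\n"
    "Host: server.example.com\r\n"
    "Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW\r\n"
    "Content-Type: application/x-www-form-urlencoded;charset=UTF-8\r\n"
    "\r\n"
    "grant_type=password&username=johndoe&password=A3ddj3w"
    "&client_id=s6BhdRkqt3&client_secret=gX1fBat3bV"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def client_credentials_from_basic(headers):
    """Return (client_id, client_secret) from a Basic header, or None if absent."""
    auth = headers.get("authorization")
    if not auth:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return None
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    client_id, sep, client_secret = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials: no ':' separator")
    return client_id, client_secret


def classify_token_request(raw):
    """Separate the client principal from the resource-owner principal.

    Hypothetical helper: returns which party authenticated how, and raises
    ValueError when the client used two authentication methods at once
    (RFC 6749 s2.3.1 forbids that, which is why the examples should carry
    Basic or body client credentials, not both).
    """
    _, headers, body = parse_http_request(raw)
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    basic = client_credentials_from_basic(headers)
    body_client = None
    if "client_id" in params and "client_secret" in params:
        body_client = (params["client_id"], params["client_secret"])
    if basic and body_client:
        raise ValueError("client used more than one authentication method")

    # username/password belong to the resource owner, never to the client.
    resource_owner = None
    if params.get("grant_type") == "password":
        resource_owner = (params.get("username"), params.get("password"))

    return {
        "grant_type": params.get("grant_type"),
        "client": basic or body_client,
        "client_auth_method": "basic" if basic else ("body" if body_client else None),
        "resource_owner": resource_owner,
    }


if __name__ == "__main__":
    print(classify_token_request(SAMPLE_REQUEST))
```

Running the block on the 4.3.2 request yields the client `s6BhdRkqt3` (decoded from the Basic header) and the resource owner `johndoe` from the body, which is the point of the reply: removing the header would remove the client's authentication, not a redundant copy of the user's credentials.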