The Authorization header in those examples is authorizing the client. In 4.1.3 the /token URI requires HTTP basic authorization to access.
Section 2.4 talks about this more.

-Bob

On Mon, Jul 25, 2011 at 9:27 PM, Mike Jones <michael.jo...@microsoft.com> wrote:
> In sections 4.1.3, 4.3.2, 4.4.2, and 6 of draft -20, the examples contain
> both the line “Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW” and
> credentials in the post body. For instance, the example from 4.3.2 is:
>
> POST /token HTTP/1.1
> Host: server.example.com
> Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
> Content-Type: application/x-www-form-urlencoded;charset=UTF-8
>
> grant_type=password&username=johndoe&password=A3ddj3w
>
> I believe that the “Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW” line
> should be deleted from all of these examples, as you either use Basic or
> credentials in the post body, but not both.
>
> Thanks,
> -- Mike
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
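
Added example, not part of the original thread: a small Python parser that takes the 4.3.2 request quoted above and separates the client credentials carried in the Basic header from the resource owner credentials carried in the body. The function name `split_credentials`, the constructed `SAMPLE_REQUEST` string, and the two checks in `issues` are assumptions of this example.

```python
import base64
from urllib.parse import parse_qs

# Constructed input: the section 4.3.2 request as quoted in the thread.
SAMPLE_REQUEST = (
    "POST /token HTTP/1.1\r\n"
    "Host: server.example.com\r\n"
    "Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW\r\n"
    "Content-Type: application/x-www-form-urlencoded;charset=UTF-8\r\n"
    "\r\n"
    "grant_type=password&username=johndoe&password=A3ddj3w"
)

def split_credentials(raw_request):
    """Separate client credentials (Basic header) from grant parameters (body)."""
    head, _, body = raw_request.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # The Basic token is base64("client_id:client_secret"); it identifies the client.
    client = None
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic" and token:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        client_id, sep, client_secret = decoded.partition(":")
        if sep:
            client = {"client_id": client_id, "client_secret": client_secret}

    # The form body carries the grant: here the resource owner's username and password.
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    grant = {k: v for k, v in params.items()
             if k not in ("client_id", "client_secret")}

    # Checks chosen for this example (hypothetical policy, not quoted from the draft).
    issues = []
    if client and "client_secret" in params:
        issues.append("client credentials sent in both header and body")
    if client is None and "client_secret" not in params:
        issues.append("no client credentials in header or body")
    return {"client": client, "grant": grant, "issues": issues}

if __name__ == "__main__":
    print(split_credentials(SAMPLE_REQUEST))
```

On the quoted request the header decodes to a client identifier and secret, while `johndoe` and the password stay in the grant parameters, so the two sets of credentials belong to different parties.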