> But an unguessable header name is *simple* and effective and works right now
> with widely implemented functionality.
You mean like admin/admin for administrator access? There is no such thing as an unguessable name. You claim the name will never be exposed to untrusted parties. How so? You are now telling administrators to treat a *name* as securely as they treat a *key* (or password). If it must be protected like key material, then use it like key material. The proxy-backend should be TLS, ideally authenticating the proxy.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth