On Thu, Aug 12, 2021 at 02:17:24PM -0600, Brian Campbell wrote: > It might be worth a mention but I'm always a little hesitant about > potentially repeating content from other specs (and maybe even getting it > wrong!). Maybe a very brief mention along with a pointer to that section in > RFC 7235 would be appropriate? I'm curious what other WG folk think about > this though?
Brief mention + reference seems good to me. > FWIW, https://datatracker.ietf.org/doc/html/rfc7235#section-4.1 does say > "the [WWW-Authenticate] header field itself can occur multiple times." Yes, both this and the implication to offer both challenges should be unsurprising to people fully steeped in the workings of HTTP (which one assumes does not cover anywhere close to all people that will be looking at DPoP). -Ben P.S. If you want to become a person steeped in the workings of HTTP, https://datatracker.ietf.org/doc/draft-ietf-httpbis-semantics/ is a pretty good place to start. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
