Eran,
>>> What does scheme=basic mean [in a token response]?
> But that has the same security properties as bearer.
True.
>> Keeping [type and scheme] separate...
>> It just means we need another registry (of token_types, with associated
>> procedures); and we need an extra spec for each authen
When a client app gets an OAuth2 token response it needs to know what to do
next. In particular, which authentication *protocol* it should use with the
received credential. I thought this was what token_type was designed for, hence
my suggestion that it hold an HTTP authentication scheme name.
Each scheme will have an RFC and will get proper review. If there is consensus
for a new scheme, the rest doesn't matter. And being able to reuse these
schemes without having to use a confusing OAuth2 scheme is a big benefit.
EHL
> -Original Message-
> From: Marius Scurtescu [mailto:msc
On Mon, Dec 6, 2010 at 12:43 PM, Eran Hammer-Lahav wrote:
>
>
>> -Original Message-
>> From: Marius Scurtescu [mailto:mscurte...@google.com]
>> Sent: Monday, December 06, 2010 11:57 AM
>> To: Eran Hammer-Lahav
>> Cc: Manger, James H; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] OAuth 2.0 Bear
> -Original Message-
> From: Marius Scurtescu [mailto:mscurte...@google.com]
> Sent: Monday, December 06, 2010 11:57 AM
> To: Eran Hammer-Lahav
> Cc: Manger, James H; oauth@ietf.org
> Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01
>
> On Sun, Dec 5, 2010 at 10:34
On Sun, Dec 5, 2010 at 10:39 PM, Eran Hammer-Lahav wrote:
> The argument was, since these are basic credentials, they should be used in
> the native HTTP method using the header. But since that is not as simple as a
> pair of parameters, we ended up with both. The easy way and the right way.
No
On Sun, Dec 5, 2010 at 3:27 PM, Manger, James H
wrote:
> Marius,
>
>> How about:
>> - keeping the scheme "OAuth2", for both WWW-Authenticate and Authorization
>> - define both as name/value pairs (WWW-Authenticate is already)
>> - require that one of the pairs be "type="
>>
>> For example:
>> WWW-
On Sun, Dec 5, 2010 at 10:34 PM, Eran Hammer-Lahav wrote:
> This is not how most HTTP authentication frameworks work (that was the
> conclusion from my HTTP Token scheme proposal a year ago). Most frameworks
> rather switch on the scheme name, not on a parameter inside the header.
The alternati
With the core drafts finally settling in, I think it's time for the WG
to look into a widely-used use case of OAuth 1.0 that's not currently
addressed directly by OAuth2: classical 2-legged OAuth 1.0, or tokenless
signed HTTP fetch.
People use this method today to replace developer key credentials
Is there a real downside to making them both optional with availability
specified by the AS? I have a feeling that's what we're going to end up
with in the wild anyway. That is to say, frameworks that can't dig deep
enough into HTTP to get to the Basic credentials just won't support that
method, ev