I think you are correct - there should be only one scheme per header.
However, there is an issue that a particular token type may be used outside of
OAuth and then it may also be used within OAuth at the same time. So you do
have to list protocols twice. I believe Eran had mentioned an approach
that's not the way WWW-Authenticate headers are used today. Instead the
resource server should return a single WWW-Authenticate header _per_
supported authentication scheme, such as
WWW-Authenticate: MAC realm="somerealm"
WWW-Authenticate: BEARER realm="somerealm"
Furthermore, I think interdep
+1 for option 3, but would be fine with option 1, too
Both are quite similar, except 3 keeps the link between the OAuth
authorization server API (how to get a token) and the HTTP schemes used
to send the tokens to the resource servers. Since OAuth is becoming, in
my perception, the synonym for
I'm confused. Can you cut-and-paste the problematic text?
From: William Mills [mailto:wmi...@yahoo-inc.com]
Sent: Saturday, February 05, 2011 8:42 AM
To: Eran Hammer-Lahav; OAuth WG
Subject: RE: draft-hammer-oauth-v2-mac-token-02
Reading through and looking at your example in 1.1 I think you don't have
enough lines. Your text specified 9 elements to be signed, but you only have 7
lines in the text to be signed. The way I read the text you should have 9
elements followed by newlines, which can be empty, but the newlines
In "4.1.2.1. Error Response" it says:
If the resource owner denies the access request or if the request
fails for reasons other than a missing or invalid redirection URI,
the authorization server informs the client by adding the following
parameters to the query component of the redirectio