Re: [OAUTH-WG] Removal: credential body parameters

2011-01-18 Thread Eran Hammer-Lahav
Hammer-Lahav Cc: OAuth WG Subject: Re: [OAUTH-WG] Removal: credential body parameters That's true, but combining existing schemes with user credentials sent in the request body creates other problems (as you already stated). And most existing schemes are used for user authentication these

Re: [OAUTH-WG] Removal: credential body parameters

2011-01-18 Thread Torsten Lodderstedt
v *Cc:* OAuth WG *Subject:* Re: [OAUTH-WG] Removal: credential body parameters Where do you see the conflict? In my proposal, user and client credentials are combined into one Authorization header. But the same holds for request parameters. I don't know whether combining credentials in request

Re: [OAUTH-WG] Removal: credential body parameters

2011-01-18 Thread Eran Hammer-Lahav
-Lahav Cc: OAuth WG Subject: Re: [OAUTH-WG] Removal: credential body parameters Where do you see the conflict? In my proposal, user and client credentials are combined into one Authorization header. But the same holds for request parameters. I don't know whether combining credentials in re

Re: [OAUTH-WG] Removal: credential body parameters

2011-01-18 Thread Torsten Lodderstedt
ation using, say, Basic or Digest? Seems like a complex framework for combining schemes into one header. EHL *From:*Torsten Lodderstedt [mailto:tors...@lodderstedt.net] *Sent:* Sunday, January 16, 2011 10:55 AM *To:* Eran Hammer-Lahav *Cc:* OAuth WG *Subject:* Re: [OAUTH-WG] Removal: credential

Re: [OAUTH-WG] Removal: credential body parameters

2011-01-18 Thread Eran Hammer-Lahav
header. EHL From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net] Sent: Sunday, January 16, 2011 10:55 AM To: Eran Hammer-Lahav Cc: OAuth WG Subject: Re: [OAUTH-WG] Removal: credential body parameters Hi Eran, you made some good points and I agree with most of your analysis. The way we

Re: [OAUTH-WG] Removal: credential body parameters

2011-01-18 Thread Marius Scurtescu
On Mon, Jan 17, 2011 at 7:55 AM, Richer, Justin P. wrote:
> I absolutely don't want to drop credentials being passed as parameters. I
> think that's more widely deployed than using the BASIC style auth as well.
+1 I think it is way too late for drastic changes like this. As shown by existing im

Re: [OAUTH-WG] Removal: credential body parameters

2011-01-18 Thread Torsten Lodderstedt
..@ietf.org] On Behalf Of Torsten Lodderstedt [tors...@lodderstedt.net] Sent: Sunday, January 16, 2011 1:54 PM To: Eran Hammer-Lahav Cc: OAuth WG Subject: Re: [OAUTH-WG] Removal: credential body parameters Hi Eran, you made some good points and I agree with most of your analysis. The way we use BASI

Re: [OAUTH-WG] Removal: credential body parameters

2011-01-17 Thread Richer, Justin P.
e reasonable. -- Justin From: oauth-boun...@ietf.org [oauth-boun...@ietf.org] On Behalf Of Torsten Lodderstedt [tors...@lodderstedt.net] Sent: Sunday, January 16, 2011 1:54 PM To: Eran Hammer-Lahav Cc: OAuth WG Subject: Re: [OAUTH-WG] Removal: credential body

Re: [OAUTH-WG] Removal: credential body parameters

2011-01-16 Thread Torsten Lodderstedt
Hi Eran, you made some good points and I agree with most of your analysis. The way we use BASIC in the current draft is not perfect, mainly because it is a compromise. It was basically the attempt to be more HTTP compliant while still supporting the parameter-based approach. I would strongly