On 20.04.2010 05:06, Dick Hardt wrote:
On 2010-04-19, at 9:25 AM, Eran Hammer-Lahav wrote:
2. Server requires authentication

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Token realm='Example', scope='x2'
Can more than one scope be returned? Is it a comma delimited list?

I wonder how much value this will provide. (I like the idea, but teasing out 
the implications.)

Imagine we have a resource that can have READ or WRITE access granted.

An unauthenticated GET on the resource could return the scope URI needed for 
READ, an unauthenticated PUT on the resource could return the scope URI for 
WRITE. What if you want to both do READs and WRITEs? There may be another scope 
that is READ/WRITE. READ and WRITE are pretty common capabilities, but one can 
imagine much more complex capabilities at resources.

The exact semantics to the resource are likely going to be very contextual.

Given that, returning a single scope value if that is all that makes sense to 
the resource will likely address many use cases.
I also think the WWW-Authenticate header should only contain the scope required for the particular request. To get the whole picture of scope/request relations, the resource server could offer some kind of discovery.

regards,
Torsten.
(+1 to Eran's proposal given all the other factors)

-- Dick

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
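
Added example, not code from the thread or from the OAuth draft: a minimal resource-server check that answers 401 with a WWW-Authenticate challenge naming only the scope the current request needs (per-method, as Dick and Torsten describe), plus a client-side parser for that challenge. The "Token" scheme, the realm, the token store and the scope names are constructed for illustration.

```python
import re

# Constructed policy: the scope required per HTTP method on one resource.
METHOD_SCOPE = {"GET": "read", "HEAD": "read", "PUT": "write", "DELETE": "write"}

# Constructed token store: token -> set of scopes granted to it.
TOKENS = {"tok-r": {"read"}, "tok-rw": {"read", "write"}}


def authorize(method, token):
    """Return (status, headers) for a request.

    A 401 carries only the scope this particular method needs, so an
    unauthenticated GET reveals the READ scope and a PUT the WRITE scope;
    the full scope/request policy is not disclosed in the challenge.
    """
    needed = METHOD_SCOPE.get(method)
    if needed is None:
        return 405, {"Allow": ", ".join(sorted(METHOD_SCOPE))}
    granted = TOKENS.get(token, set())
    if needed in granted:
        return 200, {}
    return 401, {"WWW-Authenticate": f"Token realm='Example', scope='{needed}'"}


# One auth-param: name = "value" | 'value' | bare-token, followed by , or end.
_PARAM = re.compile(
    r"""\s*([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^,\s]+))\s*(?:,|$)"""
)


def parse_challenge(header):
    """Parse 'Scheme k=v, k=v' into (scheme, {k: v}).

    Accepts both the single quotes used in the draft example and the
    double quotes of RFC 2617. The scope value is returned as-is: whether
    it may carry more than one scope is left to the protocol, not decided here.
    """
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for m in _PARAM.finditer(rest):
        value = next(g for g in m.groups()[1:] if g is not None)
        params[m.group(1).lower()] = value
    return scheme, params
```

A client that holds a read-only token and gets the 401 for a PUT can read `scope` from the parsed challenge and ask the authorization server for a token with exactly that scope.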
