+1. James states two important requirements (don't stand in the way of dynamic config, provide end-user authz endpoint at a minimum) we need to meet, whatever we pick.

Eve

On 11 Jul 2010, at 6:12 AM, Manger, James H wrote:

> Brian,
>
>> Or even just:
>>
>> WWW-Authenticate: OAuth2
>>
>> Seriously.
>
> I seriously hope not.
> It gives no chance for a client to work with a service without being
> pre-configured with a whole lot of service-specific knowledge -- in addition
> to an app-id/password.
>
> I don't think a realm parameter adds much value to a "WWW-Auth.: OAuth2"
> header, other than complying with RFC2617. The header does need to provide an
> end-user authorization endpoint. Ideally, that one URI would be sufficient
> for the protocol to succeed (though currently you need to separately provide
> a token endpoint as well).
>
> --
> James Manger
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

Eve Maler
http://www.xmlgrrl.com/blog
http://www.twitter.com/xmlgrrl
http://www.linkedin.com/in/evemaler