[this has nothing to do with realm] Any solution should be:

- Extensible - we removed the few discovery parameters from the core spec due to lack of maturity and consensus. However, we clearly have enough strong interest in reintroducing them as extensions. The WWW-Authenticate header is the natural place to include them.
- Human-friendly - I think being able to look at the header and immediately see what it means is useful. Is there a JSON profile suitable for inclusion in HTTP headers? I would like to avoid BASE64 when a person is likely to take a look at the header. Otherwise debugging and command line interaction become impractical.

On top of that, I am still not sure about the best way to accommodate both signed and unsigned requests, but the idea of two separately defined schemes isn't appealing (not having two, just defining them in two different places).

As for the scheme name, I have changed my mind about using 'Token' and am now proposing 'OAuth'. The reason for that is that the current scheme extensibility is directly linked to the OAuth protocol (for example, the 'scope' parameter). This voids my claim that it is a completely orthogonal scheme. Because we are not using the 'oauth_' prefix, telling the difference is trivial and there is no need to include a version parameter (since 2.0 is marking 1.0 as obsolete).

So if you can suggest a scheme syntax that accommodates the above, and is based on JSON, I'm very supportive.

EHL

On 7/10/10 11:55 PM, "Brian Eaton" <bea...@google.com> wrote:

On Sun, Jun 27, 2010 at 6:51 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> 1. Leave it as required under the definition of RFC 2617 (i.e. provide no help, developers will need to read 2617 and figure out what to do with it).
>
> 2. Update 2617 to remove the requirement - this is not going to be easy, or possible to predict success.
>
> 3. Provide specific guidance as to what to do with the realm parameter.
>
> 4. Something else.

Let's do something else.

We've made great progress on simplifying the spec and unifying the different formats to minimize the number of parsers and serializers that are needed. The www-authenticate header is one of the bits of nastiness left.

Let's use a format like this:

WWW-Authenticate: OAuth2 base64(<json>)

Or even just:

WWW-Authenticate: OAuth2

Seriously. There is some precedent for this. The Negotiate and NTLM schemes ditched the name="value" syntax, and they are widely implemented. This demonstrates two things:

1) dropping the name="value" syntax won't break the internet, because widely deployed schemes have already done it.

2) "realm" is not necessary in order to have a successful authentication protocol.

As far as I can tell, there is no good reason for RFC 2617 to specify the syntax it does. It's convenient for digest auth, and kind of a pain everywhere else. So let's just drop it.

Cheers,
Brian
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
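The thread above argues over three possible shapes for the WWW-Authenticate challenge: the RFC 2617 `name="value"` list, Brian's `OAuth2 base64(<json>)` blob, and a bare scheme name with no parameters at all, as Negotiate and NTLM already do. The following parser, added here as an illustration and not code from the OAuth working group or from either participant, accepts all three so the trade-offs can be tried on real header values. The scheme names `OAuth`/`OAuth2`, the parameter names, the helper names `parse_challenge`/`build_challenge`, and the fourth "raw JSON after the scheme" variant (an assumed syntax standing in for Eran's wish for JSON without BASE64) are all assumptions; the sample headers are constructed.

```python
"""
Parser for the WWW-Authenticate challenge shapes debated in the thread.
Added example; not code from the OAuth working group or any participant.
Scheme names, parameter names and the raw-JSON variant are assumptions:

  1. RFC 2617 auth-param list:    OAuth realm="api", scope="read write"
  2. base64(<json>) blob:         OAuth2 eyJzY29wZSI6InJlYWQifQ==
  3. Bare scheme, like Negotiate: OAuth2
  4. Raw JSON object (assumed):   OAuth {"scope":"read"}

Only one challenge per header value is handled.
"""
import base64
import json
import re

# token and auth-param grammar from RFC 2616/2617: token "=" ( token | quoted-string )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_AUTH_PARAM = re.compile(
    r"\s*(?P<key>" + _TOKEN + r")\s*=\s*"
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<token>' + _TOKEN + r"))\s*(?:,|$)"
)
# token68-style blob: standard base64 alphabet, optional trailing padding
_B64 = re.compile(r"^[A-Za-z0-9+/]+=*$")


def _parse_auth_params(s):
    """Parse a comma-separated auth-param list into a dict (keys lower-cased)."""
    params, pos = {}, 0
    while pos < len(s):
        m = _AUTH_PARAM.match(s, pos)
        if m is None:
            raise ValueError("malformed auth-param at %r" % s[pos:])
        key = m.group("key").lower()
        if key in params:
            raise ValueError("duplicate auth-param %r" % key)
        if m.group("quoted") is not None:
            params[key] = re.sub(r"\\(.)", r"\1", m.group("quoted"))  # undo quoted-pair
        else:
            params[key] = m.group("token")
        pos = m.end()
    return params


def _load_json_object(text):
    obj = json.loads(text)
    if not isinstance(obj, dict):
        raise ValueError("challenge JSON must be an object")
    return obj


def parse_challenge(header):
    """Return (scheme, params) for one WWW-Authenticate challenge value."""
    scheme, _, rest = header.strip().partition(" ")
    rest = rest.strip()
    if not rest:                               # 3. bare scheme
        return scheme, {}
    if rest.startswith("{"):                   # 4. raw JSON object
        return scheme, _load_json_object(rest)
    if _B64.match(rest):                       # 2. base64(<json>)
        padded = rest + "=" * (-len(rest) % 4)
        try:
            raw = base64.b64decode(padded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError) as e:
            raise ValueError("blob is not base64(UTF-8 JSON): %s" % e)
        return scheme, _load_json_object(raw)
    return scheme, _parse_auth_params(rest)    # 1. RFC 2617 name="value" list


def build_challenge(scheme, params, encoding="auth-param"):
    """Serialize params in one of the encodings; inverse of parse_challenge."""
    if not params:
        return scheme
    if encoding == "auth-param":
        items = ", ".join('%s="%s"' % (k, v.replace("\\", "\\\\").replace('"', '\\"'))
                          for k, v in params.items())
        return "%s %s" % (scheme, items)
    body = json.dumps(params, separators=(",", ":"), sort_keys=True)
    if encoding == "json":
        return "%s %s" % (scheme, body)
    if encoding == "base64":
        return "%s %s" % (scheme, base64.b64encode(body.encode("utf-8")).decode("ascii"))
    raise ValueError("unknown encoding %r" % encoding)


if __name__ == "__main__":
    # Constructed sample headers, one per style discussed in the thread.
    for h in ('OAuth realm="api", scope="read write", error="invalid_token"',
              "OAuth2 eyJzY29wZSI6InJlYWQifQ==",
              "OAuth2",
              'OAuth {"scope":"read"}'):
        print("%-60s -> %r" % (h, parse_challenge(h)))
```

Two things stand out when running this. The base64 form is the only one that needs a heuristic (`_B64`) to tell it apart from an unquoted `name=value` list, which is the kind of ambiguity a single fixed encoding in the spec would remove; and the `name="value"` form is the only one where a quoting bug (a stray `"` or `\` in a value) turns into a parse failure, which is the "nastiness" Brian is pointing at. Neither the raw-JSON nor the base64 form carries `realm`, matching his observation that Negotiate and NTLM get by without it.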