Simply because authentication is not what OAuth is about.

OAuth is an authorization protocol for issuing access tokens. Access tokens can 
have different properties and therefore need different schemes. I was the first 
to suggest a scheme with sub-schemes but that idea was strongly rejected (over 
a year ago). Since then I came to the same conclusion that the proper way is to 
define separate authentication schemes. It is also how most HTTP authentication
frameworks operate.

One benefit to this approach is that HTTP authentication already covers the
discovery of which schemes are supported by the resource server, and that
token schemes can be used independently from OAuth, something the 2-legged
OAuth 1.0 has shown has great value. Also, it keeps the protocol modular, which
enables providers to tailor it to their security needs.

OAuth 2.0 is authentication agnostic and must remain so. It is an authorization 
protocol and as such has no business defining authentication mechanisms.

For this reason, I object to using the OAuth2 scheme name with the bearer token 
scheme. It's a "trademark" issue.

EHL

> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Marius Scurtescu
> Sent: Tuesday, January 25, 2011 6:26 PM
> To: Mike Jones
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Bear token scheme name
> 
> On Wed, Jan 19, 2011 at 10:10 AM, Mike Jones
> <michael.jo...@microsoft.com> wrote:
> > I'd like a sense from the working group whether others want this
> > change, and if so, what the name should be changed to.
> 
> Probably this was debated, but I will ask again.
> 
> Why can't we use "OAuth2" as the scheme in all cases and require a
> token_type name/value pair?
> 
> Is it wise to dump lots of new schemes in a name space we do not control?
> 
> Marius
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
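
The two designs discussed in this thread, as an added example that is not part of either message: a client parses a `WWW-Authenticate` value and picks a scheme it implements, first with one scheme per token type and then with a single `OAuth2` scheme carrying a `token_type` parameter. The header values and the scheme names `Bearer` and `ExampleSigned` are constructed placeholders, and the grammar is simplified (token and quoted-string parameters only).

```python
import re

# Simplified HTTP challenge grammar: token and quoted-string only (no token68).
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
PARAM = re.compile(rf'({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))')
SCHEME = re.compile(rf'({TOKEN})')
SKIP = re.compile(r'[\s,]*')


def parse_challenges(header):
    """Split one WWW-Authenticate value into [(scheme, {param: value}), ...]."""
    challenges, pos = [], 0
    while True:
        pos = SKIP.match(header, pos).end()
        if pos == len(header):
            return challenges
        m = PARAM.match(header, pos)
        if m:
            # name=value belongs to the most recently seen scheme
            if not challenges:
                raise ValueError("auth-param before any scheme")
            quoted, bare = m.group(2), m.group(3)
            value = re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else bare
            challenges[-1][1][m.group(1).lower()] = value
        else:
            # a bare token not followed by '=' starts a new challenge
            m = SCHEME.match(header, pos)
            if not m:
                raise ValueError(f"malformed challenge at offset {pos}")
            challenges.append((m.group(1), {}))
        pos = m.end()


def select_scheme(header, supported):
    """Return the first offered challenge whose scheme the client implements."""
    wanted = {s.lower() for s in supported}
    for scheme, params in parse_challenges(header):
        if scheme.lower() in wanted:
            return scheme, params
    return None


# Constructed header values; the scheme names are placeholders (assumptions).
PER_SCHEME = 'Bearer realm="api, v1", ExampleSigned realm="api, v1", algorithm=hmac-sha-256'
SUB_SCHEME = 'OAuth2 realm="api, v1", token_type="bearer"'
```

With `PER_SCHEME`, the scheme name alone tells the client which token types the server accepts; with `SUB_SCHEME`, the client has to understand the `OAuth2` scheme and read `token_type` before it knows.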