Extensibility in authentication schemes is a bad thing, given how they are deployed and the difficulty of changing them. No existing authentication scheme is extensible (explicitly).
EHL

> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Marius Scurtescu
> Sent: Friday, June 10, 2011 10:39 AM
> To: John Kemp
> Cc: paul Tarjan; OAuth WG
> Subject: Re: [OAUTH-WG] consistency of token param name in bearer token type
>
> On Fri, Jun 10, 2011 at 9:34 AM, John Kemp <j...@jkemp.net> wrote:
> > George,
> >
> > On Jun 10, 2011, at 4:11 PM, George Fletcher wrote:
> >
> >> I definitely don't want to change the Authorization header naming scheme. I believe it should stay 'Bearer' because that's what the token is. We could make it...
> >>
> >> Authorization: Bearer access_token=vF9dft4qmT
> >>
> >> If that helps with consistency.
> >
> > Well, it might seem more consistent, but I'm not sure it's worthwhile to make the change just for that reason.
> >
> > Is it possible that the Bearer HTTP mechanism would ever take multiple parameters? In which case, having the ability to name the parameters of the Bearer mechanism might become more interesting.
>
> Hard to say, but using a proper name/value pair has several advantages:
> - permits extensibility
> - no need to limit or define character set of access tokens (name is either "token" or "quoted string")
> - HTTP header parsers can properly deal with name/value pairs
>
> If we make changes to the GET/POST parameter name then I think we should also consider the header as well.
>
> Marius
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
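An added example, not part of the original thread: a small Python parser that accepts both header forms discussed above, the bare `Bearer vF9dft4qmT` and the proposed `Bearer access_token=vF9dft4qmT`, to show what the name/value form changes for a server-side header parser. The function name `parse_authorization` and the simplified grammars are assumptions made for illustration, not the draft's ABNF.

```python
import re

# Simplified grammars, assumed for this example (not the draft's ABNF).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"              # HTTP "token" characters
BARE = re.compile(r"[A-Za-z0-9\-._~+/]+=*")          # restricted bare-token charset
PARAM = re.compile(
    r'\s*(' + TOKEN + r')\s*=\s*(?:(' + TOKEN + r')|"((?:[^"\\]|\\.)*)")\s*(?:,|$)'
)

def parse_authorization(value):
    """Return (scheme, bare_token, params) for an Authorization header value."""
    scheme, _, rest = value.strip().partition(" ")
    rest = rest.strip()
    if not scheme or not rest:
        raise ValueError("missing scheme or credentials")
    # Form 1: one bare token. Its character set has to be fixed by the spec,
    # because nothing delimits it except the end of the header value.
    if BARE.fullmatch(rest):
        return scheme, rest, {}
    # Form 2: comma-separated name=value pairs. A value is either a token or
    # a quoted string, so a quoted value may carry spaces, commas and quotes.
    params, pos = {}, 0
    while pos < len(rest):
        m = PARAM.match(rest, pos)
        if not m:
            raise ValueError(f"malformed credentials at offset {pos}")
        name, tok, quoted = m.group(1).lower(), m.group(2), m.group(3)
        if name in params:
            # Reject duplicates so two components cannot disagree on the token.
            raise ValueError(f"duplicate parameter {name!r}")
        params[name] = tok if tok is not None else re.sub(r"\\(.)", r"\1", quoted)
        pos = m.end()
    return scheme, None, params

if __name__ == "__main__":
    for header in ("Bearer vF9dft4qmT",
                   "Bearer access_token=vF9dft4qmT",
                   'Bearer access_token="a b,c", ext=1'):
        print(header, "->", parse_authorization(header))
```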