>>> Perhaps omitting the id parameter from the Authorization header
>>> would be an even better approach [when a cookie provides the key id]
>> Yeah, I've often wondered whether we should remove the id parameter
>> from the Authorization header. My understanding is that it plays some
>> important role in the OAuth instantiation of the protocol. There's also the
>> question about what to do when you have multiple cookies with MAC
>> attributes. In that case, having the id to disambiguate seems useful.

> With OAuth 2.0, the id is the access token. With cookies, it makes it clear
> which MAC cookie is being used. It's required.

How does the server know if a particular request with an "Authorization: MAC ..." header is using credentials from OAuth 2.0 or from Set-Cookie?

P.S. id=<cookie-name> is not ideal for indicating which MAC cookie is being used, as there can be multiple cookies with the same cookie-name (e.g. set from sibling domains).

--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
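The P.S. above can be seen in a small model of cookie storage and domain matching. This is an added example, not part of the original message or of the MAC draft; the hosts, the cookie name `sid` and the values are constructed, and path matching and public-suffix checks are left out.

```python
def domain_match(host, cookie_domain, host_only):
    """RFC 6265 section 5.1.3 domain matching (IP-address hosts not handled)."""
    if host_only:
        return host == cookie_domain
    return host == cookie_domain or host.endswith("." + cookie_domain)


class Jar:
    """Toy cookie store keyed the way RFC 6265 keys it: (name, domain, path)."""

    def __init__(self):
        self.store = {}

    def set_cookie(self, origin_host, name, value, domain=None, path="/"):
        host_only = domain is None
        dom = origin_host if host_only else domain.lstrip(".").lower()
        # A host may only set cookies for itself or for a parent domain.
        if not domain_match(origin_host, dom, host_only=False):
            return False
        self.store[(name, dom, path)] = (value, host_only)
        return True

    def cookies_for(self, host):
        """(name, value) pairs sent to `host`. Domain and Path are never
        transmitted in the Cookie header, so the server sees only these."""
        return [(n, v) for (n, d, _p), (v, ho) in self.store.items()
                if domain_match(host, d, ho)]


def candidates_for_id(sent, key_id):
    """Every cookie value a server could select for id=<cookie-name>."""
    return [v for n, v in sent if n == key_id]


def demo():
    jar = Jar()
    # Constructed scenario: two sibling hosts under example.com set "sid".
    jar.set_cookie("app.example.com", "sid", "issued-by-app")
    jar.set_cookie("blog.example.com", "sid", "issued-by-sibling",
                   domain="example.com")
    sent = jar.cookies_for("app.example.com")
    return jar, sent, candidates_for_id(sent, "sid")


if __name__ == "__main__":
    _jar, sent, candidates = demo()
    print("Cookie:", "; ".join(f"{n}={v}" for n, v in sent))
    print("candidates for id=sid:", candidates)
```

A server that resolves the key by cookie name alone has two candidates here, so it would need to reject such a request or identify the credential by something other than the name.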