On 2011-10-12 02:06, Manger, James H wrote:
>> 2. The ABNF for <credentials> does not comply with RFC 2617 "HTTP
>> Authentication".
>> So where are we on this? Any progress?
> Some progress.
> draft-ietf-oauth-v2-bearer-09 defines the “Authorization: Bearer ...”
> request header to match draft-ietf-httpbis-p7-auth. It uses <b64token>
> for the access token.
> The spec is not quite right as it also includes a comma-separated list
> of name=value pairs <#auth-param> as another option for the header,
> without any hint about how this works for the Bearer scheme.
> Still to do:
> Change
> credentials = "Bearer" 1*SP ( b64token / #auth-param )
> to
> credentials = "Bearer" 1*SP b64token
> ...
I'd like to point out that we added b64token in HTTPbis in order to
grandfather Basic and Digest; it's really not designed for new schemes.
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-16.html#rfc.section.2.3.1>
says:
"The "b64token" notation was introduced for compatibility with existing
authentication schemes and can only be used once per
challenge/credentials. New schemes thus ought to use the "auth-param"
syntax instead, because otherwise future extensions will be impossible."
So be aware that by choosing b64token, you are closing the door for any
kind of extensibility here. (Note that this isn't a matter of taste, but
directly follows from syntax requirements for parsing the header field.)
Best regards, Julian
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
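As an added example that is not part of the thread, a small Python parser for the two forms of <credentials> under discussion: the draft -09 rule with the #auth-param alternative, and the proposed b64token-only rule. It assumes the b64token and auth-param definitions from draft-ietf-httpbis-p7-auth; the header values it parses are constructed, and the last case (a b64token followed by an extension parameter) shows concretely why a bare b64token leaves no syntactic slot for later parameters.

```python
import re

# Grammar fragments (as regexes) taken from draft-ietf-httpbis-p7-auth:
#   b64token   = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
#   auth-param = token BWS "=" BWS ( token / quoted-string )
B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
AUTH_PARAM = re.compile(rf'({TCHAR})[ \t]*=[ \t]*(?:({TCHAR})|"((?:[^"\\]|\\.)*)")')
LIST_SEP = re.compile(r"[ \t]*,[ \t]*")


def parse_auth_params(s):
    """Parse a comma-separated #auth-param list into a dict, or None.
    Simplification: empty list elements ("a=b,,c=d") are not accepted."""
    params, pos = {}, 0
    while True:
        m = AUTH_PARAM.match(s, pos)
        if not m:
            return None  # element is not an auth-param (e.g. no "=")
        token_val, quoted_val = m.group(2), m.group(3)
        # quoted-string: quotes already stripped, now unescape quoted-pairs
        value = token_val if token_val is not None else re.sub(r"\\(.)", r"\1", quoted_val)
        params[m.group(1).lower()] = value  # param names are case-insensitive
        pos = m.end()
        if pos == len(s):
            return params
        sep = LIST_SEP.match(s, pos)
        if not sep:
            return None
        pos = sep.end()


def parse_bearer(header, allow_auth_params):
    """Parse an Authorization field-value against
         credentials = "Bearer" 1*SP ( b64token / #auth-param )   (draft -09)
    or, with allow_auth_params=False, against the proposed
         credentials = "Bearer" 1*SP b64token
    Returns ("b64token", value), ("auth-params", dict) or None.
    The scheme name is matched case-insensitively, as p7-auth requires."""
    m = re.fullmatch(r"Bearer +(.*)", header, re.IGNORECASE)
    if not m:
        return None
    rest = m.group(1)
    if B64TOKEN.fullmatch(rest):
        return ("b64token", rest)
    if not allow_auth_params:
        return None
    params = parse_auth_params(rest)
    return ("auth-params", params) if params is not None else None
```

Under either rule, "Bearer mF_9.B5f-4.1JqM, scope=openid" is rejected: the value is not a b64token, and its first element has no "=" so it is not an auth-param either, which is the extensibility problem Julian describes.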