Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08.txt WGLC comments

Wed, 12 Oct 2011 07:32:36 -0700 

Draft 09 allows either b64token or auth-params.  Unless there's a working group 
consensus that this must change, both syntax options will be supported.

                                -- Mike

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of 
Julian Reschke
Sent: Wednesday, October 12, 2011 2:21 AM
To: Manger, James H
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08.txt WGLC comments

On 2011-10-12 02:06, Manger, James H wrote:
>> > 2. The ABNF for <credentials> does not comply with RFC 2617 "HTTP
> Authentication".
>
>>  So where are we on this? Any progress?
>
> Some progress.
>
> draft-ietf-oauth-v2-bearer-09 defines the "Authorization: Bearer ..."
> request header to match draft-ietf-httpbis-p7-auth. It uses <b64token> 
> for the access token.
>
> The spec is not quite right as it also includes a comma-separated list 
> of name=value pairs <#auth-param> as another option for the header, 
> without any hint about how this works for the Bearer scheme.
>
> Still to do:
>
> Change
>
> credentials = "Bearer" 1*SP ( b64token / #auth-param )
>
> to
>
> credentials = "Bearer" 1*SP b64token
> ...

I'd like to point out that we added b64token in HTTPbis in order to grandfather 
Basic and Digest; it's really not designed for new schemes.

<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-16.html#rfc.section.2.3.1>
says:

"The "b64token" notation was introduced for compatibility with existing 
authentication schemes and can only be used once per challenge/credentials. New 
schemes thus ought to use the "auth-param" 
syntax instead, because otherwise future extensions will be impossible."

So be aware that by choosing b64token, you are closing the door for any kind of 
extensibility here. (Note that this isn't a matter of taste, but directly 
follows from syntax requirements for parsing the header field)

Best regards, Julian
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to