Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

2011-02-06 Thread Dirk Balfanz
On Sun, Feb 6, 2011 at 4:26 AM, Manger, James H <james.h.man...@team.telstra.com> wrote:

> Dirk said:
>
> > FWIW, I agree with Brian - it [the “Bearer” scheme] should say OAuth
> > somewhere, because it's an OAuth token.
>
> OAuth can deliver any variety of bearer token: SAML, JWT, SWT, opaque

Re: [OAUTH-WG] more comments on draft-hammer-oauth-v2-mac-token-02 -- encoding of secret

2011-02-06 Thread Manger, James H
Eran,

>> 16. OAuth2 can provide a "secret" as a Unicode string. MAC algorithms such
>> as HMAC use a key that is a byte array. Section 2 of the MAC spec says 'secret'
>> can only include printable ASCII chars (except " and /). This is not quite right.
>> The MAC scheme should expect 'secret

Re: [OAUTH-WG] more comments on draft-hammer-oauth-v2-mac-token-02 -- algorithm param

2011-02-06 Thread Manger, James H
Eran,

>> 13. The MAC algorithm should be explicitly indicated in the request, instead
>> of being implied by the access-token/id. I suggest including an "algorithm"
>> parameter in the "Authorization" request header. I also suggest including an
>> "algorithms" parameter in the "WWW-Authenticate" r

[OAUTH-WG] WWW-Auth. OAuth scheme (was RE: Bearer token type and scheme name (deadline: 2/10))

2011-02-06 Thread Manger, James H
Phil Hunt said:

> The only other issue would be determining whether the token is obtained via
> an OAuth profile or via some default profile. That could be handled with
> something like:
>
> WWW-Authenticate: Basic realm="somerealm"
> WWW-Authenticate: MAC realm="somerealm"
> WWW-Authenticate:

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

2011-02-06 Thread Manger, James H
Dirk said:

> FWIW, I agree with Brian - it [the "Bearer" scheme] should say OAuth
> somewhere, because it's an OAuth token.

OAuth can deliver any variety of bearer token: SAML, JWT, SWT, opaque id, anything else. Conversely, any of these tokens can come from a variety of sources: a user-del

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

2011-02-06 Thread Manger, James H
Brian said:

> How do we reconcile "Bearer" with "Negotiate", "NTLM", "Basic", and
> "GoogleLogin"? All of those examples are widely deployed and use
> bearer tokens in Authorization headers. Should all of those switch to
> using the "Bearer" scheme as well?

"Basic" & "NTLM" are password schemes;