>> On Jan 18, 2011, at 11:13 PM, Eran Hammer-Lahav wrote:
>>
>>> OAuth is an authorization protocol not an authentication protocol. With the
>> exception of the client password credentials passed in the form-encoded
>> body, the protocol is completely authentication agnostic for both client
>> aut
On Jan 18, 2011, at 11:13 PM, Eran Hammer-Lahav wrote:
> OAuth is an authorization protocol not an authentication protocol. With the
> exception of the client password credentials passed in the form-encoded body,
> the protocol is completely authentication agnostic for both client
> authentica
Could you clarify what the "confusing mess" part is? The cited reference [1] is
not useful.
It is good to adhere to the challenge-response model of 2617 for wider
interoperability and discoverability (yes, WWW-Authenticate with a well-known
scheme name helps discovery and lack thereof reduces p
, 2010, at 11:26 AM, Eran Hammer-Lahav wrote:
> Using form-encoding to encode the URI query is well established and directly
> based on the media type rules. No further specification is needed.
>
> EHL
>
>> -Original Message-
>> From: Subbu Allamaraju [mail
's still a draft.
>
> EHL
>
>> -Original Message-
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>> Of Subbu Allamaraju
>> Sent: Wednesday, December 01, 2010 2:05 PM
>> To: OAuth WG
>> Subject: [OAUTH-WG] Comment on
Here is some feedback on the use of the 'application/x-www-form-urlencoded'
media type in the latest drafts (10 or 11).
The draft refers to the 'application/x-www-form-urlencoded' media type for
encoding parameters into the query component of URIs. For instance, see 4.1 in
draft 11 has
"In ord
Could you point out which part of the spec specifies this (am looking at draft 10)?
In any case, I would expect the auth server to include the scopes granted in
the access token response to avoid any ambiguity.
On Nov 29, 2010, at 8:40 AM, Eran Hammer-Lahav wrote:
> #2. Asking for scope on the acce
On Mar 25, 2010, at 9:55 AM, Brian Eaton wrote:
> On Thu, Mar 25, 2010 at 6:09 AM, Subbu Allamaraju wrote:
>> Just curious - why can't the client check the Date header?
>
> Yes, that works, but lots of clients don't realize it is possible.
In other words, this is par
Just curious - why can't the client check the Date header?
Subbu
On Mar 24, 2010, at 6:26 PM, Paul Lindner wrote:
Right now if a client with an inaccurate clock makes an OAuth call
they are rejected. OAuth Problem Reporting includes a mechanism to
send the server's concept of 'now' to t