While reading Eran's recent blog post [1] about clarifying certain requirements for OAuth service providers I remembered an old discussion about whether xoauth* parameters should be allowed to go in the Authorization header. As far as I can tell, the letter of the spec says they shouldn't. The spirit seems to say it's fine.
The definitions section defines "OAuth Protocol Parameters" to be "Parameters with names beginning with oauth_." [2] Later in the spec, "Consumer Request Parameters" states "In addition to these defined methods, future extensions may describe alternate methods for sending the OAuth Protocol Parameters. The methods for sending other request parameters are left undefined, but SHOULD NOT use the OAuth HTTP Authorization Scheme header." [3]

If you combine those two clauses, it sounds like oauth extensions aren't allowed to stick parameters in the Authorization header. That leads to some pretty funky looking requests, where some of the authentication parameters are stuck in the query and others end up in the Authorization header.

Does anyone recall the rationale behind [2] and [3]? Are there going to be interop problems if extensions to OAuth use the Authorization header?

Cheers,
Brian

[1] http://www.hueniverse.com/hueniverse/2009/03/clarifying-oauth-requirements-for-service-providers.html#more
[2] http://oauth.googlecode.com/svn/spec/core/1.0/oauth-core-1_0.html#anchor3
[3] http://oauth.googlecode.com/svn/spec/core/1.0/oauth-core-1_0.html#consumer_req_param
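As an added example (not part of Brian's post or the OAuth spec text), here is the split request he describes: the oauth_ parameters ride in the Authorization header while an xoauth_ extension parameter stays in the query, and the OAuth 1.0 signature base string gathers both, so the provider must read both locations or the extension parameter is silently left unverified. Consumer key, secret, nonce, timestamp and the xoauth_requestor_id value are constructed.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def pct(s):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only -._~ unreserved)."""
    return quote(str(s), safe="-._~")

def parse_auth_header(header):
    """Split 'OAuth k1="v1", k2="v2"' into a dict; realm is not a protocol parameter."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth Authorization header")
    out = {}
    for part in rest.split(","):
        k, _, v = part.strip().partition("=")
        if k != "realm":
            out[unquote(k)] = unquote(v.strip('"'))
    return out

def signature_base_string(method, url, header_params):
    """Gather query and header params (minus oauth_signature), normalize, join."""
    u = urlsplit(url)
    items = list(parse_qsl(u.query, keep_blank_values=True))
    items += [(k, v) for k, v in header_params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in items))
    return "&".join([method.upper(), pct(f"{u.scheme}://{u.netloc}{u.path}"), pct(normalized)])

def hmac_sha1(base, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def build_request(method, url, oauth_params, consumer_secret, token_secret=""):
    """Consumer side: sign, then carry oauth_* in the header; xoauth_* stays in the URL query."""
    params = dict(oauth_params)
    base = signature_base_string(method, url, params)
    params["oauth_signature"] = hmac_sha1(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in params.items())
    return url, header

def verify_request(method, url, header, consumer_secret, token_secret=""):
    """Provider side: recompute over header AND query; a tampered query param fails."""
    params = parse_auth_header(header)
    expected = hmac_sha1(signature_base_string(method, url, params), consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

# Constructed sample values (not from the post): key, nonce, timestamp and requestor id.
SAMPLE_URL = "https://photos.example.net/photos?file=vacation.jpg&xoauth_requestor_id=alice%40example.com"
SAMPLE_OAUTH = {"oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_signature_method": "HMAC-SHA1",
                "oauth_timestamp": "1191242096", "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0"}
```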
