So this falls under the "who gets to define oauth_ parameters?" question. This will be easy moving forward as we can create an IANA registry to list extensions (which will have the benefit of some loose oversight over them to ensure interop). For now, people should seek wide consensus before minting new oauth_ parameters. No one should mint any xoauth_ parameters.
To my knowledge there aren't any final specs of any extension that use xoauth_ parameters. So any drafts out there should be corrected...

EHL

On 4/1/09 9:38 AM, "Brian Eaton" <[email protected]> wrote:

While reading Eran's recent blog post [1] about clarifying certain requirements for OAuth service providers I remembered an old discussion about whether xoauth* parameters should be allowed to go in the Authorization header.

As far as I can tell, the letter of the spec says they shouldn't. The spirit seems to say it's fine.

The definitions section defines "OAuth Protocol Parameters" to be "Parameters with names beginning with oauth_." [2]

Later in the spec, "Consumer Request Parameters" states "In addition to these defined methods, future extensions may describe alternate methods for sending the OAuth Protocol Parameters. The methods for sending other request parameters are left undefined, but SHOULD NOT use the OAuth HTTP Authorization Scheme header." [3]

If you combine those two clauses, it sounds like OAuth extensions aren't allowed to stick parameters in the Authorization header. That leads to some pretty funky looking requests, where some of the authentication parameters are stuck in the query and others end up in the Authorization header.

Does anyone recall the rationale behind [2] and [3]? Are there going to be interop problems if extensions to OAuth use the Authorization header?

Cheers,
Brian

[1] http://www.hueniverse.com/hueniverse/2009/03/clarifying-oauth-requirements-for-service-providers.html#more
[2] http://oauth.googlecode.com/svn/spec/core/1.0/oauth-core-1_0.html#anchor3
[3] http://oauth.googlecode.com/svn/spec/core/1.0/oauth-core-1_0.html#consumer_req_param
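Added example, not part of the original messages or of the OAuth spec: a service-provider-side audit that applies the two clauses quoted in the thread, reporting non-oauth_ parameters carried in the Authorization header and requests whose authentication parameters are split between header and query. The function names, the sample header values and the `xoauth_example` parameter are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# One name="value" pair of the OAuth 1.0 header; names and values are percent-encoded.
_PAIR = re.compile(r'\s*([^=\s,"]+)="([^"]*)"\s*')

def parse_oauth_header(value):
    """Parse the value of an 'Authorization: OAuth ...' header into (name, value) pairs."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "oauth":
        raise ValueError("not the OAuth authorization scheme")
    pairs, pos = [], 0
    while pos < len(rest):
        m = _PAIR.match(rest, pos)
        if m is None or (m.end() < len(rest) and rest[m.end()] != ","):
            raise ValueError("malformed header near offset %d" % pos)
        pairs.append((unquote(m.group(1)), unquote(m.group(2))))
        pos = m.end() + 1  # step over the separating comma
    return pairs

def audit_request(auth_header, url):
    """Classify where a request carries protocol and non-protocol parameters."""
    header = parse_oauth_header(auth_header)
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    is_protocol = lambda name: name.startswith("oauth_")  # the spec's definition
    report = {
        "header_protocol": [n for n, _ in header if is_protocol(n)],
        # realm belongs to the header scheme itself, so it is not counted here
        "header_other": [n for n, _ in header if not is_protocol(n) and n != "realm"],
        "query_protocol": [n for n, _ in query if is_protocol(n)],
        "query_extension": [n for n, _ in query if n.startswith("xoauth_")],
    }
    # True when authentication parameters are spread over header and query
    report["split_transport"] = bool(report["header_protocol"]) and bool(
        report["query_protocol"] or report["query_extension"])
    return report

# Constructed samples; xoauth_example is a hypothetical extension parameter.
IN_HEADER = ('OAuth realm="https://sp.example/", oauth_consumer_key="ck", '
             'oauth_token="tk", xoauth_example="a%20b"')
IN_QUERY = 'OAuth realm="https://sp.example/", oauth_consumer_key="ck", oauth_token="tk"'

if __name__ == "__main__":
    print(audit_request(IN_HEADER, "https://sp.example/photos?size=large"))
    print(audit_request(IN_QUERY, "https://sp.example/photos?size=large&xoauth_example=a%20b"))
```

A non-empty `header_other` is the case the quoted SHOULD NOT clause discourages; `split_transport` marks the mixed header-and-query request the thread calls funky looking.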
