Another +1 for "dynamic introduction". Putting the required details (eg user authz URI) in a 401 HTTP WWW-Authenticate header feels like a better approach to me than XRD in this instance.
At the moment in the OAuth 2 draft (and in WRAP) identical 401 responses can mean: 1. Send the user to an authz server to authorize you. 2. Make a request to another server to swap your long term credentials for temporary ones. 3. Refresh your credentials at another server. 4. Authentication failed, go away. This does not feel like a web-style approach. -- James Manger ---------- From: [email protected] [mailto:[email protected]] On Behalf Of John Panzer Sent: Monday, 22 March 2010 6:54 AM To: Eve Maler Cc: OAuth WG Subject: Re: [OAUTH-WG] First draft of OAuth 2.0 +1 to ensuring that dynamic introduction is possible. I see a lot of discussions that end up saying that this or that can be spec'd in the server docs and the client hard coded to the docs; this is fine for some features but not for very general ones that everybody needs to use. _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
