Since we have consensus that using signed requests is a more advance use case and will be used by more experienced developer, I would like to suggest we limit sending signed request parameters to the Authorization header (no URI query parameters or form-encoded body).
This will not change the ability to send the oauth_token parameter in the query or body when using bearer tokens (as well as in the header). It will only apply to sending signed requests. The makes client request parameter much simpler as the only parameter "invading" the URI or body space of the request is oauth_token. Anything else is limited to the header. Thoughts? If you are not a fan, please reply with a use case. EHL _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
