What about a use case where the signature will be generated by one component but the request will be redeemed by another?
For example, suppose there is a cross-domain JSONP call that requires authorization; in this case, I might have my client side code hit *my* origin server, obtain a signed URL, and then redeem it by hitting the JSONP resource. This has scaling advantages over having my origin proxy an OAuth request, and doesn't require me to have keys located on the client; I can keep them safely in my data centers. In this case, sending a "ready to redeem" signed request using the query parameter mechanism simplifies the client-side code. Furthermore, in this use case (cross-domain script inclusion), the client doesn't have the means to set the Authorization header (it can only include a <script> element with a URL). A similar use case would be if you wanted to provide signed redirects (similarly useful for cross-domain functionality); browsers aren't going to modify the redirect URL they get back, or add an Authorization header to it. Jon ........ Jon Moore Comcast Interactive Media -----Original Message----- From: [email protected] on behalf of Eran Hammer-Lahav Sent: Wed 3/31/2010 12:20 AM To: OAuth WG Subject: [OAUTH-WG] Limiting signed requests to use the Authorizationrequest header Since we have consensus that using signed requests is a more advance use case and will be used by more experienced developer, I would like to suggest we limit sending signed request parameters to the Authorization header (no URI query parameters or form-encoded body). This will not change the ability to send the oauth_token parameter in the query or body when using bearer tokens (as well as in the header). It will only apply to sending signed requests. The makes client request parameter much simpler as the only parameter "invading" the URI or body space of the request is oauth_token. Anything else is limited to the header. Thoughts? If you are not a fan, please reply with a use case. EHL _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
