As far as I know, OAuth 1.0a did not support bearer tokens.
Sure it did. Not cleanly (the RFC version fixed that) but since there is no
requirement to have a token secret, the PLAINTEXT method could easily be
used as a bearer token.

And what about the consumer secret? Isn't that required?


I think your concerns about exposing tokens included in the URI query are
justified, but it is far less complicated than you portray it. Initially,
OAuth calls made by the browser are more likely to happen through JS code
requesting JSON data than the browser opening a web page using OAuth as
access control.

If OAuth ever gets to the point where it replaces Basic auth in the browser,
or used instead of other cookie-based authentication systems, it will gain
native browser support which will use the header exclusively. Until then, JS
code cannot make OAuth requests without other ways to send the token.

As far as I know, JavaScript code can set headers, incl. Authorization headers, using the setRequestHeader operation of the XMLHttpRequest object (https://developer.mozilla.org/en/XMLHttpRequest#setRequestHeader%28%29). Browser support would be much better (and would make it easier) but is not required.

Facebook and Yahoo! (as an example) have about 400-500 million users today.
They want to deploy OAuth 2.0 within a few months. Clearly expecting these
users to upgrade their browser to a version not likely to be available for a
year isn't practical.

Impressive numbers! I'm eager to learn the usage scenario which directly
involves the browser and requires query parameters. Here at Deutsche
Telekom we operate a token service based on a combination of OAuth 1.0a
and proprietary mechanisms with characteristics similar to OAuth 2. We
use this service to secure internet products for the German customers
(>40 million). Service requests use Authorization headers only (e.g.
for security reasons). I would like to learn whether we missed something.
How about a Twitter client written completely in JS running in the browser?
Widgets loading OAuth-protected data in a social network page? There are
plenty of such examples.

See above, JavaScript code can set Authorization headers.

Nevertheless, from my point of view, examples discussed in thread "Limiting signed requests to use the Authorization request header" justify both bearer tokens as well as signed tokens as URI Query Parameters.

I still don't see justification for Form-Encoded Body Parameters.

regards,
Torsten.

EHL
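Two points in the exchange above lend themselves to a worked example: EHL's claim that OAuth 1.0a PLAINTEXT with an empty token secret already behaves like a bearer token (and Torsten's follow-up that the consumer secret is still required), and the question of where a bearer token travels (Authorization header, URI query parameter, or form-encoded body). The following is an added example, not code from the thread or from either participant. It runs under Node.js and uses constructed, illustrative credential values; the function names (pctEncode, oauth1PlaintextSignature, oauth1AuthorizationHeader, buildBearerRequest, extractBearerToken) and the "reject a token presented by more than one transport" policy are assumptions for this example, not something the thread prescribes.

```javascript
// Added example, not from the mailing-list thread. Sample keys, secrets
// and tokens below are constructed for illustration only.

// Part 1: OAuth 1.0a PLAINTEXT.
// The PLAINTEXT "signature" is   percent(consumer_secret) "&" percent(token_secret)
// With no token secret the request carries the consumer secret verbatim,
// i.e. it is a bearer credential: whoever captures the header can replay it.
function pctEncode(s) {
  // RFC 5849 style percent-encoding (encodeURIComponent plus the reserved
  // characters it leaves alone).
  return encodeURIComponent(s).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

function oauth1PlaintextSignature(consumerSecret, tokenSecret) {
  return pctEncode(consumerSecret) + '&' + pctEncode(tokenSecret || '');
}

function oauth1AuthorizationHeader(params) {
  // "Authorization: OAuth ..." header; parameters sorted for readability.
  const parts = Object.keys(params).sort()
    .map(k => pctEncode(k) + '="' + pctEncode(params[k]) + '"');
  return 'OAuth ' + parts.join(', ');
}

// Part 2: OAuth 2.0 bearer token transports.
// Client side: JS can put the token in the Authorization header just as
// easily as in the query string or a form body; the object returned here
// maps directly onto XMLHttpRequest.open/setRequestHeader/send.
function buildBearerRequest(method, url, token, transport, body) {
  const req = { method: method, url: url, headers: {}, body: body || null };
  switch (transport) {
    case 'header':
      req.headers['Authorization'] = 'Bearer ' + token;
      break;
    case 'query': {
      const u = new URL(url);
      u.searchParams.set('access_token', token);
      req.url = u.toString();
      break;
    }
    case 'body': {
      const form = new URLSearchParams(body || '');
      form.set('access_token', token);
      req.headers['Content-Type'] = 'application/x-www-form-urlencoded';
      req.body = form.toString();
      break;
    }
    default:
      throw new Error('unknown transport: ' + transport);
  }
  return req;
}

// Server side: find the token and insist on exactly one transport per
// request. A token in the URI also lands in server logs and Referer
// headers, which is the exposure concern raised in the thread.
function extractBearerToken(req) {
  const found = [];
  const auth = req.headers['Authorization'];
  if (auth) {
    const m = /^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/.exec(auth);
    if (!m) return { error: 'invalid_request', reason: 'malformed Authorization header' };
    found.push({ transport: 'header', token: m[1] });
  }
  const u = new URL(req.url);
  if (u.searchParams.has('access_token')) {
    found.push({ transport: 'query', token: u.searchParams.get('access_token') });
  }
  const ct = req.headers['Content-Type'] || '';
  if (ct.indexOf('application/x-www-form-urlencoded') === 0 && req.body) {
    const form = new URLSearchParams(req.body);
    if (form.has('access_token')) {
      found.push({ transport: 'body', token: form.get('access_token') });
    }
  }
  if (found.length === 0) return { error: 'missing_token' };
  if (found.length > 1) return { error: 'invalid_request', reason: 'token sent via more than one transport' };
  return found[0];
}

// Demo with constructed values.
const sig = oauth1PlaintextSignature('kd94hf93k423kf44', '');
console.log(oauth1AuthorizationHeader({
  oauth_consumer_key: 'dpf43f3p2l4k3l03',
  oauth_signature_method: 'PLAINTEXT',
  oauth_signature: sig
}));
const r = buildBearerRequest('GET', 'https://api.example/resource', 'vF9dft4qmT', 'header');
console.log(extractBearerToken(r));
```

The PLAINTEXT part answers both sides of the exchange: the consumer secret is still required, but since it is sent as-is on every request it is a shared bearer credential rather than a signing key. The extractor is deliberately strict about double presentation; a looser server that silently prefers one transport over another invites confusion attacks where a proxy or cache sees a different token than the application does.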



_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
