How would use differentiate between the username and password profile and the client credentials profile, if you are using Basic or Digest?
EHL On 4/17/10 1:10 AM, "Torsten Lodderstedt" <[email protected]> wrote: I support the idea to use standard HTTP auth mechanisms for authentication on the authorization server endpoint. From a design standpoint this is just an API - which we cannot to protect via OAuth tokens because it issues these tokens. But we can use HTTP standard authorization mechanisms (and headers) as BASIC or DIGEST to authenticate the callers. This gives implementations the option to use other mechanisms (like SPNEGO or CERT). And as James pointed out, there might (will in our case) other requests on this endpoint used to provide additional services via other HTTP methods, e.g. DELETE. Moreover, standard authn modules (as in HTTPClient) can directly be used to implement access to OAuth authorization servers. I would recommend to separate functional API parameters, like callback url, and authorization data. regards, Torsten. Am 17.04.2010 06:52, schrieb Manger, James H: Re: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints > This has nothing to do with it. There is no PUT and DELETE or POST with > non-form body when *requesting a token*. It is relevant. I don't want to authenticate direct client requests *only* when they *request a token*. Clients might make any variety of direct requests unrelated to OAuth. There might even be other OAuth-related requests from clients to an authorization server in future (eg get meta data, or delete a token; even refreshing a token might be better as a GET). I want to be able to use the same client auth mechanism, and same client credentials, for all these calls. Some of these calls might be PUTs, DELETEs, non-form POSTs, GETs etc. even if requesting (& refreshing) a token is always a form POST. Hence client_secret as a POST parameter when requesting a token is a poor design. It should be perfectly valid (and not uncommon I expect) for a service to support OAuth for user delegation, but not use OAuth for making all direct client calls token-based - these address quite different issues. Other services might use short-term refreshable tokens when clients (on their own behalf) access less trusted "content" service, but will use "normal" auth when clients talk to the trusted account/authorization system.
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
