On 11.05.2010 01:43, Yaron Goland wrote:
---
2. Client Authentication (in flows)
How should the client authenticate when making token requests? The
current draft defines special request parameters for sending client
credentials. Some have argued that this is not the correct way, and that the
client should be using existing HTTP authentication schemes to accomplish
that such as Basic.
A. Client authenticates by sending its credentials using special parameters
(current draft)
B. Client authenticates by using HTTP Basic (or other schemes
supported by the server such as Digest)
[Yaron Goland] A is needed at a minimum because there are physical limitations
to how many bytes can go into an authorization header.
As far as I know, 4KB is the minimum size for headers that must be
supported by user agents, which should suffice from my point of view.
Moreover, other HTTP authentication mechanisms need much more than 4KB.
For example, SPNEGO authentication headers can be up to 12392 bytes.
regards,
Torsten.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth