>> What happens if a 1.0 client receives a WWW-Authenticate header
>> from a 2.0 protected resource with the 'OAuth' mechanism specified?
>> Might it then attempt OAuth 1 with a 2.0 token service (and thus
>> just fail without being able to know what went wrong)?

> There is no such thing. Since there is no discovery for 1.0,
> all calls are hardcoded into the client today.
> There is no 'trying things out'.

There was "discovery" in OAuth 1: it was inadequate, but it was present in the 
spec.
RFC 5849 "OAuth 1.0", section 3.5.1 "Authorization header" 
<http://tools.ietf.org/html/rfc5849#section-3.5.1> defines "WWW-Authenticate: 
OAuth realm=..." as indicating a server supports OAuth 1.0.

   Servers MAY indicate their support for the "OAuth" auth-scheme by
   returning the HTTP "WWW-Authenticate" response header field upon
   client requests for protected resources.  As per [RFC2617], such a
   response MAY include additional HTTP "WWW-Authenticate" header
   fields:

   For example:

     WWW-Authenticate: OAuth realm="http://server.example.com/";

Perhaps it wasn't used much, but reusing the "OAuth" scheme to indicate support 
for OAuth2 is incompatible. It adds human confusion, regardless of any 
technical ability to distinguish OAuth 1 & 2.

-- 
James Manger
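As an added illustration (not part of this thread or of the RFC), the following parser reads a single WWW-Authenticate challenge in the RFC 2617 form quoted above and shows why the scheme name alone cannot tell a client whether it is looking at RFC 5849's `OAuth realm=...` or a server that reuses "OAuth" for OAuth 2; the function names and the OAuth-2-style sample challenge are assumptions made for this example.

```python
import re

# One auth-param: token "=" (quoted-string | token), optionally followed by a comma.
_PARAM_RE = re.compile(
    r'\s*([A-Za-z0-9_\-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))\s*,?'
)


def parse_challenge(header_value):
    """Split one WWW-Authenticate challenge into (auth-scheme, {param: value}).

    Parsing stops at the first piece of text that is not a well-formed
    auth-param, so a malformed tail cannot smuggle in extra parameters.
    """
    scheme, _, rest = header_value.strip().partition(" ")
    params = {}
    pos = 0
    for m in _PARAM_RE.finditer(rest):
        if m.start() != pos:
            break
        pos = m.end()
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        params[name] = value
    return scheme, params


def classify_oauth_challenge(header_value):
    """Hypothetical client-side check on an 'OAuth' challenge.

    RFC 5849 section 3.5.1 defines only "realm" for this scheme. A challenge
    with extra parameters is therefore not the 1.0 form; but a realm-only
    challenge is still ambiguous, because an OAuth 2 server reusing the
    scheme could send exactly the same bytes. The client must rely on its
    configured endpoints, not on the challenge, before signing with 1.0.
    """
    scheme, params = parse_challenge(header_value)
    if scheme.lower() != "oauth":
        return "not-oauth"
    if set(params) <= {"realm"}:
        return "oauth-realm-only"      # RFC 5849 form, but not proof of 1.0
    return "oauth-extra-params"        # not RFC 5849 3.5.1; do not attempt 1.0


# Constructed samples: the RFC 5849 example, and an invented OAuth-2-style
# challenge that reuses the scheme name.
RFC5849_EXAMPLE = 'OAuth realm="http://server.example.com/"'
OAUTH2_STYLE_EXAMPLE = 'OAuth realm="api", error="invalid_token"'
```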