If the challenge uses the OAuth2 scheme, and the client tries OAuth2-Bearer to authenticate and fails, which scheme should the server use in its reply to include an error message? OAuth2, OAuth2-Bearer, both?
EHL

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Manger, James H
> Sent: Thursday, October 14, 2010 10:10 PM
> To: [email protected]
> Subject: Re: [OAUTH-WG] Call for Consensus on Document Split
>
> Eran,
>
> > How would you suggest we define a general purpose www-authenticate
> > header that does not have a matching request header?
>
> Why would that be a problem?
> We define what a "WWW-Authenticate: OAuth2 ..." response header
> means, but don't define any meaning for an "Authorization: OAuth2 ..."
> request header.
> No other scheme should define a meaning for "Authorization: OAuth2 ...".
> Consequently, the bearer token spec needs to choose a different scheme
> name (e.g. "BEARER" or "TOKEN" or "EXTERNAL") so it can define request &
> response headers.
>
> There is even some precedent for this. draft-broyer-http-cookie-auth
> defines "WWW-Authenticate: COOKIE ...", without any matching request
> header.
> I think there have also been ideas to define something like
> "WWW-Authenticate: TLS ..." to indicate when authentication at a lower
> layer (TLS, IPsec) is required. Again there was no matching
> "Authorization: TLS ..." header.
>
> --
> James Manger
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
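The asymmetry James describes (a "WWW-Authenticate: OAuth2 ..." challenge that is answered with an Authorization header under a different scheme name) as an added, self-contained Python example; it is not code from this thread or from any OAuth draft. It parses and serialises WWW-Authenticate challenges (several per field, quoted-string values), then simulates the two round trips between a client and a resource server. The scheme names OAuth2 (challenge) and OAuth2-Bearer (request) follow the naming used in the message above; the realm value, the token store and the error parameter values invalid_request and invalid_token are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

Challenge = Tuple[str, Dict[str, str]]

# RFC 2617 "token" characters; a challenge is: scheme 1*SP #auth-param
_TOKEN = re.compile(r"[A-Za-z0-9!#$%&'*+\-.^_`|~]+")


def parse_www_authenticate(value: str) -> List[Challenge]:
    """Split one WWW-Authenticate field into (scheme, params) challenges.

    Several challenges may share a field, separated by commas just like the
    parameters inside each challenge, so a bare token (no '=' after it) is
    taken as the start of the next challenge.  token68 credentials are not
    handled; the schemes discussed here use auth-params only.
    """
    challenges: List[Challenge] = []
    n, pos = len(value), 0
    while pos < n:
        while pos < n and value[pos] in " \t,":
            pos += 1
        if pos >= n:
            break
        m = _TOKEN.match(value, pos)
        if not m:
            raise ValueError(f"expected auth-scheme at offset {pos}")
        scheme, pos = m.group(0), m.end()
        params: Dict[str, str] = {}
        while True:
            start = pos
            while pos < n and value[pos] in " \t,":
                pos += 1
            m = _TOKEN.match(value, pos)
            if not m:
                pos = start
                break
            j = m.end()
            while j < n and value[j] in " \t":
                j += 1
            if j >= n or value[j] != "=":
                pos = start  # bare token: next challenge begins here
                break
            name = m.group(0).lower()
            j += 1
            while j < n and value[j] in " \t":
                j += 1
            if j < n and value[j] == '"':  # quoted-string with \ escapes
                buf, k = [], j + 1
                while k < n and value[k] != '"':
                    if value[k] == "\\" and k + 1 < n:
                        k += 1
                    buf.append(value[k])
                    k += 1
                if k >= n:
                    raise ValueError("unterminated quoted-string")
                params[name], pos = "".join(buf), k + 1
            else:
                m2 = _TOKEN.match(value, j)
                if not m2:
                    raise ValueError(f"bad auth-param value at offset {j}")
                params[name], pos = m2.group(0), m2.end()
        challenges.append((scheme, params))
    return challenges


def _quote(v: str) -> str:
    return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_challenge(scheme: str, params: Dict[str, str]) -> str:
    """Serialise one challenge; every value is sent as a quoted-string."""
    if not params:
        return scheme
    return scheme + " " + ", ".join(f"{k}={_quote(v)}" for k, v in params.items())


_REALM = "example"                 # assumption
_TOKENS = {"abc123": "alice"}      # constructed sample token store


def handle_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Resource server: challenge with the OAuth2 scheme, accept credentials
    only under the OAuth2-Bearer request scheme.  Error values are assumed."""
    auth = headers.get("Authorization")
    if auth is None:
        return 401, {"WWW-Authenticate": build_challenge("OAuth2", {"realm": _REALM})}
    scheme, _, creds = auth.partition(" ")
    if scheme.lower() != "oauth2-bearer":
        return 401, {"WWW-Authenticate": build_challenge(
            "OAuth2", {"realm": _REALM, "error": "invalid_request"})}
    user = _TOKENS.get(creds.strip())
    if user is None:
        return 401, {"WWW-Authenticate": build_challenge(
            "OAuth2", {"realm": _REALM, "error": "invalid_token"})}
    return 200, {"X-Authenticated-User": user}


# Client: the challenge scheme is looked up, and a *different* request scheme
# is produced.  This table is the asymmetry discussed in the thread.
_RESPONDS_WITH = {"oauth2": "OAuth2-Bearer"}


def choose_authorization(www_authenticate: str, token: str) -> Optional[str]:
    for scheme, _params in parse_www_authenticate(www_authenticate):
        req_scheme = _RESPONDS_WITH.get(scheme.lower())
        if req_scheme:
            return f"{req_scheme} {token}"
    return None


def run_exchange(token: str) -> Tuple[int, Optional[str]]:
    """Unauthenticated request, then retry with the chosen credentials.
    Returns the final status and the error parameter of the last challenge."""
    status, hdrs = handle_request({})
    auth = choose_authorization(hdrs["WWW-Authenticate"], token)
    status, hdrs = handle_request({"Authorization": auth} if auth else {})
    error = None
    if "WWW-Authenticate" in hdrs:
        error = parse_www_authenticate(hdrs["WWW-Authenticate"])[0][1].get("error")
    return status, error
```

The parser's one non-obvious rule is the lookahead for "=": after a parameter, a comma may introduce either the next parameter or the next challenge, and only the presence of "=" after the following token tells them apart. The client table makes the thread's point concrete: nothing in the client ever emits "Authorization: OAuth2 ...", so the challenge scheme can exist without a request-header meaning.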
