On Sun, Dec 5, 2010 at 10:39 PM, Eran Hammer-Lahav <[email protected]> wrote:
> The argument was, since these are basic credentials, they should be used in 
> the native HTTP method using the header. But since that is not as simple as a 
> pair of parameters, we ended up with both. The easy way and the right way.

Not sure why native HTTP is the right way. Just because they are basic
credentials? So is the username+password in the profile with the same
name.


> From implementing it, my experience has been that it can be hard to deal with 
> Basic in the context of another authentication class. Since OAuth and Basic 
> are usually two classes provided by the same authentication layer, having one 
> use the other can lead to tricky architecture. This is trivial to implement in a 
> clean environment, but a bit messy when adding to an existing framework.

The other complication comes from the fact that the server has to send
an error response differently, based on how the credentials were sent.

I really don't see the point for all this complication.

I asked a few of the early OAuth 2 implementors; most don't implement
the HTTP method at all, one implements it but only for the sake of the
spec.

If most implementors do not find this feature useful then I think it
should be removed from core. Just to keep things simple. It can always
be added as an extension.

Marius
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
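
The point raised in the thread about error responses depending on how the client credentials were sent, as an added example (not code from this thread or from any OAuth implementation): a token endpoint's client-authentication step that accepts both the Basic header and the parameter pair. Function names, the client registry and the realm value are hypothetical; the status codes follow the rule as later published in RFC 6749, section 5.2.

```python
import base64
import hmac
import json

# Constructed client registry for this example (not real credentials).
CLIENTS = {"example-client": "example-secret"}


def extract_credentials(headers, form):
    """Return (client_id, secret, via); via is 'header', 'params' or None.

    Assumes header names were already normalized by the framework."""
    auth = headers.get("Authorization", "")
    in_header = auth.lower().startswith("basic ")
    in_params = "client_id" in form and "client_secret" in form
    if in_header and in_params:
        # Two sets of credentials in one request: refuse rather than pick one.
        raise ValueError("more than one client authentication method")
    if in_header:
        try:
            raw = base64.b64decode(auth[6:].strip(), validate=True).decode("utf-8")
        except ValueError:  # bad base64 or bad UTF-8
            return None, None, "header"
        client_id, sep, secret = raw.partition(":")
        return (client_id, secret, "header") if sep else (None, None, "header")
    if in_params:
        return form["client_id"], form["client_secret"], "params"
    return None, None, None


def authenticate_client(headers, form):
    """Return (status, response_headers, json_body) for the authentication step."""
    try:
        client_id, secret, via = extract_credentials(headers, form)
    except ValueError as exc:
        err = {"error": "invalid_request", "error_description": str(exc)}
        return 400, {}, json.dumps(err)
    expected = CLIENTS.get(client_id or "")
    if expected is not None and secret is not None and hmac.compare_digest(
            expected.encode(), secret.encode()):  # constant-time comparison
        return 200, {}, json.dumps({"client_id": client_id})
    body = json.dumps({"error": "invalid_client"})
    if via == "header":
        # Credentials came in the Authorization header: 401 plus a challenge.
        return 401, {"WWW-Authenticate": 'Basic realm="token"'}, body
    # Credentials came as parameters (or were missing): plain 400 JSON error.
    return 400, {}, body
```
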