> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Manger, James H
> Sent: Monday, January 10, 2011 9:45 PM
> To: OAuth WG
> Subject: Re: [OAUTH-WG] OAuth MAC token type draft
>
> >> - Authentication schemes
> >> You propose to use the authentication scheme name "OAuth2" for the
> >> WWW-Authenticate header but another scheme name "MAC" for the
> >> authorization header. I've never seen such an asymmetric approach
> >> before.
> >> Don't you think people get confused about that?
>
> > This was proposed by James Manger and discussed earlier on the list.
> > I'll let James explain it.
>
> The MAC draft doesn't bother to define a "WWW-Authenticate: MAC ..."
> response header because Eran is only interested in using MAC in conjunction
> with OAuth2.
> The server can say (in response to an unauthenticated request): "you can
> use OAuth flows to be delegated access to this server". It says this with a
> "WWW-Authenticate: OAuth2" response. This statement is not specific to
> MAC.
>
> I think the MAC scheme should define its own "WWW-Authenticate: MAC
> ..." response header. It might not be used by systems using OAuth2, but it
> makes MAC a more complete standalone HTTP authentication mechanism.

I will consider adding it, but need to find a way that doesn't bring up the 'how to get a token' part if you are not using OAuth.

EHL

> >> Moreover, the bearer draft
> >> also uses the name "OAuth2" in the authorization header. Why this
> >> difference? Why don't you just add some parameters to the "OAuth2"
> >> scheme?
>
> The bearer draft should change to use its own scheme name (eg "BEARER")
> in Authorization request headers.
>
> --
> James Manger
>
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
