> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Hannes Tschofenig
> Sent: Thursday, February 03, 2011 12:16 AM
> To: [email protected]
> Subject: [OAUTH-WG] Hum about 'Removal: HTTP Basic Authentication for
> Client Credentials'
>
> Hi all,
>
> Eran suggested to remove the HTTP Basic Authentication functionality
> from the specification in his mail from last month:
> http://www.ietf.org/mail-archive/web/oauth/current/msg05028.html
>
> Essentially, there are two ways to accomplish the same functionality,
> namely (1) Request parameters and (2) HTTP Basic authentication.
>
> Eran's initial discussion trigger very quickly evolved into a discussion
> about the removal of 'credential body parameters':
> http://www.ietf.org/mail-archive/web/oauth/current/msg05035.html
> This was, however, not supported by Justin, Eran, and Marius.
>
> The main question for me is: "What is mandatory to implement?"

Nothing. The authorization server can support whatever client authentication methods it deems appropriate. *IF* client password credentials are supported, then the spec offers one way to provide them using parameters. The reason why this is not that important is that there is no real interop as it currently stands because the process of obtaining these client credentials is out of scope.

EHL

> Regarding this question I went through the discussions on the mailing
> list and I got the following impression:
> "+" means in favor of removing HTTP Basic Authentication and
> "-" means against it.
> "~" indicates that the person is OK with removing it under certain
> conditions.
>
> +Eran
> +Justin
> ~Tony (OK with having it optional but does not want to remove it from
> draft-ietf-oauth-v2)
> ~Igor (OK with having it optional but does not want to remove it from
> draft-ietf-oauth-v2)
> +Marius
>
> Please correct me if I have forgotten someone.
>
> My reading of the feedback from the response on the list is that we have
> a decision to make HTTP Basic authentication optional to implement (and
> therefore the request parameters mandatory to implement).
>
> A secondary question is: "Should the **optional** HTTP Basic
> Authentication functionality be included in the draft-ietf-oauth-v2
> specification?"
>
> Here are my two questions:
>
> 1) Do you insist on having the HTTP Basic authentication documented in
> draft-ietf-oauth-v2?
>
> PLEASE NOTE: Having functionality in a separate document does not mean
> that it will take longer to complete nor that it is less important. It
> is purely a document management question!
>
> 2) If your answer to question (1) is "NO" then:
> Would you be willing to co-author a document on this functionality?
>
> Since the response so far does not give me a rough consensus I would
> like to get your feedback.
>
> Deadline for response: Feb, 10th 2011
>
> Ciao
> Hannes
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
