Yes, there are many development setups where all you can reasonably access is the URL to get. It's also much simpler to make use of the well-supported syntax helpers for query parameters instead of relying on new, custom formatting for newly-defined headers. The bearer token makes this simple by just having the value of the token, but other schemes have their own name/value pair formats and encodings that will inevitably cause hiccups.
-- Justin ________________________________________ From: Lukas Rosenstock [[email protected]] Sent: Thursday, March 10, 2011 11:49 AM To: William J. Mills Cc: Brian Eaton; Richer, Justin P.; OAuth WG Subject: Re: [OAUTH-WG] OAuth Bearer Token draft JSON-P (callback) works with <script> tags where no parameters can be set; this is used a lot in web applications that want to consume 3rd party APIs directly on the client side. So, yes, an alternative for the Authorization header is required - a.f.a.i.k this use case was one of the driving forces behind WRAP and bearer tokens. 2011/3/9 William J. Mills <[email protected]<mailto:[email protected]>> Is there really a need going forward for anything beyond using the Authorization header? Do we have clients out there that just can't set that header? Putting bearer tokens in query arguments is a very bad idea for many reasons, and in form variables has it's own set of badness (although not to the same level). -bill _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
