>Accessing protected resources is outside the scope of v2 but both Bearer and 
>MAC clearly allow any HTTP method.

Thanks for pointing out that Bearer describes the entire request.  From the 
titles I had assumed that they just specified the format of the token.

On quickly reading http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-04, 
and then looking at all occurrences of the word "method" in the document, it 
doesn't seem to say what HTTP methods are permitted, beyond saying that GET 
can't be used when posting the token via form-encoded HTTP body.  Perhaps it's 
in there somewhere and I was reading too fast.  

Furthermore, section 7 of http://tools.ietf.org/html/draft-ietf-oauth-v2-15 
does not say "beyond the scope" or "outside the scope" anywhere.  I took that 
section as a brief but meant-to-be-complete description of how to access 
protected resources, deferring to Bearer only for the purpose of describing the 
format of the access token itself.  Of course, I now know that that isn't what 
you meant.

In any case, I'm sure you're right about the intent of the two specifications, 
so I'm more comfortable with our present code than I was before.  Thanks for 
the clarification.

-----Original Message-----
From: Eran Hammer-Lahav [mailto:[email protected]] 
Sent: Monday, April 18, 2011 4:30 PM
To: Freeman, Tim; [email protected]
Subject: RE: Can you use POST to access protected resources?

I'm a bit surprised by this question...

Accessing protected resources is outside the scope of v2 but both Bearer and 
MAC clearly allow any HTTP method.

EHL



> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Freeman, Tim
> Sent: Monday, April 18, 2011 4:26 PM
> To: [email protected]
> Subject: [OAUTH-WG] Can you use POST to access protected resources?
> 
> Section 7 of http://tools.ietf.org/html/draft-ietf-oauth-v2-15 gives examples
> of how to access protected resources.  All of the examples use GET.
> 
> Our protected resources are identified by a query, which might be a few
> kilobytes.  I'm concerned that this may not fit inside the length limitation
> on GETs for some web servers.  Our present implementation does a POST
> instead.
> 
> Definition-by-example is easy to understand, but it is not good at
> unambiguously specifying the boundary of permitted behavior.  Was the
> spec meant to allow using HTTP operations other than GET to access
> protected resources?
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
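A constructed example, added after the thread and not code from the OAuth WG, the drafts, or the implementation Tim describes, showing the two request shapes the thread contrasts: the few-kilobyte query carried in a GET request line versus in a POST body, with the bearer token in the Authorization header either way (which is what makes the method irrelevant to the token), plus the one restriction the Bearer draft does state, that the form-encoded body placement of the token cannot be combined with GET. Assumptions: the body parameter name `access_token` is taken from RFC 6750, the published form of the Bearer draft; the 8190-byte request-line budget stands in for a typical server limit (Apache's default LimitRequestLine); the host `rs.example` and the query are made up.

```python
"""Build a protected-resource request carrying an OAuth 2.0 bearer token.

Constructed example for the thread above, not code from the OAuth WG or
from the implementation discussed.  The header form follows the Bearer
draft / RFC 6750 ("Authorization: Bearer <token>").  The body parameter
name `access_token` is the RFC 6750 name (an assumption relative to the
-04 draft).  MAX_REQUEST_LINE is an assumed server limit matching
Apache's default LimitRequestLine of 8190 bytes.
"""
from urllib.parse import urlencode

# Assumed limit on the request line ("GET /path?query HTTP/1.1").
MAX_REQUEST_LINE = 8190


def build_bearer_request(method, url, token, params, token_in="header"):
    """Return a dict describing the request to the protected resource.

    `params` is the application query (the multi-kilobyte query from the
    thread); `token_in` selects where the bearer token is transmitted:
    "header" (Authorization header, any method) or "body" (form-encoded
    body parameter, which the spec forbids with GET).
    Raises ValueError when the request cannot be built legally or would
    overflow the assumed request-line limit.
    """
    method = method.upper()
    headers = {}
    body = None

    if token_in == "header":
        # The token rides in the header and never touches URL or body,
        # so the application query can go wherever the method puts it.
        headers["Authorization"] = "Bearer " + token
        if method == "GET":
            url = url + "?" + urlencode(params)
        else:
            headers["Content-Type"] = "application/x-www-form-urlencoded"
            body = urlencode(params)
    elif token_in == "body":
        # Form-encoded body placement is only defined for methods whose
        # request body has semantics; the draft says GET MUST NOT be used.
        if method == "GET":
            raise ValueError(
                "bearer token in form-encoded body is not allowed with GET")
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        body = urlencode(dict(params, access_token=token))
    else:
        raise ValueError("unknown token placement: " + token_in)

    # The concern from the thread: a long query in the URL may exceed the
    # server's request-line limit; with POST it moves into the body.
    request_line = "%s %s HTTP/1.1" % (method, url)
    if len(request_line) > MAX_REQUEST_LINE:
        raise ValueError(
            "request line of %d bytes exceeds the assumed server limit; "
            "send the query in a POST body instead" % len(request_line))

    return {"method": method, "url": url, "headers": headers, "body": body}


if __name__ == "__main__":
    # Constructed stand-in for a "few kilobytes" query.
    big_query = {"q": "x" * 4096}
    resource = "https://rs.example/search"
    post = build_bearer_request("POST", resource, "vF9dft4qmT", big_query)
    print(post["method"], post["url"], post["headers"])
    print("body bytes:", len(post["body"]))
    try:
        build_bearer_request("GET", resource, "vF9dft4qmT", {"q": "x" * 9000})
    except ValueError as err:
        print("GET rejected:", err)
```

Running the block as a script prints the POST form of the request (token in the header, the 4 KiB query in the body) and then shows a 9 KB query being refused on GET because it would overflow the assumed request-line limit. The check is deliberately on the client side: a server that enforces a shorter limit will simply reject the request, and nothing in the Bearer spec helps with that, which is why moving the query into a POST body is the natural fix.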