I'll make this more explicit in -16. Thanks.

EHL

> -----Original Message-----
> From: Freeman, Tim [mailto:[email protected]]
> Sent: Monday, April 18, 2011 4:51 PM
> To: Eran Hammer-Lahav; [email protected]
> Subject: RE: Can you use POST to access protected resources?
>
> > Accessing protected resources is outside the scope of v2 but both Bearer
> > and MAC clearly allow any HTTP method.
>
> Thanks for pointing out that Bearer describes the entire request. From the
> titles I had assumed that they just specified the format of the token.
>
> On quickly reading http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-04,
> and then looking at all occurrences of the word "method" in the document, it
> doesn't seem to say what HTTP methods are permitted, beyond saying that
> GET can't be used when posting the token via form-encoded HTTP body.
> Perhaps it's in there somewhere and I was reading too fast.
>
> Furthermore, section 7 of http://tools.ietf.org/html/draft-ietf-oauth-v2-15
> does not say "beyond the scope" or "outside the scope" anywhere. I took
> that section as a brief but meant-to-be-complete description of how to
> access protected resources, deferring to Bearer only for the purpose of
> describing the format of the access token itself. Of course, I now know that
> that isn't what you meant.
>
> In any case, I'm sure you're right about the intent of the two specifications,
> so I'm more comfortable with our present code than I was before. Thanks
> for the clarification.
>
> -----Original Message-----
> From: Eran Hammer-Lahav [mailto:[email protected]]
> Sent: Monday, April 18, 2011 4:30 PM
> To: Freeman, Tim; [email protected]
> Subject: RE: Can you use POST to access protected resources?
>
> I'm a bit surprised by this question...
>
> Accessing protected resources is outside the scope of v2 but both Bearer and
> MAC clearly allow any HTTP method.
>
> EHL
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf
> > Of Freeman, Tim
> > Sent: Monday, April 18, 2011 4:26 PM
> > To: [email protected]
> > Subject: [OAUTH-WG] Can you use POST to access protected resources?
> >
> > Section 7 of http://tools.ietf.org/html/draft-ietf-oauth-v2-15 gives
> > examples of how to access protected resources. All of the examples use
> > GET.
> >
> > Our protected resources are identified by a query, which might be a
> > few kilobytes. I'm concerned that this may not fit inside the length
> > limitation on GET's for some web servers. Our present implementation
> > does a POST instead.
> >
> > Definition-by-example is easy to understand, but it is not good at
> > unambiguously specifying the boundary of permitted behavior. Was the
> > spec meant to allow using HTTP operations other than GET to access
> > protected resources?
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
