On Fri, Jun 10, 2011 at 9:34 AM, John Kemp <[email protected]> wrote: > George, > > On Jun 10, 2011, at 4:11 PM, George Fletcher wrote: > >> I definitely don't want to change the Authorization header naming scheme. I >> believe it should stay 'Bearer' because that's what the token is. We could >> make it... >> >> Authorization: Bearer access_token=vF9dft4qmT >> >> If that helps with consistency. > > Well, it might seem more consistent, but I'm not sure it's worthwhile to make > the change just for that reason. > > Is it possible that the Bearer HTTP mechanism would ever take multiple > parameters? In which case, having the ability to name the parameters of the > Bearer mechanism might become more interesting.
Hard to say, but using a proper name/value pair has several advantages: - permits extensibility - no need to limit or define character set of access tokens (name is either "token" or "quoted string") - HTTP header parsers can properly deal with name/value pairs If we make changes to the GET/POST parameter name then I think we should also consider the header as well. Marius _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
