Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-v2

Mon, 06 Feb 2012 11:50:33 -0800 

+1 for consistent examples.

 -- Justin

On 02/06/2012 02:35 PM, Eran Hammer wrote:


Sending to the right place.

*From:*Thomas, Christopher (LLU) [mailto:[email protected]]
*Sent:* Monday, February 06, 2012 11:33 AM
*To:* [email protected]
*Subject:* Mail regarding draft-ietf-oauth-v2

Hello,
I'm looking into implementing the Oauth2 spec for a work project and I think I ran into an issue with the version 23 documentation. According to the Oauth2 documentation, a client can send it's credentials one of two ways: 1) via HTTP Basic Auth 2) via the request body parameters. Section 2.3.1 says "....the HTTP Basic authentication scheme as defined in [RFC2617] to authenticate with the authorization server. The client identifier is used as the username, and the client password is used as the password." 

The example given in Section 2.3.1 is:

Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
According to RFC2617 Section 2, the value of the credential is a base64 representation of "username:password" (no quotes). This means when the value is decoded, it is "s6BhdRkqt3:gX1fBat3bV". So, according to the HTTP Basic Auth example, the client_id is s6BhdRkqt3 and the client_secret is gX1fBat3bV. Just below the basic auth example is the request body example: 

POST /token HTTP/1.1

     Host: server.example.com

     Content-Type: application/x-www-form-urlencoded;charset=UTF-8

     grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

&client_id=s6BhdRkqt3&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
In the request body example, the client_secret does not match the client_secret in the HTTP Basic Auth example. I think the two should match for consistency. I propose the change that is in the patch attached to this email. 

Thank you for considering my suggestion.

Chris

Christopher Thomas, BA --- Systems Analyst/
/LOMA LINDA UNIVERSITY | Information Systems

Loma Linda University, Loma Linda, California 92350
x87866 or (909) 558-7866



_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth



_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to