Hi, in https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05 section 5.2.2:
    All challenges for this token type MUST use the auth-scheme value Bearer. This scheme MUST be followed by one or more auth-param values.

Why is at least one auth-param required?

It makes "WWW-Authenticate: Bearer" in response to a request lacking any authentication information (thus not containing an error auth-param attribute) non-compliant. The optional scope attribute is not useful in this case. The optional realm attribute may not be necessary (e.g. if there is only one realm). So to be compliant, you would have to add a non-meaningful auth-param like foo=bar.

Note: While in rfc2617 challenge was defined as

    challenge = auth-scheme 1*SP 1#auth-param

(requiring at least one auth-param), rfc7235 does not have this requirement:

    challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ]

-- 
Johannes Koch
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
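To make the grammar point concrete, here is an added example (not code from the post, the OAuth working group, or any IETF document) that parses a single WWW-Authenticate challenge according to the RFC 7235 ABNF quoted above and then applies the extra Bearer rule from draft-ietf-oauth-v2-1-05 section 5.2.2 as a separate check. The function names, the `Challenge` dataclass and the sample header values are assumptions made for this example.

```python
"""Parse one WWW-Authenticate challenge (RFC 7235 ABNF) and check the
Bearer-specific "one or more auth-param" rule from draft-ietf-oauth-v2-1-05.

RFC 7235:
  challenge  = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
  auth-param = token BWS "=" BWS ( token / quoted-string )
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Character classes taken from RFC 7230 / RFC 7235.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'

AUTH_PARAM_RE = re.compile(rf"({TOKEN})[ \t]*=[ \t]*({TOKEN}|{QUOTED_STRING})")
# OWS "," OWS between list elements; repeated commas (empty elements) are tolerated.
LIST_SEP_RE = re.compile(r"[ \t]*(?:,[ \t]*)+")


@dataclass
class Challenge:
    scheme: str
    token68: Optional[str] = None
    params: dict = field(default_factory=dict)  # auth-param names lower-cased


def _unquote(raw: str) -> str:
    """Strip the quotes of a quoted-string and resolve backslash escapes."""
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def parse_challenge(value: str) -> Challenge:
    """Parse one challenge, i.e. the value of a WWW-Authenticate header."""
    parts = re.split(r" +", value.strip(), maxsplit=1)
    scheme = parts[0]
    if not re.fullmatch(TOKEN, scheme):
        raise ValueError(f"invalid auth-scheme: {scheme!r}")
    challenge = Challenge(scheme=scheme)
    if len(parts) == 1:
        return challenge  # bare scheme: the optional part of the ABNF is absent

    rest = parts[1].strip()
    pos = 0
    while pos < len(rest):
        m = AUTH_PARAM_RE.match(rest, pos)
        if m is None:
            break
        challenge.params[m.group(1).lower()] = _unquote(m.group(2))
        pos = m.end()
        sep = LIST_SEP_RE.match(rest, pos)
        if sep is None:
            break
        pos = sep.end()
    if pos == len(rest):
        return challenge
    # Nothing parsed as an auth-param list: try the token68 alternative.
    if not challenge.params and re.fullmatch(TOKEN68, rest):
        challenge.token68 = rest
        return challenge
    raise ValueError(f"cannot parse challenge tail: {rest[pos:]!r}")


def bearer_violations(challenge: Challenge) -> list:
    """Where a Bearer challenge falls short of draft-ietf-oauth-v2-1-05 s5.2.2,
    which says the scheme MUST be followed by one or more auth-param values.
    Other schemes are out of scope for that rule and always pass."""
    if challenge.scheme.lower() != "bearer":
        return []
    if challenge.params:
        return []
    if challenge.token68 is not None:
        return ["token68 given instead of auth-param values"]
    return ["no auth-param after 'Bearer' (valid under RFC 7235, "
            "but the draft requires at least one)"]


if __name__ == "__main__":
    # Constructed sample header values.
    for hdr in ["Bearer", 'Bearer realm="api"', 'Bearer error="invalid_token"',
                "Bearer foo=bar", "Negotiate dGVzdA=="]:
        print(f"{hdr!r:35} -> {bearer_violations(parse_challenge(hdr)) or 'OK'}")
```

Running the script shows the situation the post describes: a bare `Bearer` challenge parses cleanly under the RFC 7235 grammar yet is flagged by the draft's rule, while `Bearer foo=bar` passes even though the parameter carries no meaning for the client.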
