
Re: [OAUTH-WG] Reevaluating Assumptions (Important!)



Eran Hammer-Lahav wrote:
> * Many web platforms do not provide access to the wire HTTP request URI (either on the client or server side)
>
> requires more research but it also holds the key to much of the protocol design, namely:
>
> - The canonicalization of the HTTP request parameters and URI - this was done due to the fact that at the time, many popular web platforms did not provide easy access to the raw HTTP request URI and headers. If this is no longer the case, OAuth can be significantly simplified to remove the need to process the parameters and only treat the request URI.
>
> - The inclusion of multiple parameter transmission methods - this was done due to lack of access to the Authorization header in some client and server environments. If this is no longer a requirement or if we come to the conclusion that HTTP caching requires that we use the header in all requests, the need to support parameters in places other than the header will also go away.

One use case (I think I saw it mentioned somewhere else on the list) where we've used the URI parameters is when we want the server to sign a URL and then pass that signed value to the browser to load. This can be done with a simple 302 and the signed URL. Switching to just supporting the Authorization header will make this more difficult but probably not impossible.

Thanks,
George
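The two design points quoted above (parameter canonicalization, and the three parameter transmission methods) and the signed-redirect use case from the reply can be seen side by side in a small implementation. The following is an added example, not code from the thread or from any OAuth library: it builds the OAuth 1.0-style signature base string from the base URI plus the parameters gathered from the query string, form body and Authorization header, signs it with HMAC-SHA1, and verifies a request regardless of which transmission method carried the protocol parameters. Function names (`verify_request`, `sign_redirect_url`, `collect_params`, etc.) and the sample keys and secrets are this example's own.

```python
"""Added example: OAuth 1.0-style canonicalization, signing and verification.

Whichever way the oauth_* parameters travel (query string, form body or
Authorization header), the server collects them, normalizes them together
with the base URI into one signature base string and recomputes the HMAC.
All names here are hypothetical; sample keys/secrets are constructed.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit


def oauth_encode(value):
    # Percent-encode everything except the RFC 3986 unreserved characters.
    return quote(str(value), safe="-._~")


def base_uri(url):
    # Lower-case scheme and host, drop default ports, drop query and fragment.
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    if parts.port and (scheme, parts.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def normalize_params(params):
    # Encode names and values, sort by name then value, join with '=' and '&'.
    # The signature itself is never part of the signed material.
    pairs = sorted((oauth_encode(k), oauth_encode(v))
                   for k, v in params if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    return "&".join([method.upper(), oauth_encode(base_uri(url)),
                     oauth_encode(normalize_params(params))])


def hmac_sha1(sbs, consumer_secret, token_secret=""):
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, sbs.encode(), hashlib.sha1).digest()).decode()


def parse_auth_header(header):
    # 'OAuth realm="x", oauth_a="v", ...' -> [(name, value), ...]; realm is not signed.
    if not header or not header.startswith("OAuth "):
        return []
    params = []
    for part in header[len("OAuth "):].split(","):
        name, sep, value = part.strip().partition("=")
        if sep and name != "realm":
            params.append((name, unquote(value.strip().strip('"'))))
    return params


def auth_header_from_params(params, realm=None):
    # Inverse of parse_auth_header: serialize parameters into an Authorization value.
    items = ([("realm", realm)] if realm else []) + list(params)
    return "OAuth " + ", ".join(f'{k}="{oauth_encode(v)}"' for k, v in items)


def collect_params(url, auth_header=None, body_params=()):
    # Gather protocol parameters from all three transmission methods.
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params.extend(body_params)
    params.extend(parse_auth_header(auth_header))
    return params


def verify_request(method, url, consumer_secret, token_secret="",
                   auth_header=None, body_params=()):
    # Server side: rebuild the base string from the wire request and compare.
    params = collect_params(url, auth_header, body_params)
    presented = [v for k, v in params if k == "oauth_signature"]
    if len(presented) != 1:
        return False  # missing or duplicated signature is a verification failure
    expected = hmac_sha1(signature_base_string(method, url, params),
                         consumer_secret, token_secret)
    return hmac.compare_digest(presented[0].encode(), expected.encode())


def sign_redirect_url(method, url, oauth_params, consumer_secret, token_secret=""):
    # The reply's use case: the server signs a URL and hands it to the browser
    # (e.g. in a 302), so every parameter, signature included, rides in the query.
    parts = urlsplit(url)
    params = list(parse_qsl(parts.query, keep_blank_values=True)) + list(oauth_params)
    sig = hmac_sha1(signature_base_string(method, url, params), consumer_secret, token_secret)
    params.append(("oauth_signature", sig))
    query = urlencode(params, safe="-._~", quote_via=quote)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))
```

Because `verify_request` canonicalizes the request the same way no matter where the parameters arrived, a URL produced by `sign_redirect_url` and the same request carrying its `oauth_*` values in an `Authorization` header verify against the same signature; this is the property that lets a server move from query parameters to the header without changing the signing logic. If a platform cannot expose the raw request URI, the `base_uri` step is where the reconstruction has to happen, which is the dependency the quoted message describes.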

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.