> If we are going to support sending authentication credentials in the URI query, what are the
> requirements to make sure it works well with proxies and caches? What headers do we
> need to require the server to return to make sure it doesn't get cached?

AFAICT, cache control headers and OAuth are completely orthogonal questions. Any web server returning any type of personal/private data must return cache-control headers. That's true whether the authentication is based on secret URLs, or cookies, or basic auth headers, or OAuth.

Cheers,
Brian
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
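
The reply's point, that the caching requirement is the same whichever way a request is authenticated, shown as an added example (not part of the original message or of any OAuth specification text): a small audit that flags authenticated exchanges whose response lacks `Cache-Control: no-store` or `private`. The query parameter names, the function names and the sample exchanges are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed credential-bearing query parameter names (not taken from the thread).
CREDENTIAL_PARAMS = {"oauth_token", "oauth_signature", "access_token"}
# Directives that keep a response out of shared (proxy) caches.
SAFE_DIRECTIVES = {"no-store", "private"}

def credential_sources(url, request_headers):
    """List how the request carries credentials: query, cookie, or auth scheme."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    sources = []
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if CREDENTIAL_PARAMS.intersection(query):
        sources.append("query")
    if "cookie" in headers:
        sources.append("cookie")
    if headers.get("authorization", "").strip():
        sources.append(headers["authorization"].split()[0].lower())
    return sources

def cache_directives(response_headers):
    """Parse Cache-Control into a set of lowercase directive names."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    parts = headers.get("cache-control", "").split(",")
    return {p.split("=", 1)[0].strip().lower() for p in parts if p.strip()}

def audit(url, request_headers, response_headers):
    """Return a finding string, or None if the exchange is fine."""
    sources = credential_sources(url, request_headers)
    if not sources or cache_directives(response_headers) & SAFE_DIRECTIVES:
        return None
    return "credentials via %s; response lacks no-store/private" % "+".join(sources)

# Constructed sample exchanges: (url, request headers, response headers).
SAMPLES = [
    ("https://api.example.com/photos?oauth_token=CONSTRUCTED", {}, {"Content-Type": "text/html"}),
    ("https://api.example.com/photos", {"Cookie": "sid=CONSTRUCTED"}, {"Cache-Control": "private, max-age=0"}),
    ("https://api.example.com/photos", {"Authorization": "Basic Q09OU1RSVUNURUQ="}, {"Cache-Control": "max-age=3600"}),
    ("https://api.example.com/logo.png", {}, {"Cache-Control": "public, max-age=86400"}),
]

def run_samples():
    """Audit every constructed sample and return the findings in order."""
    return [audit(*s) for s in SAMPLES]

if __name__ == "__main__":
    for sample, finding in zip(SAMPLES, run_samples()):
        print(sample[0], "->", finding or "ok")
```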