
Re: [OAUTH-WG] realms
On 10/03/2009 12:26 PM, Manger, James H wrote:
> The only defined operation with a realm is to compare the realm values
> from different 401 responses from the same origin (scheme/host/port).

Although it's not really a "defined" operation, realms are also often
used in the UI by web browsers when presenting the password dialog; "The
web site has requested a password for '$realm'" or something.

> Once a client has learnt the realm for one resource it is reasonable to
> assume any sub-resource has the same realm.

This is not generically true, it's just something Basic and Digest both
explicitly add to the generic realm semantics. If it was convenient for
OAuth, you could say that the 401 response applies only to the exact URI
that it was returned from, and user agents should not attempt to reuse
the same authentication for any other URIs. Or you could do something
like Digest's "domain" parameter, giving an explicit list of other URIs
where the same auth can be reused.

-- Dan
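To make the difference between the generic realm semantics and the reuse rules that Basic and Digest bolt on concrete, here is a small client-side model of the three cases discussed above. This is an added example, not code from the thread or from any OAuth implementation; the URLs, header values and credentials are constructed sample data, and the "exact URI only" rule for an unknown scheme is the option Dan describes, not something any RFC mandates.

```python
"""Credential-reuse scope learnt from a 401 response (RFC 2617 rules).

Added illustration for this thread, not code from the original message
or from the OAuth WG. All URLs, headers and credentials are constructed.
"""
import re
from urllib.parse import urlsplit, urljoin

# name=value pairs; value is either a quoted-string or a bare token
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_challenge(header):
    """Split one WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        quoted, token = m.group(2), m.group(3)
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
        params[m.group(1).lower()] = value
    return scheme.lower(), params


def origin(url):
    """(scheme, host, port) with default ports filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (p.hostname or "").lower(), port)


def directory_of(url):
    """Path up to and including the last '/', e.g. /a/b/c -> /a/b/."""
    path = urlsplit(url).path or "/"
    return path[: path.rfind("/") + 1]


class ProtectionSpace:
    """Where a client may reuse credentials obtained after one 401."""

    def __init__(self, challenge_url, header):
        self.scheme, self.params = parse_challenge(header)
        self.realm = self.params.get("realm")
        self.origin = origin(challenge_url)
        self.exact_only = self.scheme not in ("basic", "digest")
        root = urljoin(challenge_url, "/")
        if self.scheme == "basic":
            # RFC 2617 sect. 2: same origin, same realm, any path at or
            # below the directory of the URI that was challenged.
            self.prefixes = [(self.origin, directory_of(challenge_url))]
        elif self.scheme == "digest" and self.params.get("domain"):
            # RFC 2617 sect. 3.2.1: "domain" is a space-separated list of
            # URI prefixes; abs_path entries are relative to the root URL.
            self.prefixes = []
            for d in self.params["domain"].split():
                u = urljoin(root, d)
                self.prefixes.append((origin(u), urlsplit(u).path or "/"))
        elif self.scheme == "digest":
            self.prefixes = [(self.origin, "/")]  # no domain: whole origin
        else:
            # A scheme that defines no reuse rule (Dan's option): the
            # challenge is taken to apply to the exact URI only.
            self.prefixes = [(self.origin, urlsplit(challenge_url).path or "/")]

    def covers(self, url):
        """True if this space's credentials may be sent to url preemptively."""
        o, path = origin(url), urlsplit(url).path or "/"
        for po, prefix in self.prefixes:
            if o != po:
                continue
            matched = path == prefix if self.exact_only else path.startswith(prefix)
            if matched:
                return True
        return False

    def same_space(self, challenge_url, header):
        """The one operation every scheme defines: compare the realms of
        two 401 responses from the same origin."""
        scheme, params = parse_challenge(header)
        return (origin(challenge_url) == self.origin and scheme == self.scheme
                and params.get("realm") == self.realm)


class CredentialCache:
    def __init__(self):
        self._entries = []

    def store(self, challenge_url, header, credentials):
        self._entries.append((ProtectionSpace(challenge_url, header), credentials))

    def lookup(self, url):
        for space, creds in self._entries:
            if space.covers(url):
                return creds
        return None


def build_cache():
    """Constructed sample: one Basic, one Digest-with-domain, one unknown."""
    cache = CredentialCache()
    cache.store("https://example.com/api/v1/users",
                'Basic realm="Staff API"', ("alice", "s3cret"))
    cache.store("https://example.com/login",
                'Digest realm="Admin", nonce="abc", qop="auth", '
                'domain="/admin /reports https://files.example.com/"',
                ("root", "hunter2"))
    cache.store("https://example.com/token",
                'Example realm="oauth"', ("tok", "x"))  # hypothetical scheme
    return cache
```

The three stored challenges show the three scopes: Basic credentials are reused for anything under /api/v1/ on the same origin (and nothing else, not even the same path over plain http), the Digest "domain" list spells out /admin, /reports and a second host explicitly, and the made-up scheme with no reuse rule gets the exact URI only.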

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.