On Sat, Oct 3, 2009 at 8:13 PM, Manger, James H <James.H.Manger at team.telstra.com> wrote: > One very real benefit is that established authentication schemes, such as BASIC > are already supported by frameworks/libraries/systems/infrastructure/plumbing. > I think Eran stated that one aim of the current OAuth work was to get OAuth > supported in those contexts, not just as app-layer libraries. > > Consider a networking library (eg java.net.URLConnection) that adds support for > TOKEN XXX WWW-Auth schemes (in addition to existing support for BASIC etc). The > library has no way of knowing if a caller is making a request in a "direct" or a > "delegated" context so it has no way of knowing if it should react to BASIC or TOKEN XXX. > All it can do is ask the caller (eg via a caller-supplied java.net.Authenticator), > "Have you got a username/password for this address/port/protocol/realm/scheme"? Almost nobody writes code that actually works this way today. In general applications know exactly what kind of authentication they are going to provide for a particular resource, and add it in a priori. Automatically figuring out that a particular resource requires a particular credential from a particular authority is tantamount to magic. I don't think we should guide the spec based on the assumption that someone is going to figure out how to do it. I'd prefer to assume that OAuth authentication starts after application code has figured out it is necessary and provided the necessary bootstrapping. Cheers, Brian
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.