On Sat, Oct 3, 2009 at 10:46 PM, Eran Hammer-Lahav <eran at hueniverse.com> wrote:
> *** It would be helpful if other people chime in on this topic. This is a
> critical decision we need to make regarding new schemes. One proposal
> is to have a different scheme for each type of access (direct vs. delegated).
> Another is to reuse the existing scheme (with a new MAC-based one) for both
> usernames and tokens, and differentiate them on the server side using the
> credential structure (token or username) and on the client side using the
> realm parameter (and the header order). Of course, there are probably other
> proposals coming. ***
Eran points out that I've posted several times to this thread without
actually answering the question he asked. =)
I don't think we should use basic auth to send tokens. I'd rather see
us use a new auth scheme.
- basic auth has existing semantics for "realm". They aren't the same
semantics we need for OAuth.
- using the basic auth scheme would cripple our ability to add new
signature methods.
It is in theory possible to treat a token as a username and a token
secret as a password, but I don't think it would be a particularly
useful thing to do. If we want to use bearer tokens, we should just
drop the token secret altogether.
Cheers,
Brian
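The two options under discussion side by side, as an added illustration that is not code from this thread or from any OAuth draft: a server accepting the same credentials either through a Basic header (where a token can only be smuggled in as the "username" and the server has to tell users and tokens apart by looking the value up) or through a hypothetical dedicated `Token` scheme whose key="value" parameters leave room for a `method` parameter selecting bearer or HMAC verification. The scheme name, the parameter names (`token`, `method`, `signature`), the `hmac-sha256` method and all credential values are assumptions constructed for the example.

```python
"""Added example: Basic header versus a hypothetical dedicated 'Token' scheme.
Scheme name, parameter names and all credentials are constructed assumptions."""
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample credential stores (not real secrets).
USERS = {"alice": "correct-horse"}
TOKENS = {"tok_abc123": "token-secret-xyz"}

_PARAM = re.compile(r'([A-Za-z_]+)="([^"]*)"')


@dataclass
class AuthResult:
    scheme: str      # HTTP auth scheme that carried the credential
    kind: str        # "user", "token" or "none"
    principal: str   # username or token identifier
    ok: bool         # whether the credential verified


def _parse_basic(encoded: str):
    """Decode a Basic credential into (user, password); Basic has no other slots."""
    raw = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("Basic credential must be user:password")
    return user, password


def _parse_params(value: str) -> dict:
    """Parse key="value" pairs from the body of a scheme-specific header."""
    return dict(_PARAM.findall(value))


def _hmac_hex(secret: str, request_line: str) -> str:
    """Hypothetical signature method: HMAC-SHA256 of the request line."""
    return hmac.new(secret.encode(), request_line.encode(), hashlib.sha256).hexdigest()


def authenticate(authorization: str, request_line: str = "") -> AuthResult:
    """Verify an Authorization header value.

    Basic: the server can only infer from the credential structure whether the
    'username' is really a token, and the header has no slot for naming a
    signature method.  Token (hypothetical): the scheme itself says a token is
    being presented, and 'method' chooses bearer or HMAC verification.
    """
    scheme, _, rest = authorization.partition(" ")
    scheme = scheme.lower()

    if scheme == "basic":
        user, password = _parse_basic(rest)
        if user in TOKENS:  # token stuffed into the username field
            ok = hmac.compare_digest(password, TOKENS[user])
            return AuthResult("basic", "token", user, ok)
        expected = USERS.get(user)
        ok = expected is not None and hmac.compare_digest(password, expected)
        return AuthResult("basic", "user", user, ok)

    if scheme == "token":
        params = _parse_params(rest)
        token = params.get("token", "")
        secret = TOKENS.get(token)
        if secret is None:
            return AuthResult("token", "token", token, False)
        method = params.get("method", "bearer")
        if method == "bearer":
            # Bearer: possession of the token identifier is the whole proof;
            # no token secret is transmitted at all.
            return AuthResult("token", "token", token, True)
        if method == "hmac-sha256":
            # Signature method: prove knowledge of the secret without sending it.
            expected = _hmac_hex(secret, request_line)
            ok = hmac.compare_digest(params.get("signature", ""), expected)
            return AuthResult("token", "token", token, ok)
        return AuthResult("token", "token", token, False)  # unknown method

    return AuthResult(scheme, "none", "", False)


def basic_header(user: str, password: str) -> str:
    """Client side: build a Basic header (token-as-username looks identical)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def token_header(token: str, secret: Optional[str] = None, request_line: str = "") -> str:
    """Client side: build the hypothetical Token header, bearer or HMAC-signed."""
    if secret is None:
        return f'Token token="{token}", method="bearer"'
    sig = _hmac_hex(secret, request_line)
    return f'Token token="{token}", method="hmac-sha256", signature="{sig}"'
```

The Basic branch shows why the "differentiate by credential structure" approach leans on a lookup: a Basic header is just an opaque `user:password` pair, so nothing in the wire format says which kind of credential it is, and adding a signature method later would mean overloading the password field. The dedicated scheme carries that information explicitly and can drop the secret entirely for the bearer case.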
_______________________________________________
OAuth mailing list
OAuth at ietf.org
https://www.ietf.org/mailman/listinfo/oauth
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.