Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer

Julian Reschke <> Thu, 12 April 2012 13:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1026121F856C for <>; Thu, 12 Apr 2012 06:09:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.053
X-Spam-Status: No, score=-103.053 tagged_above=-999 required=5 tests=[AWL=-0.454, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yLGYLlrYxNPq for <>; Thu, 12 Apr 2012 06:09:15 -0700 (PDT)
Received: from ( []) by (Postfix) with SMTP id 0D02A21F854E for <>; Thu, 12 Apr 2012 06:09:14 -0700 (PDT)
Received: (qmail invoked by alias); 12 Apr 2012 13:09:13 -0000
Received: from (EHLO []) [] by (mp036) with SMTP; 12 Apr 2012 15:09:13 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1+X+UxJ7OKX5XQhT54Q02s03gTb4Y1svNYghzJqhs Z2RMvE3Q5PG7bS
Message-ID: <>
Date: Thu, 12 Apr 2012 15:09:09 +0200
From: Julian Reschke <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: Eran Hammer <>
References: <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: Pete Resnick <>, "" <>, Apps Discuss <>
Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 12 Apr 2012 13:09:16 -0000

On 2012-04-12 14:56, Eran Hammer wrote:
> The issue is pretty simple. The OAuth bearer token specification defines an HTTP Authorization header scheme. It also provides a "hack" for sending the same authentication credentials direction in the HTTP request URI. For example:
> This in practice claims the 'access_token' URI query parameter as a reseved parameter name used by the bearer token specification. The reason is that any future (or existing) implementation using this parameter name will now be in conflict with the OAuth bearer token specification. We do not have a mechanism for reserving URI query parameters - but in practice, this updates RFC 3986 by taking ownership of the query parameter name.
> There were other voices on the OAuth WG to simply drop this mechanism but resistance from the authors and lack of strong consensus kept it in.
> I supported Mark's recommendation of dropping that mechanism.
> Hope this is helpful.
> EH
> ...

It is.

Right now the spec describes the two fallback methods and the auth 
scheme side-by side.

Maybe it should be reorganized so that is only mentions the 
query-parameter and form-based schemes as workarounds in an appendix, so 
that it becomes clearer that when you use those, you're *not* doing HTTP 
Bearer authentication?

Best regards, Julian