Re: [OAUTH-WG] Extra "Authorization: Basic" lines in examples
Shane B Weeden <sweeden@au1.ibm.com> Tue, 26 July 2011 04:58 UTC
Mike - I don't think that's true for the resource owner password credentials flow that you showed below. The Authorization header is authenticating the client, the username/password POST body params represent the resource owner.

From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: 26-07-11 02:31 PM
Subject: [OAUTH-WG] Extra "Authorization: Basic" lines in examples
Sent by: oauth-bounces@ietf.org

In sections 4.1.3, 4.3.2, 4.4.2, and 6 of draft -20, the examples contain both the line “Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW” and credentials in the post body. For instance, the example from 4.3.2 is:

    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8

    grant_type=password&username=johndoe&password=A3ddj3w

I believe that the “Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW” line should be deleted from all of these examples, as you either use Basic or credentials in the post body, but not both.

Thanks,
-- Mike
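Added example, not part of the original messages or of the draft: a token-endpoint parser run over the 4.3.2 request quoted above, showing that the Basic header and the username/password parameters carry two different identities, and that a conflict only arises when client credentials appear in both places (the one-method-per-request rule is from section 2.3 of the final RFC 6749). The function name split_credentials and the returned dictionary layout are assumptions made for illustration.

```python
import base64
from urllib.parse import parse_qs

# Request from section 4.3.2 of draft -20, exactly as quoted in the thread.
HEADERS = {"Authorization": "Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW"}
BODY = "grant_type=password&username=johndoe&password=A3ddj3w"


def split_credentials(headers, body):
    """Return (client, resource_owner) credentials found in a token request.

    Hypothetical helper: raises ValueError on malformed input or when the
    client authenticates by more than one method in the same request.
    """
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    # 1. Client authentication carried in the HTTP Authorization header.
    client = None
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
        client_id, sep, secret = decoded.partition(":")
        if not sep:
            raise ValueError("malformed Basic credentials")
        client = {"method": "basic", "client_id": client_id,
                  "client_secret": secret}

    # 2. Client authentication carried in the body (client_id/client_secret).
    #    Only these parameters compete with the Basic header.
    if "client_secret" in form:
        if client is not None:
            raise ValueError("client authenticated in both header and body")
        client = {"method": "body", "client_id": form.get("client_id"),
                  "client_secret": form["client_secret"]}

    # 3. Resource owner credentials: a separate identity, present only for
    #    the password grant, and always sent in the body.
    owner = None
    if form.get("grant_type") == "password":
        if "username" not in form or "password" not in form:
            raise ValueError("password grant without username/password")
        owner = {"username": form["username"], "password": form["password"]}
    return client, owner


if __name__ == "__main__":
    print(split_credentials(HEADERS, BODY))
```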