Re: [OAUTH-WG] Call for Consensus on Document Split

["Manger, James H" <James.H.Manger@team.telstra.com>]

Eran,

> How would you suggest we define a general purpose www-authenticate
> header that does not have a matching request header?

Why would that be a problem?
We define what a "WWW-Authenticate: OAuth2 ..." response header means, but don't define any meaning for a "Authorization: OAuth2 ..." request header.
No other scheme should define a meaning for "Authorization: OAuth2 ...".
Consequently, the bearer token spec need to choose a different scheme name (eg "BEARER" or "TOKEN" or "EXTERNAL") so it can define request & response headers.

There is even some precedent for this. draft-broyer-http-cookie-auth defines "WWW-Authenticate: COOKIE ...", without any matching request header.
I think there have also been ideas to define something like "WWW-Authenticate: TLS ..." to indicate when authentication at a lower layer (TLS, IPsec) is required. Again there was no matching "Authorization: TLS ..." header.

--
James Manger