[OAUTH-WG] choice of credentials syntax, was: OAuth 2.0 Bearer Token Specification Draft -10

Julian Reschke <julian.reschke@gmx.de> Thu, 20 October 2011 08:45 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 19FC721F848A for <oauth@ietfa.amsl.com>; Thu, 20 Oct 2011 01:45:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.704
X-Spam-Status: No, score=-103.704 tagged_above=-999 required=5 tests=[AWL=-1.105, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id bvwzO9yfUZc7 for <oauth@ietfa.amsl.com>; Thu, 20 Oct 2011 01:45:41 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net []) by ietfa.amsl.com (Postfix) with SMTP id 3760821F8BBC for <oauth@ietf.org>; Thu, 20 Oct 2011 01:45:41 -0700 (PDT)
Received: (qmail invoked by alias); 20 Oct 2011 08:45:39 -0000
Received: from p5DCC3E45.dip.t-dialin.net (EHLO []) [] by mail.gmx.net (mp062) with SMTP; 20 Oct 2011 10:45:39 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1+7GMV6bsW7YOUi06LkpWLs1YEdRE0qdjZKopnuIE /zR3vjFULqI+v3
Message-ID: <4E9FDFAF.20505@gmx.de>
Date: Thu, 20 Oct 2011 10:45:35 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739435C24B1CA@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435C24B1CA@TK5EX14MBXC283.redmond.corp.microsoft.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: [OAUTH-WG] choice of credentials syntax, was: OAuth 2.0 Bearer Token Specification Draft -10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2011 08:45:42 -0000

On 2011-10-20 01:38, Mike Jones wrote:
> ...
> ·Removed the #auth-param option from Authorization header syntax
> (leaving only the b64token syntax).
> ...

I recommend that adding a rational, such as:

"The b64token syntax was chosen over an extensible parameter syntax (see 
[HTTPbisP7], Section 2.3.1) due to compatibility concerns with early 
implementations. If in the future, additional fields will be needed, a 
new authentication scheme will have to be defined".

(I think this captures what lead to the choice, and helps other readers 
understand why the spec isn't following the recommendations in the HTTP 
Authentication spec).

Best regards, Julian