by dlitz
5070 days ago
This is all way too complicated. All of the service-discovery you need can be encoded in the WWW-Authenticate header. The only problem that OAuth really solves is coming up with some way for a third party to get an arbitrary set of revocable credentials that authenticate the (user, app) pair instead of just having every app use user credentials directly (because that's a phishing hazard). All we need is a standardized mechanism for getting those credentials, and then we can all continue to use Basic and Digest authentication over HTTPS.

OAuth 2.0 almost does that. It actually allows it, but it just has a little too much extra cruft. If you strip out refresh tokens, replace Bearer and MAC authentication with Basic and Digest authentication, mandate HTTPS, and add a couple of qop-options to the WWW-Authenticate header on the 401 response (see RFC 2617) that identify the authorization and token endpoints, you'd have a working standard, and it would be child's play for anyone to implement it.

EDIT: So the 401 response would look something like:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="foo", oauth2_auth="<URI>", oauth2_token="<URI>"
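The following is an added example, not code from the commenter or from any OAuth implementation. It shows what a client would have to do with the 401 response sketched above: parse the RFC 2617 auth-param list in the WWW-Authenticate header and pull out the two discovery parameters. The parameter names `oauth2_auth` and `oauth2_token` are the commenter's proposal, not a registered standard; the sample header, the example.com URIs and the function names are constructed for this example. The https-only check follows the comment's "mandate HTTPS" requirement, since an endpoint advertised over plain http would have the client send the credentials it obtains in the clear.

```python
import re
from urllib.parse import urlsplit

# Constructed sample 401 response headers (not a real server's output). The
# parameter names oauth2_auth / oauth2_token are the commenter's proposal, not
# a registered standard; the example.com URIs are placeholders.
SAMPLE_401_HEADERS = {
    "WWW-Authenticate": 'Basic realm="foo", '
                        'oauth2_auth="https://example.com/oauth/authorize", '
                        'oauth2_token="https://example.com/oauth/token"',
}

# RFC 2617 / RFC 7230 "token" characters, used for auth-param names and
# for bare (unquoted) values such as qop=auth.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# A quoted-string: "..." with backslash quoted-pairs allowed inside.
_QUOTED = r'"((?:[^"\\]|\\.)*)"'
# One auth-param: name "=" (quoted-string | token), optionally followed by ","
_PARAM_RE = re.compile(
    r"\s*(" + _TOKEN + r")\s*=\s*(?:" + _QUOTED + r"|(" + _TOKEN + r"))\s*,?"
)


def parse_challenge(header_value):
    """Parse a single WWW-Authenticate challenge into (scheme, {name: value}).

    Parameter names are lower-cased and quoted-string values are unescaped.
    Only one challenge per header value is handled; a malformed parameter
    list (or a second challenge) raises ValueError.
    """
    parts = header_value.strip().split(None, 1)
    if not parts:
        raise ValueError("empty challenge")
    scheme = parts[0].lower()
    rest = parts[1] if len(parts) > 1 else ""
    params = {}
    pos = 0
    while pos < len(rest):
        m = _PARAM_RE.match(rest, pos)
        if m is None:
            raise ValueError("malformed auth-param at offset %d" % pos)
        name = m.group(1).lower()
        if m.group(2) is not None:
            # quoted-string: undo backslash quoted-pairs
            value = re.sub(r"\\(.)", r"\1", m.group(2))
        else:
            value = m.group(3)
        params[name] = value
        pos = m.end()
    return scheme, params


def endpoint_is_acceptable(uri):
    """A discovered endpoint is only usable if it is an absolute https URI."""
    u = urlsplit(uri)
    return u.scheme == "https" and bool(u.netloc)


def discover_oauth2_endpoints(headers):
    """Extract the proposed discovery parameters from a 401's headers.

    Returns None when the challenge is plain Basic/Digest with no discovery
    parameters, a dict of endpoints otherwise, and raises ValueError when
    either endpoint is not an absolute https URI.
    """
    value = None
    for name, v in headers.items():  # header names are case-insensitive
        if name.lower() == "www-authenticate":
            value = v
            break
    if value is None:
        return None
    scheme, params = parse_challenge(value)
    if scheme not in ("basic", "digest"):
        return None
    if "oauth2_auth" not in params or "oauth2_token" not in params:
        return None
    for key in ("oauth2_auth", "oauth2_token"):
        if not endpoint_is_acceptable(params[key]):
            raise ValueError("%s must be an absolute https URI: %r" % (key, params[key]))
    return {
        "scheme": scheme,
        "realm": params.get("realm", ""),
        "authorization_endpoint": params["oauth2_auth"],
        "token_endpoint": params["oauth2_token"],
    }


if __name__ == "__main__":
    print(discover_oauth2_endpoints(SAMPLE_401_HEADERS))
```

A client that accepts endpoint URIs advertised in a 401 is trusting the resource server to tell it where to send the user and where to fetch credentials, so the challenge itself has to arrive over HTTPS from that server; the https-only check on the advertised URIs covers the other half of the commenter's "mandate HTTPS".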