[CAMP-18] API Authentication/Authorization not clear and should leave scope for other auth mechanisms - OASIS Technical Committees Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: Spec
Labels:
None

Proposal:

Hide

https://www.oasis-open.org/apps/org/workgroup/camp/download.php/50987/camp-spec-v1.1-wd24-issue18-r3-ajo.doc

Show
https://www.oasis-open.org/apps/org/workgroup/camp/download.php/50987/camp-spec-v1.1-wd24-issue18-r3-ajo.doc

Description

The spec talks about basic auth requirement:

"Each request will be authenticated using HTTP Basic Authentication [RFC2617] unless otherwise noted."

(Above, what does "will" mean, is it intended to be a MUST?)

Unless I missed it somewhere reading the spec, looks like it does not talk about other authentication/authorization mechanism such as OAuth2. OAuth2 is still a draft but in practice its implemented/used by many. For example, if a "application developer", might be able to use OAuth2 access token[1] as HTTP Authentication header[2] or in some cases as URI query parameter while calling a vendor's CAMP APIs.

It sounds like the spec intends to mandate basic auth as the only authentication mechanism. Perhaps it should allow OAuth2 or other authorization/authentication mechanism as extensibility or keep it open and adopt OAuth2 as it evolves during spec development.

[1]http://tools.ietf.org/html/draft-ietf-oauth-v2-27#section-7

[2]http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-19

This issue was drupal issue # 1086

Attachments

Activity

People

Assignee:

Adrian Otto (Inactive)

Reporter:

Anish Karmarkar (Inactive)

Watchers:

0 Start watching this issue

Dates

Created:

02/Nov/12 7:24 PM

Updated:

12/Feb/14 5:46 PM

Resolved:

10/Oct/13 3:52 PM