- From: Asbjørn Ulsberg <asbjorn@ulsberg.no>
- Date: Tue, 29 Jul 2025 11:32:28 +0200
- To: Atul Tulshibagwale <atul@sgnl.ai>
- Cc: ietf-http-wg@w3.org

On Tue, 22 July 2025 at 22:53, Atul Tulshibagwale <atul@sgnl.ai> wrote:

> The Authorization header cannot be used because it needs to be kept available for service-to-service
> authorization such as SPIFFE.

Sorry, but I find this a bit puzzling. How are services that receive both Authorization and Txn-Token headers supposed to behave? As far as I understand, both headers may contain a JWT containing scopes and claims. How are these scopes and claims supposed to be merged? Does one take precedence over the other? How are conflicts resolved?

I would also appreciate it if the spec could elaborate on the relationship between Txn-Token and W3C Trace Context:

https://www.w3.org/TR/trace-context/

Specifically, I'd like the spec to outline why Trace Context cannot be extended to fit the purpose of Txn-Token.

--
Asbjørn Ulsberg -=|=- asbjorn@ulsberg.no
«He's a loathsome offensive brute, yet I can't look away»

Received on Tuesday, 29 July 2025 09:32:45 UTC